CRITICAL PROCESS DIED on Windows Server 2012 R2 / 2019: Complete Fix Guide
Fix the CRITICAL_PROCESS_DIED blue screen on Windows Server 2012 R2 and 2019. Step-by-step diagnosis with SFC, DISM, WinDbg, and driver rollback commands.
- Root Cause 1: A protected Windows kernel process (such as csrss.exe, wininit.exe, or lsass.exe) was forcibly terminated or crashed due to a driver conflict, corrupted system files, or malware interference.
- Root Cause 2: Faulty or incompatible device drivers — especially after a Windows Update, hardware change, or third-party security software installation — trigger bug check code 0x000000EF (CRITICAL_PROCESS_DIED).
- Root Cause 3: Hardware-level failures including failing RAM, overheating CPUs, or corrupt storage sectors can cause intermittent critical process crashes that appear as BSOD loops.
- Quick Fix Summary: Boot into Safe Mode, run SFC /scannow and DISM RestoreHealth to repair system files, use WinDbg or WhoCrashed to identify the offending driver from the memory dump, then roll back or uninstall the culprit driver. If the server is unbootable, use Windows Recovery Environment (WinRE) to apply fixes offline.
| Method | When to Use | Time | Risk |
|---|---|---|---|
| SFC /scannow + DISM | Corrupted system files suspected; server still boots to Safe Mode | 15-45 min | Low |
| WinDbg Memory Dump Analysis | Recurring BSOD, need to identify exact culprit driver or process | 30-60 min | Low |
| Driver Rollback / Uninstall | BSOD started after a Windows Update or new hardware/driver install | 10-20 min | Low-Medium |
| Startup Repair via WinRE | Server stuck in BSOD reboot loop and cannot boot at all | 20-40 min | Low |
| RAM / Hardware Diagnostics | Multiple unexplained crashes, no clear software cause found | 1-4 hours | Low |
| System Restore / Snapshot Rollback | Known-good restore point or VM snapshot exists before issue started | 15-60 min | Medium |
| Clean Windows Server Reinstall | File system is severely corrupted, all other methods failed | 2-4 hours | High |
Understanding the CRITICAL_PROCESS_DIED Error
When Windows Server 2012 R2 or 2019 displays a blue screen with the message:
Your PC ran into a problem and needs to restart.
Stop code: CRITICAL_PROCESS_DIED
The underlying bug check code is 0x000000EF. This error means Windows detected that a critical system process — one that must be running at all times for the OS to function — has either terminated unexpectedly or entered an invalid state. The kernel has no choice but to halt the system to prevent data corruption.
Common critical processes that trigger this error when they die include:
- csrss.exe (Client/Server Runtime Subsystem)
- wininit.exe (Windows Initialization)
- lsass.exe (Local Security Authority Subsystem)
- services.exe (Service Control Manager)
- winlogon.exe (Windows Logon)
Step 1: Gather Crash Dump Information
Before attempting any fix, identify the root cause by analyzing the memory dump file Windows creates during the crash.
Locate the dump file:
By default, Windows writes a minidump to C:\Windows\Minidump\ and a full kernel dump to C:\Windows\MEMORY.DMP.
If dumps are not being created, verify dump settings:
- Right-click This PC → Properties → Advanced system settings
- Under Startup and Recovery, click Settings
- Set Write debugging information to Kernel memory dump or Small memory dump (256 KB)
- Ensure the path is set to
%SystemRoot%\MEMORY.DMP
Analyze with WinDbg (Windows Debugger): Download WinDbg from the Windows SDK or Microsoft Store. Open the dump file:
File → Open Crash Dump → C:\Windows\MEMORY.DMP
Then run:
!analyze -v
Look for the IMAGE_NAME: field — this identifies the driver or binary that caused the crash. Also check STACK_TEXT for the full call stack.
Quick analysis with WhoCrashed (free tool): If WinDbg feels complex, WhoCrashed (by Resplendence Software) reads minidumps and provides human-readable reports pointing to the offending driver.
Step 2: Boot Into Safe Mode or WinRE
If the server is stuck in a reboot loop:
For Windows Server 2012 R2: Press F8 repeatedly during boot to access Advanced Boot Options, then select Safe Mode with Networking.
For Windows Server 2019: F8 is disabled by default. To re-enable it:
bcdedit /set {default} bootmenupolicy legacy
Or boot from installation media → Repair your computer → Troubleshoot → Advanced options → Startup Settings → Enable Safe Mode.
Access WinRE from installation media:
- Boot from Windows Server ISO or USB
- Select Repair your computer
- Navigate to Troubleshoot → Advanced options → Command Prompt
Step 3: Run System File Checker and DISM
Corrupt system files are a leading cause of CRITICAL_PROCESS_DIED. Run these commands in an elevated Command Prompt:
System File Checker:
sfc /scannow
This scans all protected system files and replaces corrupted versions with cached copies. If it reports it could not fix all errors, proceed with DISM.
DISM (Component Store Repair):
DISM /Online /Cleanup-Image /CheckHealth
DISM /Online /Cleanup-Image /ScanHealth
DISM /Online /Cleanup-Image /RestoreHealth
If offline (booted from WinRE), specify the source:
DISM /Image:C:\ /Cleanup-Image /RestoreHealth /Source:D:\sources\install.wim
Replace D: with your installation media drive letter.
Step 4: Identify and Roll Back Faulty Drivers
If dump analysis points to a specific .sys driver file, roll it back or remove it.
View recently installed drivers:
driverquery /v | findstr /i "running"
Roll back a driver via Device Manager:
- Open Device Manager (devmgmt.msc)
- Right-click the affected device → Properties → Driver tab
- Click Roll Back Driver if available
Uninstall a driver from CLI:
pnputil /delete-driver oem42.inf /uninstall /force
Replace oem42.inf with the actual INF file of the problem driver (find it in the dump analysis output).
Disable a driver service from WinRE if the server won't boot:
sc config <ServiceName> start= disabled
Step 5: Scan for Malware
Malware that tampers with critical system processes can trigger this BSOD. If the server is accessible, run Windows Defender from CLI:
"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2
For offline scanning, use Windows Defender Offline or Malwarebytes.
Step 6: Check Hardware — RAM and Storage
Windows Memory Diagnostic:
mdsched.exe
Choose to restart and check for problems. Review results in Event Viewer → Windows Logs → System after reboot.
For storage integrity:
chkdsk C: /f /r /x
This requires a reboot to run on the system drive. It repairs file system errors and bad sectors.
Check disk health with SMART data (PowerShell):
Get-WmiObject -Class Win32_DiskDrive | Select-Object Model, Status, MediaType
For detailed SMART data, use tools like CrystalDiskInfo or vendor-specific diagnostics (HP SmartArray, Dell OpenManage).
Step 7: Review Event Logs
Event logs often capture the exact process name that died milliseconds before the BSOD:
wevtutil qe System /c:50 /rd:true /f:text | findstr /i "critical error bugcheck"
Also check:
- Event ID 41 (Kernel-Power): Unexpected shutdown
- Event ID 1001 (BugCheck): Records the stop code and dump file path
- Event ID 6008: Unexpected previous system shutdown
Step 8: Apply Pending Windows Updates or Roll Back a Recent Update
If the issue started after a specific Windows Update:
wusa /uninstall /kb:XXXXXXX /quiet /norestart
Replace XXXXXXX with the KB number from Windows Update history.
To check recently installed updates:
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10
Step 9: Perform a Startup Repair
If BCD (Boot Configuration Data) is corrupt:
bootrec /fixmbr
bootrec /fixboot
bootrec /scanos
bootrec /rebuildbcd
Run these from WinRE Command Prompt. Rebuild BCD if Windows installation is not detected.
Windows Server 2019 Specific Notes
Windows Server 2019 runs on Windows 10 (1809) kernel internals. Some additional considerations:
- Virtualization-Based Security (VBS) and Credential Guard can cause CRITICAL_PROCESS_DIED if LSA is blocked by a policy conflict. Check:
msinfo32→ find Virtualization-based security. - Hyper-V guests may experience this error due to host-level memory pressure. Check host memory allocation.
- Use SetupDiag.exe after failed updates to diagnose update-related crashes:
SetupDiag.exe /Output:C:\SetupDiagResults.log
Frequently Asked Questions
# ============================================================
# CRITICAL_PROCESS_DIED - Windows Server Diagnostic Script
# Run as Administrator in PowerShell
# ============================================================
Write-Host "=== Step 1: Checking recent BugCheck events ==" -ForegroundColor Cyan
Get-WinEvent -LogName System -MaxEvents 200 | Where-Object { $_.Id -eq 1001 } | Format-List TimeCreated, Message
Write-Host "`n=== Step 2: Listing last 10 installed patches ==" -ForegroundColor Cyan
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10 | Format-Table HotFixID, InstalledOn, Description
Write-Host "`n=== Step 3: Checking disk health ==" -ForegroundColor Cyan
Get-WmiObject -Class Win32_DiskDrive | Select-Object Model, Status, MediaType, Size | Format-Table -AutoSize
Write-Host "`n=== Step 4: Listing running kernel drivers ==" -ForegroundColor Cyan
Get-WmiObject Win32_SystemDriver | Where-Object { $_.State -eq 'Running' } | Select-Object Name, PathName, StartMode | Sort-Object Name | Format-Table -AutoSize
Write-Host "`n=== Step 5: Checking for dump files ==" -ForegroundColor Cyan
$dumpPath = "C:\Windows\Minidump"
if (Test-Path $dumpPath) {
Get-ChildItem $dumpPath -Filter *.dmp | Sort-Object LastWriteTime -Descending | Select-Object -First 5 | Format-Table Name, LastWriteTime, Length
} else {
Write-Host "No minidump folder found. Check dump settings in System Properties." -ForegroundColor Yellow
}
Write-Host "`n=== Step 6: Run SFC scan ==" -ForegroundColor Cyan
Write-Host "Running: sfc /scannow (this may take 10-20 minutes)"
Start-Process -FilePath "sfc.exe" -ArgumentList "/scannow" -Wait -NoNewWindow
Write-Host "`n=== Step 7: Run DISM health restore ==" -ForegroundColor Cyan
Write-Host "Running DISM RestoreHealth..."
DISM /Online /Cleanup-Image /RestoreHealth
Write-Host "`n=== Step 8: Check memory diagnostic results ==" -ForegroundColor Cyan
Get-WinEvent -LogName System | Where-Object { $_.ProviderName -eq 'Microsoft-Windows-MemoryDiagnostics-Results' } | Format-List TimeCreated, Message
Write-Host "`n=== Step 9: Scan for malware (Windows Defender) ==" -ForegroundColor Cyan
$defenderPath = "C:\Program Files\Windows Defender\MpCmdRun.exe"
if (Test-Path $defenderPath) {
Write-Host "Starting Windows Defender quick scan..."
Start-Process -FilePath $defenderPath -ArgumentList "-Scan -ScanType 1" -Wait -NoNewWindow
} else {
Write-Host "Windows Defender MpCmdRun.exe not found. Use alternative AV tool." -ForegroundColor Yellow
}
Write-Host "`n=== Step 10: Export System event log for offline review ==" -ForegroundColor Cyan
$exportPath = "C:\CriticalProcessDied_SystemLog_$(Get-Date -Format yyyyMMdd_HHmm).evtx"
wevtutil epl System $exportPath
Write-Host "System event log exported to: $exportPath" -ForegroundColor Green
Write-Host "`n=== Diagnostic complete. Review output above for issues. ==" -ForegroundColor Green
# ============================================================
# BONUS: To roll back a specific Windows Update (replace KB number)
# wusa /uninstall /kb:5031364 /quiet /norestart
#
# To disable a specific driver service (replace ServiceName)
# sc config <ServiceName> start= disabled
#
# To rebuild BCD from WinRE Command Prompt:
# bootrec /fixmbr && bootrec /fixboot && bootrec /rebuildbcd
# ============================================================Error Medic Editorial
The Error Medic Editorial team consists of senior DevOps and SRE engineers with 10+ years of experience managing Windows Server, Linux, and cloud infrastructure at scale. We specialize in root-cause analysis of critical system failures, BSOD troubleshooting, kernel debugging, and production incident response. Our guides are tested against real server environments running Windows Server 2012 R2 through 2022.
Sources
- https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0xef--critical-process-died
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/sfc
- https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/repair-a-windows-image
- https://support.microsoft.com/en-us/topic/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files-79aa86cb-ca52-166a-92a3-966e85d4094e
- https://stackoverflow.com/questions/tagged/windows-server+bsod
- https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windbg