CRITICAL_PROCESS_DIED on Windows Server 2012 R2 & 2019: Complete Troubleshooting Guide
Fix CRITICAL_PROCESS_DIED BSOD on Windows Server 2012 R2 and 2019 with step-by-step diagnostics, SFC/DISM commands, driver rollbacks, and memory checks.
- CRITICAL_PROCESS_DIED (Stop Code 0x000000EF) occurs when a core Windows process such as smss.exe, csrss.exe, wininit.exe, or services.exe terminates unexpectedly, forcing an immediate system crash to prevent data corruption.
- The most common root causes include corrupt system files, faulty or incompatible device drivers, bad RAM or storage hardware, failed Windows Updates, and third-party security software conflicts.
- Quick fix path: Boot into Safe Mode, run 'sfc /scannow' followed by DISM restorehealth, review Event Viewer and minidump files in C:\Windows\Minidump, then roll back or uninstall recently changed drivers or updates.
| Method | When to Use | Time | Risk |
|---|---|---|---|
| SFC /scannow + DISM RestoreHealth | Corrupt system files suspected; server boots normally or into Safe Mode | 15-45 min | Low |
| Driver Rollback / Uninstall | BSOD appeared after driver or Windows Update installation | 10-20 min | Low-Medium |
| Windows Memory Diagnostic / MemTest86 | Random BSODs, no clear pattern, server runs hot or has old RAM | 1-8 hours | Low |
| CHKDSK /f /r | Storage errors in Event Log, slow disk I/O, disk-related minidump strings | 1-6 hours | Medium (requires reboot) |
| System Restore / Snapshot Rollback | Recent configuration change caused the error; restore point exists | 20-60 min | Medium |
| In-place Upgrade Repair | Multiple system files corrupt, SFC/DISM unable to fix all issues | 2-4 hours | Medium-High |
| Clean OS Reinstall + Data Restore | All other methods failed; hardware is confirmed healthy | 4-8+ hours | High |
Understanding the CRITICAL_PROCESS_DIED Error
When Windows Server displays a Blue Screen of Death (BSOD) with the message CRITICAL_PROCESS_DIED and stop code 0x000000EF, it means the Windows kernel detected that a process it considers essential to system operation has terminated unexpectedly. Rather than continuing to run in a potentially unstable or compromised state, the OS performs a controlled crash to write a memory dump and reboot.
The exact screen text you will see is:
Your PC ran into a problem and needs to restart.
We're just collecting some error info, and then we'll restart for you.
Stop code: CRITICAL_PROCESS_DIED
On older Windows Server 2012 R2 systems the screen may show the classic blue background with:
A problem has been detected and Windows has been shut down to prevent damage to your computer.
CRITICAL_PROCESS_DIED
If this is the first time you've seen this stop error screen, restart your computer...
*** STOP: 0x000000EF (0xFFFFFA8003B9A060, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000)
The four hexadecimal parameters in parentheses point to the process object address and exception code. These are captured in the minidump for analysis.
Processes Most Commonly Involved
- smss.exe – Session Manager Subsystem; bootstraps user sessions
- csrss.exe – Client/Server Runtime Subsystem; manages Win32 console and shutdown
- wininit.exe – Windows Initialization; starts core services at boot
- services.exe – Service Control Manager; manages all Windows services
- lsass.exe – Local Security Authority; handles authentication
Step 1: Capture and Analyze the Minidump
Before applying any fix, identify exactly which process caused the crash.
1a. Locate minidump files:
Minidumps are stored in C:\Windows\Minidump\ with filenames like Mini062524-01.dmp. If the directory is empty, verify that crash dumps are configured:
- Right-click This PC > Properties > Advanced system settings > Startup and Recovery > Settings.
- Under Write debugging information, select Small memory dump (256 KB) and confirm the path is
%SystemRoot%\Minidump. - Ensure Automatically restart is checked.
1b. Analyze with WinDbg (Windows Debugger):
Install the Windows SDK Debugging Tools, then open a dump file:
windbg -z C:\Windows\Minidump\Mini062524-01.dmp
In the command window type:
!analyze -v
Look for the PROCESS_NAME, IMAGE_NAME, and FAILURE_BUCKET_ID fields. These tell you exactly which binary triggered the crash.
1c. Use Event Viewer for quick triage:
- Open Event Viewer (
eventvwr.msc). - Navigate to Windows Logs > System.
- Filter for Critical and Error events in the timeframe just before each BSOD.
- Look for sources like BugCheck, Kernel-Power, Disk, nvlddmkm (NVIDIA driver), or iaStor (Intel storage).
Step 2: Boot into Safe Mode (If the Server Cannot Boot Normally)
On Windows Server 2012 R2:
- Restart and press F8 repeatedly before the Windows logo appears.
- Select Safe Mode with Networking or Safe Mode with Command Prompt.
On Windows Server 2019:
- Hold Shift and click Restart from the login screen.
- Navigate to Troubleshoot > Advanced Options > Startup Settings > Restart.
- Press 4 or F4 for Safe Mode, or 5/F5 for Safe Mode with Networking.
Alternatively, from an elevated command prompt or recovery console:
bcdedit /set {current} safeboot minimal
shutdown /r /t 0
To revert after troubleshooting:
bcdedit /deletevalue {current} safeboot
Step 3: Repair System Files with SFC and DISM
This is the most effective first fix for CRITICAL_PROCESS_DIED caused by corrupt OS binaries.
3a. Run System File Checker:
Open an elevated Command Prompt (Run as Administrator):
sfc /scannow
Wait for the scan to complete (10-20 minutes). Possible outcomes:
- Windows Resource Protection did not find any integrity violations – system files are intact; proceed to Step 4.
- Windows Resource Protection found corrupt files and repaired them – reboot and monitor.
- Windows Resource Protection found corrupt files but was unable to fix some of them – run DISM next.
3b. Run DISM to repair the component store:
DISM /Online /Cleanup-Image /CheckHealth
DISM /Online /Cleanup-Image /ScanHealth
DISM /Online /Cleanup-Image /RestoreHealth
After DISM completes successfully, run sfc /scannow again to re-verify.
For offline repair using installation media (mount the ISO first, e.g., as D:):
DISM /Online /Cleanup-Image /RestoreHealth /Source:D:\Sources\install.wim /LimitAccess
Step 4: Check and Repair the Disk
Corrupt disk sectors can cause process crashes during file reads or writes.
chkdsk C: /f /r /x
The /f flag fixes errors, /r locates bad sectors, and /x forces a dismount. You will be prompted to schedule this for the next reboot since the system volume is in use. Type Y and restart.
Also review SMART data:
wmic diskdrive get status,model,serialNumber
A status of Caution or Bad indicates a failing drive. Replace the drive and restore from backup.
Step 5: Roll Back or Remove Problematic Drivers and Updates
If the BSOD started after a Windows Update, driver install, or new hardware addition:
5a. Roll back a driver:
- Open Device Manager (
devmgmt.msc). - Right-click the suspect device > Properties > Driver tab > Roll Back Driver.
Common culprits: network adapters (NIC drivers), storage controllers (LSI, HP Smart Array), display adapters, and chipset drivers.
5b. Uninstall a Windows Update:
wusa /uninstall /kb:XXXXXXX /quiet /norestart
Replace XXXXXXX with the KB number identified in Event Viewer or Windows Update history.
5c. Prevent a bad update from reinstalling (temporary):
wushowhide.diagcab
Run the Microsoft Show/Hide Updates troubleshooter to block a specific KB.
Step 6: Test Memory (RAM)
Faulty RAM can cause corruption in running processes, leading to CRITICAL_PROCESS_DIED.
Windows Memory Diagnostic (built-in):
mdsched.exe
Choose Restart now and check for problems. Results appear in Event Viewer under Windows Logs > System, source MemoryDiagnostics-Results after the reboot.
For deeper testing, boot from a MemTest86 USB drive and run at least two full passes (4+ hours for large RAM). Any errors indicate faulty DIMMs that must be replaced.
Step 7: Disable or Reconfigure Third-Party Security Software
Antivirus and EDR solutions that hook kernel functions can conflict with critical processes. Temporarily uninstall or disable the security agent, reboot, and observe if the BSOD recurs. If the server is stable without the agent, contact the vendor for a compatible version or exclusion configuration.
Step 8: Perform an In-Place Upgrade Repair (Last Resort Before Reinstall)
If SFC and DISM cannot repair all corrupt files, an in-place upgrade reinstalls Windows without removing applications or data.
- Mount or insert the Windows Server installation ISO matching your exact version and build.
- Run
setup.exefrom the mounted media. - Choose Upgrade this PC now and select Keep personal files and apps.
- Complete the wizard and allow the server to reboot multiple times.
This process typically takes 2-4 hours and should restore all system binaries to a healthy state.
Frequently Asked Questions
# ============================================================
# CRITICAL_PROCESS_DIED Diagnostic & Repair Script
# Run as Administrator in PowerShell or CMD
# Compatible with Windows Server 2012 R2 and 2019
# ============================================================
# --- Step 1: List recent minidump files ---
Write-Host "`n[INFO] Recent minidump files:" -ForegroundColor Cyan
Get-ChildItem -Path "$env:SystemRoot\Minidump" -Filter "*.dmp" -ErrorAction SilentlyContinue |
Sort-Object LastWriteTime -Descending |
Select-Object -First 10 Name, LastWriteTime, @{N='SizeMB';E={[math]::Round($_.Length/1MB,2)}} |
Format-Table -AutoSize
# --- Step 2: Query BugCheck events from Event Log ---
Write-Host "`n[INFO] Recent BugCheck events (last 20):" -ForegroundColor Cyan
Get-WinEvent -FilterHashtable @{LogName='System'; Id=1001; ProviderName='Microsoft-Windows-WER-SystemErrorReporting'} `
-MaxEvents 20 -ErrorAction SilentlyContinue |
Select-Object TimeCreated, Message |
Format-List
# --- Step 3: Check disk SMART status ---
Write-Host "`n[INFO] Physical disk health:" -ForegroundColor Cyan
Get-WmiObject -Class Win32_DiskDrive | Select-Object Model, Status, Size, SerialNumber | Format-Table -AutoSize
# --- Step 4: Run System File Checker ---
Write-Host "`n[ACTION] Running SFC /scannow (this may take 10-20 minutes)..." -ForegroundColor Yellow
sfc /scannow
# --- Step 5: Run DISM component store repair ---
Write-Host "`n[ACTION] Running DISM CheckHealth..." -ForegroundColor Yellow
DISM /Online /Cleanup-Image /CheckHealth
Write-Host "`n[ACTION] Running DISM ScanHealth..." -ForegroundColor Yellow
DISM /Online /Cleanup-Image /ScanHealth
Write-Host "`n[ACTION] Running DISM RestoreHealth (requires internet or mounted media)..." -ForegroundColor Yellow
DISM /Online /Cleanup-Image /RestoreHealth
# --- Step 6: Schedule CHKDSK on next reboot ---
Write-Host "`n[ACTION] Scheduling CHKDSK for next reboot on C: drive..." -ForegroundColor Yellow
echo Y | chkdsk C: /f /r
# --- Step 7: Check for recently installed updates (last 7 days) ---
Write-Host "`n[INFO] Updates installed in last 7 days:" -ForegroundColor Cyan
$date = (Get-Date).AddDays(-7)
Get-HotFix | Where-Object {$_.InstalledOn -ge $date} | Select-Object HotFixID, InstalledOn, Description | Format-Table -AutoSize
# --- Step 8: Check for recently installed drivers ---
Write-Host "`n[INFO] Drivers installed/modified in last 7 days:" -ForegroundColor Cyan
Get-WmiObject Win32_PnPSignedDriver |
Where-Object {$_.DriverDate -ne $null} |
Sort-Object DriverDate -Descending |
Select-Object -First 15 DeviceName, DriverVersion, DriverDate, Manufacturer |
Format-Table -AutoSize
# --- Step 9: Check running critical processes ---
Write-Host "`n[INFO] Critical process status:" -ForegroundColor Cyan
$criticalProcesses = @('smss','csrss','wininit','services','lsass')
foreach ($proc in $criticalProcesses) {
$p = Get-Process -Name $proc -ErrorAction SilentlyContinue
if ($p) {
Write-Host " [OK] $proc (PID: $($p.Id))" -ForegroundColor Green
} else {
Write-Host " [MISSING] $proc not found!" -ForegroundColor Red
}
}
# --- Step 10: Trigger Windows Memory Diagnostic ---
Write-Host "`n[ACTION] Launching Windows Memory Diagnostic scheduler..." -ForegroundColor Yellow
Start-Process mdsched.exe
Write-Host "`n[DONE] Diagnostics complete. Review output above and reboot to apply disk and file repairs." -ForegroundColor GreenError Medic Editorial
The Error Medic Editorial team is composed of senior DevOps engineers, Windows Server administrators, and SRE practitioners with 10+ years of experience managing enterprise Windows environments. We specialize in diagnosing and resolving critical system errors across on-premises, hybrid, and cloud-hosted Windows Server deployments. Our guides are tested on real hardware and virtual machines running Windows Server 2012 R2, 2016, 2019, and 2022.
Sources
- https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0xef--critical-process-died
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/sfc
- https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/repair-a-windows-image
- https://support.microsoft.com/en-us/windows/using-system-file-checker-in-windows-365e0031-36b1-6031-f804-8fd86e0ef4ca
- https://stackoverflow.com/questions/tagged/windows-server+bsod