KMODE_EXCEPTION_NOT_HANDLED on Windows Server 2012 R2: Complete Troubleshooting Guide
Fix KMODE_EXCEPTION_NOT_HANDLED BSOD on Windows Server 2012 R2, 2019, and 2022. Step-by-step diagnosis with WinDbg, driver rollback, and memory analysis command
- KMODE_EXCEPTION_NOT_HANDLED (Stop Code 0x0000001E) occurs when a kernel-mode program generates an exception that the error handler fails to catch — most commonly caused by a faulty driver, corrupt system file, or defective RAM.
- CRITICAL_PROCESS_DIED (0x000000EF) and SYSTEM_SERVICE_EXCEPTION (0x0000003B) share overlapping root causes including driver conflicts, Windows Update failures, and hardware faults — the same diagnostic workflow applies across Windows Server 2012 R2, 2019, and 2022.
- Quick fix summary: Boot into Safe Mode, identify the offending driver from the minidump using WinDbg or WhoCrashed, roll back or uninstall that driver, run SFC /scannow and DISM to repair system files, then verify RAM with MemTest86 if BSODs persist after driver remediation.
| Method | When to Use | Time | Risk |
|---|---|---|---|
| Driver Rollback / Uninstall | Minidump clearly identifies a third-party or recently updated driver | 10–30 min | Low |
| SFC /scannow + DISM Repair | System files are corrupt after a failed Windows Update or disk event | 20–45 min | Low |
| Windows Update Uninstall | BSOD started immediately after a cumulative update (KB number visible) | 10–15 min | Low |
| Memory Diagnostic (MemTest86) | BSODs occur randomly with no clear driver suspect; multiple stop codes | 2–8 hours | None (read-only test) |
| Clean Boot / Minimal Services | Third-party software or service is suspected but not identified | 30–60 min | Low |
| In-Place Upgrade / Repair Install | Multiple corrupt system components; SFC/DISM cannot repair | 1–3 hours | Medium |
| Full OS Reinstall | Hardware is healthy but OS is irreparably corrupted | 3–6 hours | High (data loss if not backed up) |
Understanding the Error
When Windows Server displays a Blue Screen of Death (BSOD) with the stop code KMODE_EXCEPTION_NOT_HANDLED (0x0000001E), it means that kernel-mode code — code running with full hardware access — threw an exception (such as an access violation or divide-by-zero) that was never caught by any exception handler. Because unhandled kernel exceptions cannot be safely recovered from, Windows halts immediately to prevent data corruption.
You will typically see one of these exact strings on the crash screen:
- STOP: 0x0000001E (0xC0000005, 0xFFFFF880xxxxxxxx, 0x0000000000000000, 0x0000000000000000), where the second parameter is the faulting instruction address and the third and fourth are exception parameters.
- KMODE_EXCEPTION_NOT_HANDLED on Windows Server 2012 R2, 2016, 2019, or 2022.
- Related variants: CRITICAL_PROCESS_DIED (0x000000EF), SYSTEM_SERVICE_EXCEPTION (0x0000003B), PAGE_FAULT_IN_NONPAGED_AREA (0x00000050).
The most common culprits, in order of frequency:
- Outdated, buggy, or incompatible drivers — antivirus kernel drivers, NIC drivers, storage controller drivers, and GPU drivers top the list.
- Corrupt system files — often caused by sudden power loss, disk errors, or botched Windows Updates.
- Defective RAM — bit-flip errors in RAM manifest as random kernel exceptions at unpredictable addresses.
- Hardware faults — failing HDDs/SSDs, overheating CPUs, or unstable overclocks.
- Malware — rootkits operate in kernel mode and can trigger unhandled exceptions.
Step 1: Collect the Minidump
Windows writes a minidump file every time a BSOD occurs. These are your primary forensic artifacts.
Default minidump location: C:\Windows\Minidump\
If the folder is empty, confirm dump settings are correct:
- Right-click This PC → Properties → Advanced system settings → Startup and Recovery → Settings.
- Under Write debugging information, select Small memory dump (256 KB) and confirm the path is %SystemRoot%\Minidump.
- Ensure Automatically restart is checked (so the server reboots after the BSOD rather than hanging).
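A scripted version of the same check for hosts without a desktop, as an added example that is not part of the original guide. It reads the CrashControl registry key that the Startup and Recovery dialog writes; the function name Test-CrashDumpConfig and the sample values are made up for illustration.

```powershell
function Test-CrashDumpConfig {
    param(
        # CrashControl values; pass a constructed object to try the logic off-host.
        $Settings = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'),
        # Page files in use. The dump is staged in the page file on the boot volume
        # unless a DedicatedDumpFile is configured.
        $PageFiles = @(Get-CimInstance Win32_PageFileUsage -ErrorAction SilentlyContinue)
    )
    $typeNames = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small'; 7 = 'Automatic' }
    $mode = [int]$Settings.CrashDumpEnabled
    $findings = New-Object 'System.Collections.Generic.List[string]'

    if ($mode -eq 0) {
        $findings.Add('CrashDumpEnabled = 0: no dump is written.')
    }
    if (-not $Settings.MinidumpDir) {
        $findings.Add('MinidumpDir is empty: small dumps have no target folder.')
    }
    if ($Settings.AutoReboot -ne 1) {
        $findings.Add('AutoReboot is off: the server stays on the stop screen.')
    }
    $bootPf = @($PageFiles | Where-Object { $_.Name -like "$env:SystemDrive\*" })
    if ($bootPf.Count -eq 0 -and -not $Settings.DedicatedDumpFile) {
        $findings.Add("No page file on $env:SystemDrive and no DedicatedDumpFile.")
    }

    [PSCustomObject]@{
        DumpType     = $typeNames[$mode]
        MinidumpDir  = $Settings.MinidumpDir
        FolderExists = [bool]($Settings.MinidumpDir -and (Test-Path $Settings.MinidumpDir))
        Healthy      = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Constructed sample: dumps disabled, no auto-restart, no page file.
$sample = [PSCustomObject]@{ CrashDumpEnabled = 0; MinidumpDir = 'C:\Windows\Minidump'; AutoReboot = 0 }
Test-CrashDumpConfig -Settings $sample -PageFiles @() | Format-List

# Live host:
Test-CrashDumpConfig | Format-List
```

FolderExists is reported separately from Findings because Windows creates the Minidump folder when it writes the first dump.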
Step 2: Analyze the Minidump with WinDbg
Download WinDbg from the Windows SDK (available free from Microsoft). After installation:
- Open WinDbg and go to File → Open Crash Dump and select the latest .dmp file from C:\Windows\Minidump\.
- Set the symbol path so WinDbg can resolve function names:
.sympath srv*C:\Symbols*https://msdl.microsoft.com/download/symbols
.reload
- Run the automated analysis:
!analyze -v
- Look for the MODULE_NAME and IMAGE_NAME fields in the output. A result like IMAGE_NAME: nvlddmkm.sys points directly to the NVIDIA display driver; ataport.sys points to the ATA storage driver stack.
- Run !lmvm <module_name> to get the exact version and timestamp of the offending module.
- Run !thread and kv to see the full call stack at the time of the crash.
Alternatively, use the free WhoCrashed tool (Resplendence Software) for a GUI-based minidump analysis if WinDbg feels overwhelming.
Step 3: Identify and Remediate the Faulty Driver
Once you have the offending driver name:
Option A — Roll back the driver:
- Boot into Safe Mode (press F8 during startup on Server 2012 R2, or use bcdedit /set {current} safeboot minimal from an elevated prompt).
- Open Device Manager → locate the device → Properties → Driver tab → Roll Back Driver.
Option B — Uninstall the driver completely:
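# In an elevated PowerShell session (Windows Server 2016 and later)
pnputil /enum-drivers | Select-String "driver_name"
pnputil /delete-driver oem##.inf /uninstall /force
# Windows Server 2012 R2 ships the older pnputil, which uses the legacy switches
pnputil -e | Select-String "driver_name"
pnputil -f -d oem##.inf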
Option C — Update to the latest stable driver: Download the driver directly from the hardware vendor's website. Never rely on Windows Update alone for critical server drivers. For NIC drivers, always match the firmware version with the driver version.
Step 4: Repair System Files
If the minidump implicates a core Windows component (e.g., ntoskrnl.exe, hal.dll, win32k.sys) rather than a third-party driver, system file corruption is likely.
Run SFC first:
sfc /scannow
Review the log at C:\Windows\Logs\CBS\CBS.log for details on what was repaired or could not be repaired.
If SFC reports errors it cannot fix, run DISM:
DISM /Online /Cleanup-Image /CheckHealth
DISM /Online /Cleanup-Image /ScanHealth
DISM /Online /Cleanup-Image /RestoreHealth
For Windows Server 2012 R2 offline or air-gapped environments, mount the installation ISO and point DISM to the WIM:
DISM /Online /Cleanup-Image /RestoreHealth /Source:wim:D:\sources\install.wim:1 /LimitAccess
Step 5: Check for Problematic Windows Updates
If the BSOD started after a Windows Update:
# List recently installed updates
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10
# Uninstall a specific update by KB number
wusa /uninstall /kb:XXXXXXX /quiet /norestart
After uninstalling, block that specific update until a fixed version is released by hiding it using the Microsoft Show/Hide Updates troubleshooter.
Step 6: Test RAM with Windows Memory Diagnostic and MemTest86
If BSODs continue with different stop codes or at random intervals with no clear driver suspect, test RAM:
Windows Memory Diagnostic (built-in):
mdsched.exe
Choose Restart now and check for problems. After reboot, results appear in Event Viewer under Windows Logs → System (Event ID 1101 or 1201).
MemTest86 (more thorough): Download from https://www.memtest86.com, create a bootable USB, and run at least two full passes (4–8 hours). Any reported errors confirm faulty RAM. Replace DIMMs one at a time to isolate the bad stick.
Step 7: Check Disk Health
# Check disk for errors on next reboot
chkdsk C: /f /r /x
# Check SMART status via PowerShell (requires admin)
Get-PhysicalDisk | Get-StorageReliabilityCounter | Select-Object DeviceId, ReadErrorsTotal, WriteErrorsTotal, Temperature
For hardware RAID controllers, use the vendor's management tool (e.g., HP Smart Storage Administrator, Dell OMSA) to check for drive rebuild events or degraded arrays.
Step 8: Check System Event Logs
Before every BSOD, Windows logs critical events. Review them:
# Get the last 50 critical and error events from the System log
Get-WinEvent -FilterHashtable @{LogName='System'; Level=1,2} -MaxEvents 50 | Format-List TimeCreated, Id, Message
Event IDs to focus on: 41 (Kernel-Power — unexpected shutdown), 6008 (unexpected shutdown), 7001/7023 (service failures), 1001 (BugCheck — the BSOD itself).
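The BugCheck event (ID 1001) carries the same stop code and four parameters described under Understanding the Error, so crash history can be triaged from the log before opening any dump. The following is an added example, not part of the original guide: the function names are hypothetical, the two messages are constructed samples, and the hint applies the guide's own rule from Steps 2 and 6.

```powershell
# Stop codes and exception names below are the ones this guide mentions.
$StopNames = @{
    '0x0000001E' = 'KMODE_EXCEPTION_NOT_HANDLED'; '0x000000EF' = 'CRITICAL_PROCESS_DIED'
    '0x0000003B' = 'SYSTEM_SERVICE_EXCEPTION';    '0x00000050' = 'PAGE_FAULT_IN_NONPAGED_AREA'
}
$ExceptionNames = @{ 'C0000005' = 'access violation'; 'C0000094' = 'integer divide-by-zero' }

function ConvertFrom-BugCheckMessage {
    param([Parameter(Mandatory)][string]$Message)
    $hex = '0x[0-9a-f]+'
    if ($Message -match "bugcheck was:\s*($hex)\s*\(($hex),\s*($hex),\s*($hex),\s*($hex)\)") {
        $code = '0x{0:X8}' -f ([Convert]::ToUInt32($Matches[1], 16))
        $p1   = [Convert]::ToUInt64($Matches[2], 16)
        $p2   = [Convert]::ToUInt64($Matches[3], 16)
        $row  = [ordered]@{ StopCode = $code; Name = $StopNames[$code]; Exception = $null; FaultAddress = $null }
        if ($code -eq '0x0000001E') {
            # 0x1E: parameter 1 is the exception code (low 32 bits), parameter 2 the faulting address
            $status = ('{0:X16}' -f $p1).Substring(8)
            $row.Exception    = if ($ExceptionNames.ContainsKey($status)) { $ExceptionNames[$status] } else { "0x$status" }
            $row.FaultAddress = '0x{0:X16}' -f $p2
        }
        [PSCustomObject]$row
    }
}

function Get-BugCheckTriage {
    param([string[]]$Messages)
    # Messages that are not BugCheck records produce no output and are skipped.
    $crashes  = @($Messages | ForEach-Object { ConvertFrom-BugCheckMessage $_ })
    $distinct = @($crashes | Select-Object -ExpandProperty StopCode -Unique)
    $hint = if ($crashes.Count -eq 0) {
        'No BugCheck events parsed.'
    } elseif ($distinct.Count -gt 1) {
        'Different stop codes across crashes: test RAM (Step 6).'
    } else {
        'A single stop code: find the faulting module in the minidump (Step 2).'
    }
    [PSCustomObject]@{ Crashes = $crashes; Hint = $hint }
}

# Constructed sample messages in the Event ID 1001 format; on a live host use:
#   $msgs = (Get-WinEvent -FilterHashtable @{LogName='System'; Id=1001} -MaxEvents 20).Message
$msgs = @(
    'The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff8000265c3e0, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\Windows\Minidump\sample-01.dmp.'
    'The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000003b (0x00000000c0000005, 0xfffff80003a1b2c4, 0xfffff88009f3e0d0, 0x0000000000000000). A dump was saved in: C:\Windows\Minidump\sample-02.dmp.'
)
$triage = Get-BugCheckTriage -Messages $msgs
$triage.Crashes | Format-Table -AutoSize
$triage.Hint
```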
Windows Server 2019 and 2022 Specific Notes
On Windows Server 2019, SYSTEM_SERVICE_EXCEPTION is frequently caused by third-party antivirus drivers (especially legacy AV products not designed for the new kernel isolation features). Use fltMC to enumerate and selectively detach filter drivers:
fltMC
fltMC detach <filtername> C: <instancename>
On Windows Server 2022, Hyper-V and virtual switch driver interactions have caused KMODE exceptions in some configurations. Ensure the Hyper-V integration components are fully updated from inside guest VMs, and verify that the host NIC driver supports RDMA/SR-IOV if those features are enabled.
# ============================================================
# Windows Server BSOD Diagnostic Script
# Covers: KMODE_EXCEPTION_NOT_HANDLED, CRITICAL_PROCESS_DIED,
# SYSTEM_SERVICE_EXCEPTION, and general BSOD triage
# Run as Administrator in PowerShell
# ============================================================
# --- 1. List recent BSODs from Event Log ---
Write-Host "=== Recent BugCheck Events (BSODs) ===" -ForegroundColor Cyan
Get-WinEvent -FilterHashtable @{LogName='System'; Id=1001; ProviderName='Microsoft-Windows-WER-SystemErrorReporting'} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
# --- 2. List all minidump files with timestamps ---
Write-Host "`n=== Minidump Files ===" -ForegroundColor Cyan
$dumpPath = "C:\Windows\Minidump"
if (Test-Path $dumpPath) {
    Get-ChildItem -Path $dumpPath -Filter "*.dmp" | Sort-Object LastWriteTime -Descending |
        Select-Object Name, LastWriteTime, @{N='SizeMB';E={[math]::Round($_.Length/1MB,2)}}
} else {
    Write-Host "No minidump folder found. Check Startup and Recovery settings." -ForegroundColor Yellow
}
# --- 3. Show the 20 most recent critical/error system events ---
Write-Host "`n=== Last 20 Critical/Error System Events ===" -ForegroundColor Cyan
Get-WinEvent -FilterHashtable @{LogName='System'; Level=1,2} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
# --- 4. List all third-party kernel drivers (non-Microsoft) ---
# Catalog-signed files can be reported as unsigned on older PowerShell versions,
# so treat entries with an empty Signer as leads to review, not as verdicts.
Write-Host "`n=== Third-Party Kernel Drivers ===" -ForegroundColor Cyan
Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' } |
    ForEach-Object {
        # Normalize NT-style paths (\??\C:\... and \SystemRoot\...) to Win32 paths
        $file = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        try {
            $sig = Get-AuthenticodeSignature $file -ErrorAction SilentlyContinue
            if ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                [PSCustomObject]@{
                    Name        = $_.Name
                    DisplayName = $_.DisplayName
                    Path        = $file
                    Signer      = $sig.SignerCertificate.Subject
                }
            }
        } catch {}
    } | Format-Table -AutoSize
# --- 5. Check for recently installed drivers (last 30 days) ---
# Event ID 7045 records every newly installed service, kernel driver services included
Write-Host "`n=== Drivers Installed in Last 30 Days ===" -ForegroundColor Cyan
$cutoff = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=$cutoff} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
# --- 6. Run SFC scan (repairs protected system files; use sfc /verifyonly for a check-only pass) ---
Write-Host "`n=== Running SFC (System File Checker) ===" -ForegroundColor Cyan
sfc /scannow
# --- 7. Run DISM health check ---
Write-Host "`n=== Running DISM Health Check ===" -ForegroundColor Cyan
DISM /Online /Cleanup-Image /CheckHealth
DISM /Online /Cleanup-Image /ScanHealth
# --- 8. Check disk health via SMART counters ---
Write-Host "`n=== Physical Disk Reliability Counters ===" -ForegroundColor Cyan
Get-PhysicalDisk | ForEach-Object {
    $disk = $_
    $rel = $disk | Get-StorageReliabilityCounter
    [PSCustomObject]@{
        FriendlyName = $disk.FriendlyName
        MediaType    = $disk.MediaType
        HealthStatus = $disk.HealthStatus
        ReadErrors   = $rel.ReadErrorsTotal
        WriteErrors  = $rel.WriteErrorsTotal
        Temperature  = $rel.Temperature
        WearLevel    = $rel.Wear
    }
} | Format-Table -AutoSize
# --- 9. Check RAM via Windows Memory Diagnostic (schedules on next reboot) ---
# Uncomment to schedule:
# Write-Host "`n=== Scheduling Windows Memory Diagnostic ===" -ForegroundColor Cyan
# mdsched.exe
# --- 10. Export full system info for offline analysis ---
Write-Host "`n=== Exporting System Info to C:\BSODReport.txt ===" -ForegroundColor Cyan
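$reportPath = "C:\BSODReport.txt"
"=== System Info ===" | Out-File $reportPath
if (Get-Command Get-ComputerInfo -ErrorAction SilentlyContinue) {
    Get-ComputerInfo | Out-File $reportPath -Append
} else {
    # Get-ComputerInfo needs PowerShell 5.1; Server 2012 R2 ships 4.0, so fall back to systeminfo
    systeminfo | Out-File $reportPath -Append
}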
"=== Installed Hotfixes (last 20) ===" | Out-File $reportPath -Append
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 20 | Out-File $reportPath -Append
Write-Host "Report saved to $reportPath" -ForegroundColor Green
# --- 11. WinDbg quick-start commands (run manually in WinDbg) ---
# .sympath srv*C:\Symbols*https://msdl.microsoft.com/download/symbols
# .reload
# !analyze -v
# !lmvm <module_name>
# !thread
# kv
# !pool
# !verifier
Error Medic Editorial
The Error Medic Editorial team is composed of senior DevOps engineers, SREs, and Windows Server administrators with over a decade of experience diagnosing kernel-mode crashes, driver conflicts, and system stability issues across on-premises and cloud environments. We specialize in translating cryptic stop codes and crash dumps into actionable remediation steps for production systems.