What does KMODE_EXCEPTION_NOT_HANDLED (0x0000001E) mean and why does it happen on Windows Server 2012 R2?

Stop code 0x0000001E means the Windows kernel detected an exception generated by kernel-mode code (a driver or the OS itself) for which no exception handler existed. On Windows Server 2012 R2, this most commonly occurs when a third-party kernel-mode driver — such as a NIC driver, storage adapter driver, or security product kernel filter — generates an access violation (exception code 0xC0000005) by attempting to read or write to an invalid memory address. The kernel cannot continue safely and forces a crash dump to preserve forensic data. The first parameter in the BSOD contains the exception code, and the second contains the faulting instruction address, which WinDbg can resolve to the exact driver function.

How is CRITICAL_PROCESS_DIED (0x000000EF) on Windows Server 2012 different from KMODE_EXCEPTION_NOT_HANDLED?

CRITICAL_PROCESS_DIED (0x000000EF) indicates that a process marked as critical to the Windows subsystem — such as smss.exe (Session Manager), csrss.exe (Client/Server Runtime), wininit.exe, or lsass.exe — has unexpectedly terminated. Windows cannot continue without these processes, so it triggers a BSOD. Unlike KMODE_EXCEPTION_NOT_HANDLED which is always caused by kernel-mode driver code, CRITICAL_PROCESS_DIED can also be caused by user-mode process corruption, malware terminating system processes, or severe file system corruption preventing the process from functioning. Analyze the dump for the process name in the PROCESS_NAME field and check the Security and System event logs for preceding error events (Event IDs 1000, 1001, 6008).

My Windows Server 2019 keeps crashing with SYSTEM_SERVICE_EXCEPTION. Is this the same problem?

SYSTEM_SERVICE_EXCEPTION (0x0000003B) is closely related — it means an exception occurred during execution of a routine that transitions from user-mode to kernel-mode (a system service call). On Windows Server 2019, this is frequently triggered by antivirus or EDR kernel filter drivers that intercept system calls and contain a bug, or by win32k.sys issues related to Remote Desktop session handling. The diagnostic approach is identical: locate the mini dump in C:\Windows\Minidump, open it in WinDbg, run '!analyze -v', and look at the STACK_TEXT and IMAGE_NAME fields. Common culprits on Server 2019 include legacy antivirus products not fully compatible with the updated kernel, and third-party RDP enhancement tools.

Can a Windows Server 2022 BSOD be caused by a Hyper-V guest driver rather than the host OS?

Yes. If the BSOD occurs on a Hyper-V host running Windows Server 2022, a buggy synthetic driver within a guest VM can, in rare cases, trigger a host-level crash via the VMBus. More commonly, the host crashes because the Hyper-V hypervisor or VMMS (Virtual Machine Management Service) driver (vmswitch.sys, vmbkmclr.sys) encounters a condition exposed by guest activity. If your dump implicates any vmbus*, vmswitch*, or storvsc* driver, update Hyper-V integration services on all guests, ensure the host has the latest Cumulative Update applied, and review the Hyper-V-Worker event log (Applications and Services Logs > Microsoft > Windows > Hyper-V-Worker) for guest-level error events preceding the host crash.

Server BSODs at random intervals with different stop codes each time — where do I start?

Random BSODs with varying stop codes almost always indicate a hardware problem, specifically faulty RAM or an unstable power supply. The random nature means the corruption is occurring at the physical memory or voltage level before the OS can consistently identify the same logical failure. Start with Windows Memory Diagnostic (mdsched.exe) then run MemTest86 for at least two complete passes (8+ hours for large RAM). If RAM passes, check Event Viewer for hardware error events (WHEA — Windows Hardware Error Architecture) by filtering the System log for Source 'Microsoft-Windows-WHEA-Logger'. Correctable ECC errors appear before uncorrectable ones. Also check your UPS and power rails — power delivery issues cause intermittent BSOD patterns that are often misdiagnosed as driver problems.

KMODE_EXCEPTION_NOT_HANDLED on Windows Server 2012 R2: Complete Troubleshooting Guide

Fix KMODE_EXCEPTION_NOT_HANDLED BSOD on Windows Server 2012 R2, 2019 & 2022. Step-by-step diagnosis with WinDbg, Driver Verifier & memory dump analysis.

Last updated: March 1, 2026

Last verified: March 1, 2026

2,648 words

Key Takeaways

Root Cause 1: Faulty or incompatible kernel-mode drivers (network adapters, storage controllers, antivirus kernel modules) are the #1 cause of KMODE_EXCEPTION_NOT_HANDLED (stop code 0x0000001E) on Windows Server 2012 R2 and later versions.
Root Cause 2: Corrupt or misconfigured system files, bad RAM modules, or hardware failures — particularly after Windows Updates or hardware changes — trigger CRITICAL_PROCESS_DIED (0x000000EF) and SYSTEM_SERVICE_EXCEPTION (0x0000003B) variants.
Root Cause 3: Outdated firmware (BIOS/UEFI, NIC firmware, RAID controller firmware) causes hardware-level exceptions that surface as kernel-mode BSODs across Windows Server 2012 R2, 2019, and 2022.
Quick Fix Summary: Boot into Safe Mode, run 'verifier /standard /all' to isolate the offending driver, analyze the memory dump with WinDbg (!analyze -v), update or roll back the suspect driver, run 'sfc /scannow' and 'DISM /Online /Cleanup-Image /RestoreHealth', then validate RAM with Windows Memory Diagnostic or MemTest86.

Fix Approaches Compared
Method	When to Use	Time	Risk
WinDbg Memory Dump Analysis	Server has crashed at least once and a .dmp file exists in C:\Windows\Minidump	30–60 min	Low — read-only analysis
Driver Verifier (verifier.exe)	Crash is intermittent or dump doesn't clearly identify the driver	2–4 hrs (requires reboot cycles)	Medium — can induce additional BSODs intentionally
Safe Mode Driver Rollback/Disable	BSOD occurs at boot or immediately after a driver/Windows Update install	15–30 min	Low — non-destructive
SFC & DISM System File Repair	Dump points to ntoskrnl.exe, hal.dll, or other core OS files	20–45 min	Low — in-place repair only
Windows Memory Diagnostic / MemTest86	Multiple BSODs with varying stop codes, or dump implicates memory addresses in RAM	1–8 hrs	Low — hardware test only
Firmware & Driver Update (NIC/RAID/HBA)	Hardware recently changed, or vendor advisory exists for the specific firmware version	30–90 min	Medium — requires maintenance window
In-Place OS Upgrade / Repair Install	Extensive file corruption; SFC/DISM cannot repair files	2–4 hrs	Medium — preserves data but modifies system files
Bare-Metal Restore from Backup	All software fixes exhausted, hardware verified healthy	Varies (1–8 hrs)	High — last resort, data risk if backup is stale

Understanding KMODE_EXCEPTION_NOT_HANDLED and Related Windows Server BSODs

When a Windows Server enters a Blue Screen of Death (BSOD), the kernel has detected a fatal, unrecoverable condition. The stop codes covered in this guide share a common thread: kernel-mode code — drivers, services, or the OS itself — has triggered an exception that no registered exception handler could catch.

Stop codes in this family:

0x0000001E — KMODE_EXCEPTION_NOT_HANDLED (classic kernel exception)
0x000000EF — CRITICAL_PROCESS_DIED (a protected process like smss.exe or wininit.exe terminated)
0x0000003B — SYSTEM_SERVICE_EXCEPTION (exception during a system service call)
0x0000007E — SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (similar to 1E but from a system thread)

On Windows Server 2012 R2, the most common screen text is:

Your PC ran into a problem and needs to restart.
STOP: 0x0000001E (0xFFFFFFFFC0000005, 0xFFFFF80003B1C3A0, 0x0000000000000000, 0xFFFFFA8009D3B000)
KMODE_EXCEPTION_NOT_HANDLED

The four parameters encode: (1) the exception code — 0xC0000005 means Access Violation, the most common; (2) the address of the faulting instruction; (3) a read/write indicator; (4) the target memory address.

Phase 1: Immediate Stabilization

Before diagnosing, you must get the server stable enough to boot.

Step 1.1 — Boot into Safe Mode with Networking

For Windows Server 2012 R2 and 2016: Interrupt boot three times to trigger Automatic Repair, then navigate to Troubleshoot > Advanced Options > Startup Settings > Restart > F4 (Safe Mode) or F5 (Safe Mode with Networking).

For Windows Server 2019 and 2022, the same path applies or use the installation media to access Recovery Environment.

Step 1.2 — Check Recent Changes

Run the following from an elevated PowerShell to identify recent driver and update installations:

Get-WinEvent -LogName System | Where-Object {$_.Id -eq 7045} | Select-Object TimeCreated, Message | Sort-Object TimeCreated -Descending | Select-Object -First 20

Also review Windows Update history:

Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10

If a specific update or driver installation correlates with the first crash, roll it back before proceeding.

Phase 2: Analyze the Memory Dump

Step 2.1 — Locate the Dump File

By default, Windows Server writes mini dumps to C:\Windows\Minidump\ and a full kernel dump to C:\Windows\MEMORY.DMP. Verify dump settings:

Control Panel > System > Advanced System Settings > Startup and Recovery > Settings

Ensure "Kernel memory dump" or "Complete memory dump" is selected so future crashes produce actionable data.

Step 2.2 — Install WinDbg and Symbols

Download WinDbg from the Windows SDK. Set the symbol path:

_NT_SYMBOL_PATH=srv*C:\Symbols*https://msdl.microsoft.com/download/symbols

Open the .dmp file: File > Open Crash Dump, then run:

!analyze -v

Key fields to examine in the output:

MODULE_NAME / IMAGE_NAME: Identifies the faulting driver (e.g., nvlddmkm.sys, vmxnet3.sys, storport.sys)
STACK_TEXT: The call stack leading to the crash
FAILURE_BUCKET_ID: A fingerprint for the crash type

If the dump implicates a third-party driver (anything not from Microsoft), that driver is your primary suspect.

Step 2.3 — Common Offending Drivers

Driver File	Component	Action
vmxnet3.sys	VMware NIC (VM guest)	Update VMware Tools
e1g6032e.sys	Intel NIC	Update from Intel/OEM
myfault.sys	NotMyFault (test)	Uninstall
avgntflt.sys	Avira AV kernel filter	Update or remove AV
cbfs6.sys	Various third-party	Identify and update parent app
storport.sys	Storage port driver	Run SFC; check HBA firmware

Phase 3: Driver Isolation with Driver Verifier

If the dump does not clearly identify the driver, use Driver Verifier to stress-test all non-Microsoft drivers:

Step 3.1 — Enable Driver Verifier

From an elevated Command Prompt:

verifier /standard /all

Restart the server. If the BSOD reproduces with Driver Verifier active, the dump will now contain precise information about which driver violated kernel rules.

Step 3.2 — Narrow Down to a Specific Driver

Once you have identified the vendor from the crash, apply verifier only to that driver:

verifier /standard /driver suspect_driver.sys

Step 3.3 — Disable Driver Verifier After Testing

verifier /reset

Then reboot. Do not leave Driver Verifier enabled in production — it significantly degrades performance.

Phase 4: System File and Image Repair

If the dump points to core Windows files (ntoskrnl.exe, hal.dll, win32k.sys), run a two-stage repair:

Step 4.1 — System File Checker

sfc /scannow

Review results in C:\Windows\Logs\CBS\CBS.log. If SFC reports it cannot repair some files, proceed to DISM.

Step 4.2 — DISM Health Restore

DISM /Online /Cleanup-Image /CheckHealth
DISM /Online /Cleanup-Image /ScanHealth
DISM /Online /Cleanup-Image /RestoreHealth

For offline repair (if the server cannot boot), mount the OS image and point DISM to it:

DISM /Image:C:\ /Cleanup-Image /RestoreHealth /Source:E:\sources\install.wim /LimitAccess

Phase 5: Hardware Validation

Step 5.1 — RAM Test

From the Recovery Environment or boot media:

mdsched.exe

For more thorough testing, boot from a MemTest86 USB and run at least 2 full passes. Memory errors cause unpredictable BSODs across all stop codes.

Step 5.2 — Storage Health

chkdsk C: /f /r /x

For NVMe or SAS/SATA SSDs, use the vendor tool (e.g., Samsung Magician, Seagate SeaTools, Dell OpenManage) to check for reallocated sectors or pending errors.

Step 5.3 — Update Firmware

Check your server OEM's support portal (Dell iDRAC/Lifecycle Controller, HPE SPP, Lenovo XClarity) for:

BIOS/UEFI firmware updates
NIC firmware (especially Intel X710/X550 family)
RAID/HBA controller firmware
SSD firmware

Outdated firmware is a frequent culprit that software-only fixes will never resolve.

Phase 6: Windows Server 2019 and 2022 Specific Notes

SYSTEM_SERVICE_EXCEPTION on Windows Server 2019 is frequently caused by:

Incompatible antivirus early launch anti-malware (ELAM) drivers after a Cumulative Update
Hyper-V integration services version mismatch between host and guest

Windows Server 2022 BSOD often involves:

Storage Spaces Direct (S2D) driver conflicts
NVMe driver incompatibilities after KB updates
Third-party backup agents hooking VSS at the kernel level

For Hyper-V guests on any Windows Server version, always ensure Integration Services are current by running inside the guest:

Get-WindowsFeature -Name Hyper-V-Tools

And on the host, update the VM Integration Services package via WSUS or Windows Update.

Phase 7: Preventive Measures

Configure WER (Windows Error Reporting) to collect full kernel dumps automatically.
Enable Automatic Memory Dump via Group Policy: Computer Configuration > Administrative Templates > System > Crash Control.
Subscribe to Microsoft Update Catalog RSS for your OS version to track problematic KBs before deployment.
Use Windows Server Update Services (WSUS) with a staged ring deployment: test updates on non-production VMs before rolling to production.
Deploy hardware monitoring via IPMI/iDRAC/iLO alerting for correctable ECC memory errors — these precede hard BSOD crashes.
Schedule quarterly firmware reviews aligned with your OEM's advisory cadence.

Frequently Asked Questions

powershell

# =============================================================
# Windows Server BSOD Diagnostic Script
# Works on: Windows Server 2012 R2, 2016, 2019, 2022
# Run from an elevated PowerShell prompt
# =============================================================

# --- 1. List all crash dumps with timestamps ---
Write-Host "`n[1] Crash Dump Files" -ForegroundColor Cyan
$dumpPath = "C:\Windows\Minidump"
if (Test-Path $dumpPath) {
    Get-ChildItem $dumpPath -Filter "*.dmp" | Sort-Object LastWriteTime -Descending |
        Select-Object Name, @{N='SizeMB';E={[math]::Round($_.Length/1MB,2)}}, LastWriteTime
} else {
    Write-Warning "No minidump directory found. Ensure kernel dump is configured."
}

# --- 2. Check current dump configuration ---
Write-Host "`n[2] Crash Dump Configuration" -ForegroundColor Cyan
$reg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
Write-Host "CrashDumpEnabled: $($reg.CrashDumpEnabled)  (2=Kernel, 1=Complete, 7=Automatic)"
Write-Host "DumpFile: $($reg.DumpFile)"
Write-Host "MiniDumpDir: $($reg.MiniDumpDir)"

# --- 3. Set to Kernel Memory Dump if not already configured ---
# Uncomment to apply:
# Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' -Name CrashDumpEnabled -Value 2

# --- 4. List recent System event errors (last 24 hours) ---
Write-Host "`n[3] Critical/Error Events (last 24h)" -ForegroundColor Cyan
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{LogName='System'; Level=1,2; StartTime=$since} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 20 |
    Format-Table -AutoSize

# --- 5. List recently installed drivers ---
Write-Host "`n[4] Recently Installed/Modified Drivers (last 30 days)" -ForegroundColor Cyan
$cutoff = (Get-Date).AddDays(-30)
Get-WinEvent -LogName System -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 7045 -and $_.TimeCreated -gt $cutoff } |
    Select-Object TimeCreated, @{N='Service';E={$_.Properties[0].Value}} |
    Sort-Object TimeCreated -Descending

# --- 6. List all non-Microsoft kernel drivers ---
Write-Host "`n[5] Third-Party Kernel Drivers (signed by non-Microsoft vendors)" -ForegroundColor Cyan
Get-WmiObject Win32_SystemDriver | Where-Object { $_.State -eq 'Running' } |
    ForEach-Object {
        $path = $_.PathName -replace '\\\?\\',''
        if (Test-Path $path) {
            $sig = Get-AuthenticodeSignature $path -ErrorAction SilentlyContinue
            if ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                [PSCustomObject]@{
                    Name    = $_.Name
                    State   = $_.State
                    Path    = $path
                    Signer  = $sig.SignerCertificate.Subject
                }
            }
        }
    } | Format-Table -AutoSize

# --- 7. Check WHEA hardware errors ---
Write-Host "`n[6] WHEA Hardware Error Events" -ForegroundColor Cyan
Get-WinEvent -LogName 'System' -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*WHEA*' } |
    Select-Object TimeCreated, Id, Message |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 10

# --- 8. Run SFC scan (requires reboot to apply fixes) ---
Write-Host "`n[7] Running System File Checker..." -ForegroundColor Cyan
sfc /scannow

# --- 9. Run DISM health check ---
Write-Host "`n[8] Running DISM Health Check..." -ForegroundColor Cyan
DISM /Online /Cleanup-Image /CheckHealth

# --- 10. Export Driver Verifier status ---
Write-Host "`n[9] Driver Verifier Status" -ForegroundColor Cyan
verifier /querysettings

# --- 11. Enable Driver Verifier on all non-Microsoft drivers (UNCOMMENT TO USE) ---
# WARNING: This will cause intentional BSODs on the offending driver. Use in test/maintenance only.
# verifier /standard /all
# Write-Host "Driver Verifier enabled. Reboot required. Monitor for BSOD, then run: verifier /reset" -ForegroundColor Yellow

# --- 12. Collect hotfix history ---
Write-Host "`n[10] Recent Windows Updates" -ForegroundColor Cyan
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 15 | Format-Table -AutoSize

Write-Host "`nDiagnostic collection complete. Review output above and check C:\Windows\Minidump for crash files." -ForegroundColor Green
Write-Host "Open dumps with WinDbg and run: !analyze -v" -ForegroundColor Green

Error Medic Editorial

The Error Medic Editorial team consists of senior DevOps engineers, SREs, and Windows Server administrators with combined experience managing enterprise infrastructure across Fortune 500 environments, government data centers, and cloud-hybrid deployments. Our contributors hold certifications including MCSE, CKA, and AWS Solutions Architect, and have spent thousands of hours analyzing kernel crash dumps, building automated remediation runbooks, and writing the guides they wished existed when facing production outages at 3 AM.

Sources

Explore More windows Guides

Acer Aspire Blue Screen of Death Fix: How to Stop BSOD Crashes on Acer Laptops

Fix Acer Aspire Blue Screen of Death errors fast. Step-by-step guide covering driver updates, RAM checks, overheating, and Windows repair commands.

Acer Aspire Blue Screen of Death Fix: Step-by-Step Troubleshooting Guide (BSOD Errors Solved)

Fix Acer Aspire blue screen of death errors fast. Covers MEMORY_MANAGEMENT, DRIVER_IRQL, KERNEL_SECURITY_CHECK and more. Step-by-step commands included.

Acer Aspire Blue Screen of Death Fix: Stop Codes, Causes & Complete Solutions

Fix Acer Aspire Blue Screen of Death errors fast. Covers MEMORY_MANAGEMENT, DRIVER_IRQL, KERNEL_SECURITY_CHECK_FAILURE & more with exact commands.