Edit

Share via

Windows Stop Error - #0x000000EF "Critical Process Died"

  • Article

Applies to: ✔️ Windows VMs

This article provides steps to resolve issues where a critical process dies during boot in an Azure VM.

Symptom

When you use Boot diagnostics to view the screenshot of the VM, you will see that the screenshot displays the error #0x000000EF with the message Critical Process Died.

Screenshot shows Your PC ran into a problem and needs to restart. We're just collecting some error info, and then you can restart.

Cause

Usually, this is due to a critical system process failing during boot. You can read more about critical process issues at "Bug Check 0xEF: CRITICAL_PROCESS_DIED".

Solution

Process Overview

Tip

If you have a recent backup of the VM, you may try restoring the VM from the backup to fix the boot problem.

  1. Create and Access a Repair VM.
  2. Fix any OS Corruption.
  3. Recommended: Before you rebuild the VM, enable serial console and memory dump collection.
  4. Rebuild the VM.

Note

When encountering this boot error, the Guest OS is not operational. You will be troubleshooting in Offline mode to resolve this issue.

Create and Access a Repair VM

  1. Use steps 1-3 of the VM Repair Commands to prepare a Repair VM.
  2. Using Remote Desktop Connection connect to the Repair VM.

Fix any OS Corruption

  1. Open an elevated command prompt.

  2. Run the following System File Checker (SFC) command:

    sfc /scannow /offbootdir=<BOOT DISK DRIVE>:\ /offwindir=<BROKEN DISK DRIVE>:\windows

    • Where <BOOT DISK DRIVE> is the boot partition of the broken VM, and <BROKEN DISK DRIVE> is the OS partition of the broken VM. Replace the greater than / less than symbols as well as the text contained within them, e.g. "< text here >", with the appropriate letter.

  3. Next, use step 5 of the VM Repair Commands to reassemble the VM and see if it boots.

  4. If the VM is still not booting, then continue to collect the memory dump file.

Collect the memory dump file

If the issue persists after running SFC, analysis of a memory dump file will be required to determine the cause of the issue. To collect the memory dump file, follow these steps:

Step 1: Locate the dump file and submit a support ticket

Part 1: Attach the OS disk to a recovery VM

  1. Take a snapshot of the OS disk of the affected VM to create a backup. For more information, see Create a snapshot of a virtual hard disk.

  2. Attach the OS disk to a recovery VM.

  3. Use remote desktop protocol (RDP) to connect remotely to the recovery VM.

  4. If the OS disk of the affected VM is encrypted, turn off encryption before you go to the next step. For more information, see Decrypt the encrypted OS disk.

Part 2: Locate the dump file and submit a support ticket

  1. On the recovery VM, go to the Windows folder on the attached OS disk. For example, if the drive letter that's assigned to the attached OS disk is F, go to F:\Windows.

  2. Locate the Memory.dmp file, and then submit a support ticket and attach the dump file.

If you can't find the dump file, go to the next steps to enable the dump log and the serial console, and then reproduce the issue.

Step 2: Enable the dump log and the serial console

Important

This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For protection, back up the registry before you modify it so that you can restore it if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows.

To enable the dump log and the serial console, follow these steps:

  1. Open an elevated command prompt session as an administrator.

  2. Run the following BCDEdit commands using the /ems and /emssettings options:

    Enable the serial console:

    bcdedit /store <volume-letter-containing-the-bcd-folder>:\boot\bcd /ems {<boot-loader-identifier>} ON
bcdedit /store <volume-letter-containing-the-bcd-folder>:\boot\bcd /emssettings EMSPORT:1 EMSBAUDRATE:115200

  3. Verify that the free space on the OS disk is larger than the memory size (RAM) on the VM.

    If there isn't enough space on the OS disk, change the location where the memory dump file is created, and refer that location to any data disk attached to the VM that has enough free space. To change the location, replace %SystemRoot% with the drive letter of the data disk, such as F:, in the following commands.

    To enable the OS dump file, run the following load, add, and unload commands to implement the suggested configuration using the reg tool:

    Load the registry hive from the broken OS disk:

    reg load HKLM\<broken-system> <volume-letter-of-broken-os-disk>:\windows\system32\config\SYSTEM

    Enable on ControlSet001:

    reg add "HKLM\<broken-system>\ControlSet001\Control\CrashControl" /v CrashDumpEnabled /t REG_DWORD /d 1 /f
reg add "HKLM\<broken-system>\ControlSet001\Control\CrashControl" /v DumpFile /t REG_EXPAND_SZ /d "%SystemRoot%\MEMORY.DMP" /f
reg add "HKLM\<broken-system>\ControlSet001\Control\CrashControl" /v NMICrashDump /t REG_DWORD /d 1 /f

    Enable on ControlSet002:

    reg add "HKLM\<broken-system>\ControlSet002\Control\CrashControl" /v CrashDumpEnabled /t REG_DWORD /d 1 /f
reg add "HKLM\<broken-system>\ControlSet002\Control\CrashControl" /v DumpFile /t REG_EXPAND_SZ /d "%SystemRoot%\MEMORY.DMP" /f
reg add "HKLM\<broken-system>\ControlSet002\Control\CrashControl" /v NMICrashDump /t REG_DWORD /d 1 /f

    Unload the broken OS disk:

    reg unload HKLM\<broken-system>

To enable Serial Console and memory dump collection, follow these steps:

  1. Open an elevated command prompt session as an administrator.

  2. Run the following BCDEdit commands using the /ems and /emssettings options:

    Enable the serial console:

    bcdedit /store <volume-letter-containing-the-bcd-folder>:\boot\bcd /ems {<boot-loader-identifier>} ON
bcdedit /store <volume-letter-containing-the-bcd-folder>:\boot\bcd /emssettings EMSPORT:1 EMSBAUDRATE:115200

  3. Verify that the free space on the OS disk is larger than the memory size (RAM) on the VM.

    If there isn't enough space on the OS disk, change the location where the memory dump file is created, and refer that location to any data disk attached to the VM that has enough free space. To change the location, replace %SystemRoot% with the drive letter of the data disk, such as F:, in the following commands.

    To enable the OS dump file, run the following load, add, and unload commands to implement the suggested configuration using the reg tool:

    Load the registry hive from the broken OS disk:

    reg load HKLM\<broken-system> <volume-letter-of-broken-os-disk>:\windows\system32\config\SYSTEM

    Enable on ControlSet001:

    reg add "HKLM\<broken-system>\ControlSet001\Control\CrashControl" /v CrashDumpEnabled /t REG_DWORD /d 1 /f
reg add "HKLM\<broken-system>\ControlSet001\Control\CrashControl" /v DumpFile /t REG_EXPAND_SZ /d "%SystemRoot%\MEMORY.DMP" /f
reg add "HKLM\<broken-system>\ControlSet001\Control\CrashControl" /v NMICrashDump /t REG_DWORD /d 1 /f

    Enable on ControlSet002:

    reg add "HKLM\<broken-system>\ControlSet002\Control\CrashControl" /v CrashDumpEnabled /t REG_DWORD /d 1 /f
reg add "HKLM\<broken-system>\ControlSet002\Control\CrashControl" /v DumpFile /t REG_EXPAND_SZ /d "%SystemRoot%\MEMORY.DMP" /f
reg add "HKLM\<broken-system>\ControlSet002\Control\CrashControl" /v NMICrashDump /t REG_DWORD /d 1 /f

    Unload the broken OS disk:

    reg unload HKLM\<broken-system>

Rebuild the Original VM

Use step 5 of the VM Repair Commands to reassemble the VM.

Contact us for help

If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.