Trending Issue: SPAdminV4 fails to start on Windows Server 2025 after installing September 2025 CU

To enhance security, a new Exploit Protection setting was added to Windows when installing the September 2025 CU.
This setting works as expected on Windows Server 2022 but causes the SharePoint Administration Service to fail on Windows Server 2025.

Symptom

Running the SharePoint Configuration Wizard for SharePoint Server Subscription Edition on Windows Server 2025 fails and shows the following error:

An exception of type System.InvalidOperationException was thrown. Additional exception information: Cannot start service SPAdminV4 on computer '.'.

Another symptom is that starting the SPAdminV4 service (SharePoint Administration) using the Services management console fails.

In the application event log the following error is listed:

Faulting application name: WSSADMIN.EXE, version: 16.0.19127.20100, time stamp: 0xcb8febdd, Faulting module name: PayloadRestrictions.dll, version: 10.0.26100.1150, time stamp: 0x19def02b

Solution

This issue is currently under investigation.

To mitigate the problem, use the following workaround:

Open Windows Settings and navigate to the following Exploit Protection settings:

Windows Settings
  Privacy & Security
    Windows Security
      App & Browser Control
        Exploit Protection Settings
          Program Settings
            WSSADMIN.EXE

Edit the settings for WSSADMIN.EXE and disable the following options:

  • Export address filtering (EAF)
  • Import address filtering (IAF)
  • Validate stack integrity (StackPivot)

After applying these changes the SharePoint Administration Service can be started successfully.
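
The same workaround as a PowerShell sequence, for hosts where the Settings UI is not available (an added example, not part of the original post). It checks the Application log for the crash signature quoted above before changing anything, keeps a record of the current Exploit Protection configuration (the backup path is an assumption), and disables only the three listed mitigations for WSSADMIN.EXE.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
$exe    = 'WSSADMIN.EXE'
$svc    = 'SPAdminV4'
$opts   = 'EnableExportAddressFilter', 'EnableImportAddressFilter', 'EnableRopStackPivot'
$backup = Join-Path $env:TEMP 'ExploitProtection-before.xml'   # assumed backup location

# 1. Look for the crash signature from the article: Application Error (event ID 1000)
#    naming both WSSADMIN.EXE and PayloadRestrictions.dll.
$crashes = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'WSSADMIN\.EXE' -and
                   $_.Message -match 'PayloadRestrictions\.dll' })

if ($crashes.Count -eq 0) {
    Write-Warning "No $exe crash in PayloadRestrictions.dll logged; Exploit Protection left unchanged."
}
else {
    "{0} matching crash event(s), latest at {1}" -f $crashes.Count, $crashes[0].TimeCreated

    # 2. Keep a record of the current per-program configuration before relaxing it.
    Get-ProcessMitigation -RegistryConfigFilePath $backup

    # 3. Disable only the three mitigations listed in the article, for this one executable.
    Set-ProcessMitigation -Name $exe -Disable $opts

    # 4. Show the resulting state of those three settings, then start the service.
    (Get-ProcessMitigation -Name $exe).Payload | Select-Object $opts | Format-List
    Start-Service -Name $svc
    Get-Service -Name $svc | Select-Object Name, Status
}

# To revert once a fix is available:
#   Set-ProcessMitigation -Name $exe -Enable $opts
```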

34 Comments


  1. Hi Stefan,
    per my research, it should be enough to only disable:
    – IAF,
    – EAF
    – StackPivot

    BR
    Robi

    Reply

  2. Hi Stefan. Should the title read: “SPAdminV4” instead of “SPTimerV4”?

    Reply

    1. Hi Brett, yes indeed! Fixed it. Thanks, Stefan

      Reply

  3. Hi Stefan,
    Can you confirm if this is affecting only SharePoint SE on Windows Server 2025? Or older SP versions might be impacted. Does this issue occur on Windows Server 2019 which also has Exploit Prevention feature?

    Reply

    1. Hi Egor,
      from my testing this affects only SharePoint Server Subscription Edition and only on Windows Server 2025.
      So far I have also not seen any customer reports for this issue for older Windows Server versions.
      Cheers,
      Stefan

      Reply

  4. I have not had success getting the farm to upgrade. We were on the old version of the workflow manager. Tried for quite a while, now a fresh 2022 server trying to re-join the existing workflow farm, keep getting this error:
    PS C:\Program Files\Workflow Manager\1.0> Add-SBHost -SBFarmDBConnectionString 'Data Source=[theserver];Initial Catalog=SbManagementDB;Integrated Security=True;Encrypt=False' -RunAsPassword $SBRunAsPassword -EnableFirewallRules $true -CertificateAutoGenerationKey $SBCertificateAutoGenerationKey -Verbose;
    Add-SBHost : Cannot validate argument on parameter ‘SBFarmDBConnectionString’. Could not load file or assembly
    ‘System.Memory, Version=4.0.1.1, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51’ or one of its dependencies. The
    system cannot find the file specified.

    I am getting this both in the program itself, and from powershell. I get this with both Add-SBHost and New-SBFarm… Any pointers?

    Reply

    1. Upgrading Classic Workflow Manager to SPWFM is quite tricky, you have to perform things in exact sequence, and there are some known issues with the database connection strings. You may need to open a MS support case to help you resolve.

      I found that I couldn’t skip straight to Aug2025 SPWFM when upgrading. I had to install the base version from April 2025, perform the Join Existing Workflow Farm tasks and schema upgrade tasks, and then afterwards patch to Aug2025 SPWFM CU.

      The changes in Aug2025 SPWFM don’t seem to be able to cope with upgrading the Classic SPWFM farm in one hit. We needed manual workflow database table edits to remove “Asynchronous Processing=True” from the connection strings, and removing / re-joining the farm and reinstalling binaries a few times… alongside using Stefan’s script to add new SQL database connectivity layer assemblies into the GAC.
      It took me days of rolling back snapshots and re-doing the upgrade sequence to find something that was successful. Fun times all around! Best of luck 🙂

      Reply

  5. Hi Stefan,

    I have a test farm with the error and I’ve mitigated the SPAdminV4 start problem. But I still can’t complete the SharePoint Configuration Wizard because I am getting this new error:

    Se inició una excepción de tipo Microsoft.SharePoint.PostSetupConfiguration.PostSetupConfigurationTaskException. Información adicional de la excepción:
    Number of user defined objects dropped incorrectly = ‘2554’ (ID de evento:ajyyy)
    User Defined Object [proc_GetVersion] Modified (ID de evento:ajyyz)
    User Defined Object [proc_SetVersion] Modified (ID de evento:ajyyz)
    User Defined Object [TVF_AllDocs_ALL] Modified (ID de evento:ajyyz)
    User Defined Object [TVF_AllDocs_NoLock_ALL] Modified (ID de evento:ajyyz)

    Any idea why this happens?

    Reply

    1. Hi Ricardo,
      I have not seen this error. I would suggest to open a ticket with Microsoft Support to get assistance.
      Cheers,
      Stefan

      Reply

      1. Hi Stefan,

        I solved all the issues after reviewing the db_owner permissions of the Farm service account in all SQL databases and running the configuration with the following command:

        psconfig.exe -cmd helpcollections -installall -cmd secureresources -cmd services -install -cmd installfeatures -cmd applicationcontent -install -cmd upgrade -inplace b2b -force -wait

        Reply

        1. Perfect! Thanks for the update!

          Reply

  6. I tried on Windows 2025 and SP SE, even after adding db_owner permissions of the Farm Service Account in all SQL Databases -> same issue 🙁

    Reply

    1. Hi Sarteel,
      this issue discussed in this post is not related to SQL permissions.
      It is caused by Windows Exploit Protection settings.
      Cheers,
      Stefan

      Reply

  7. Hello, do you have any news about the investigation or not?

    Reply

    1. Hi Nathan,
      the issue discussed in this blog post is currently being investigated.
      Right now, please use the workaround discussed above in the article.
      Cheers,
      Stefan

      Reply

  8. After Sep SPSE update, I am getting

    Faulting application name: w3wp.exe, version: 10.0.20348.1, time stamp: 0x405e4c14
    Faulting module name: KERNELBASE.dll, version: 10.0.20348.3932, time stamp: 0x4c7b412e
    Exception code: 0xe0434352
    Fault offset: 0x000000000003f46c
    Faulting process id: 0x6a4
    Faulting application start time: 0x01dc37a7ae8da7b5
    Faulting application path: c:\windows\system32\inetsrv\w3wp.exe
    Faulting module path: C:\Windows\System32\KERNELBASE.dll
    Report Id: c73b67b3-a189-44ba-ad31-cb0c87f85833
    Faulting package full name:
    Faulting package-relative application ID:

    Faulting application name: w3wp.exe, version: 10.0.20348.1, time stamp: 0x405e4c14
    Faulting module name: owssvr.dll, version: 16.0.19127.20100, time stamp: 0x689cd397
    Exception code: 0xc0000409
    Fault offset: 0x000000000033b39b
    Faulting process id: 0x24fc
    Faulting application start time: 0x01dc37a6fdd54617
    Faulting application path: c:\windows\system32\inetsrv\w3wp.exe
    Faulting module path: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\isapi\owssvr.dll
    Report Id: f8ac4061-0615-4689-a4bf-86ad154910cb
    Faulting package full name:
    Faulting package-relative application ID:
    from app logs

    and
    A process serving application pool ‘SharePoint – 80’ suffered a fatal communication error with the Windows Process Activation Service. The process id was ‘13952’. The data field contains the error number.
    from system logs.

    Reply

    1. It turned out “Virto calendar web part” was causing the issue, after turning it off everything became normal.

      Reply

        1. Still having the same issue but different cause, when a user attempts to access http://yoursharepointsite/_vti_bin/blah.asmx
          It raises same app error eventID: 1000, Faulting module name: KERNELBASE.dll and Faulting module name: owssvr.dll and w3wp resets.

          Reply

          1. Hi Alex,
            I would recommend to open a ticket with Microsoft support to get this analyzed.
            Support might provide you instructions to create a dump for the above crash to analyze what is causing this issue.
            Cheers,
            Stefan


  9. Moin Stefan,
    do you have any idea how this solution can be applied to a Server Core?
    Best regards
    jo

    Reply

    1. Hi Jo,
      I would assume, that there are ways to configure this using PowerShell – but this Windows feature is not my area of expertise.
      Maybe someone else can provide insights?
      Cheers,
      Stefan

      Reply

      1. I’m not an expert but the following PowerShell CmdLet should disable the Exploit Prevention settings for the WSSADMIN.EXE.

        Set-ProcessMitigation
        https://learn.microsoft.com/en-us/powershell/module/processmitigations/set-processmitigation?view=windowsserver2025-ps

        #Disable – Export address filtering (EAF)
        Set-ProcessMitigation -Name WSSADMIN.EXE -Disable EnableExportAddressFilter
        #Disable – Import address filtering (IAF)
        Set-ProcessMitigation -Name WSSADMIN.EXE -Disable EnableImportAddressFilter
        #Disable – Validate stack integrity (StackPivot)
        Set-ProcessMitigation -Name WSSADMIN.EXE -Disable EnableRopStackPivot

        Reply

  10. I setup a fresh SharePoint Server Subscription Edition on Windows Server 2025 with the latest October Updates.
    Surprisingly, the Windows Exploit Protection doesn’t have any configurations for SharePoint processes like WssAdmin.exe, OwsTimer.exe, etc.
    Stefan, do you have any further information on this? Were these security enhancements removed? What are the current recommendations for the Exploit Protection Settings?

    Reply

    1. Really? That’s interesting.
      Haven’t tried that. So far I only upgraded to October CU and did not create a fresh installation.
      I assume you did not just install the binaries but ran the SharePoint configuration wizard to create the farm, correct?
      Cheers,
      Stefan

      Reply

      1. Yes, I installed SharePoint Server Subscription Edition RTM, then installed the October 2025 binaries and then ran the SharePoint Products Configuration Wizard to create the farm.

        Reply

  11. During a routine W2022 server 4Server deployment we installed this patch and immediately after SPConfig we lost all HTTP/S endpoints. User URLs, SecurityTokenService. Everything.

    But nothing really “logged” in Events, ULS, etc.

    All App Pools are running and were before, all sites up. Cannot access CA or user endpoints.

    Wow this is catastrophic! Last patch was September so…

    Reply

  12. In my environment I have the October 2025 binaries installed. The SharePoint Products Configuration Wizard runs successfully. I have even disabled the Exploit Prevention settings for the WSSADMIN.EXE as suggested.
    Nevertheless, I can’t get the SharePoint Administration Service running.
    Any ideas?

    Reply

    1. Hi Werner,
      did you remove the Exploit Protection Setting entry for WSSAdmin or did you only disable certain settings?
      If you only disabled, try to remove the whole entry. If this does not work the reason is most likely caused by 3rd party apps which redirect system calls to their own application. AV solutions and system monitoring software are candidates for this.
      Uninstall the AV solutions and monitoring software and try again. Just disable is not sufficient as this will in most cases not revert the redirected system calls – instead it only disables some of the logic in the redirected methods.
      Cheers,
      Stefan

      Reply

  13. Hi Stefan
    Great, it has helped to remove the whole entry. It works now as expected.
    thx and cheers,
    Werner

    Reply

  14. Hi Stefan, has this problem been fixed in the current CU? Best regards, Reto

    Reply
