ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Event Viewer displaying critical system events on a server monitoring dashboard
Event ID 26CriticalApplication PopupWindows

Windows Event ID 26 – Application Popup: System Process Terminated Unexpectedly

Event ID 26 indicates a critical system process has terminated unexpectedly, triggering Windows Error Reporting. This event typically signals serious system instability requiring immediate investigation.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 26Application Popup 5 methods 12 min
Event Reference

What This Event Means

Event ID 26 serves as Windows' early warning system for critical process failures that could lead to system-wide instability. When the Application Popup service detects that a system-critical process has terminated abnormally, it logs this event with detailed information about the failure. The event includes the process name, process ID, exit code, and timestamp, providing administrators with essential forensic data.

The Application Popup service monitors processes that Windows considers essential for system operation. These include core Windows services, security processes, and system components that, if terminated, could cause cascading failures throughout the operating system. The service uses internal process monitoring mechanisms to detect when these processes exit unexpectedly, whether due to crashes, forced termination, or other abnormal conditions.

In Windows 11 and Server 2025 environments, Microsoft has enhanced the detection capabilities to include more granular process monitoring and improved correlation with hardware telemetry. The event now provides better integration with Windows Defender and System Guard features, offering more context about potential security implications of process terminations.

The criticality of this event cannot be overstated. Systems experiencing frequent Event ID 26 occurrences often exhibit symptoms like random reboots, blue screens, service failures, or complete system lockups. The event serves as both a diagnostic tool and an early warning system, allowing administrators to identify and address underlying issues before they result in complete system failure.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Hardware failures including memory corruption, CPU instability, or storage device errors
  • Driver conflicts or corrupted device drivers causing system process crashes
  • Malware or rootkit activity terminating security processes or system components
  • System file corruption affecting critical Windows processes
  • Power supply issues causing unexpected process termination
  • Overheating components leading to system instability
  • Registry corruption affecting process startup or operation
  • Third-party security software conflicts with Windows processes
  • Windows Update failures leaving system processes in unstable states
  • Resource exhaustion causing critical processes to fail
Resolution Methods

Troubleshooting Steps

01

Analyze Event Details and System Context

Start by examining the specific details of Event ID 26 to understand which process terminated and under what circumstances.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSystem
  3. Filter for Event ID 26 by right-clicking the System log and selecting Filter Current Log
  4. Enter 26 in the Event IDs field and click OK
  5. Double-click the most recent Event ID 26 entry to view detailed information
  6. Note the process name, PID, exit code, and timestamp from the event description
  7. Use PowerShell to gather additional context about recent system events:
Get-WinEvent -FilterHashtable @{LogName='System'; Id=26} -MaxEvents 10 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

# Check for related critical events in the same timeframe
Get-WinEvent -FilterHashtable @{LogName='System'; Level=1,2,3} -MaxEvents 50 | Where-Object {$_.TimeCreated -gt (Get-Date).AddHours(-24)} | Format-Table TimeCreated, Id, LevelDisplayName, ProviderName

Document the process name and any error codes for further investigation in subsequent methods.

02

Check System File Integrity and Windows Health

Verify that critical system files are intact and Windows components are functioning correctly.

  1. Open an elevated Command Prompt by pressing Win + X and selecting Windows Terminal (Admin)
  2. Run System File Checker to scan for corrupted system files:
sfc /scannow
  1. If SFC finds issues, run DISM to repair the Windows image:
DISM /Online /Cleanup-Image /RestoreHealth
  1. Check Windows component health using PowerShell:
# Check Windows Update health
Get-WindowsUpdateLog

# Verify critical services are running
Get-Service | Where-Object {$_.Status -eq 'Stopped' -and $_.StartType -eq 'Automatic'} | Format-Table Name, Status, StartType

# Check for pending reboots
if (Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired" -ErrorAction SilentlyContinue) {
    Write-Host "Pending reboot required for Windows Updates" -ForegroundColor Yellow
}
  1. Review the CBS.log file for detailed information about system file repairs:
Get-Content C:\Windows\Logs\CBS\CBS.log | Select-String "error|corrupt|fail" | Select-Object -Last 20
Pro tip: Run these scans during maintenance windows as they can be resource-intensive and may require system restarts.
03

Investigate Hardware and Driver Issues

Examine hardware stability and driver conflicts that could cause critical process termination.

  1. Check system stability using Windows Memory Diagnostic:
mdsched.exe

Schedule a memory test for the next reboot and restart the system.

  1. After the memory test, check results in Event Viewer under Windows LogsSystem, filtering for Source: MemoryDiagnostics-Results
  2. Examine recent driver installations and updates:
# Check for recently installed drivers
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Kernel-PnP'} -MaxEvents 50 | Where-Object {$_.TimeCreated -gt (Get-Date).AddDays(-7)} | Format-Table TimeCreated, Id, Message -Wrap

# List all installed drivers with dates
Get-WindowsDriver -Online | Sort-Object Date -Descending | Select-Object -First 20 | Format-Table ProviderName, ClassName, DriverVersion, Date
  1. Check Device Manager for problematic devices:
# Get devices with problems
Get-PnpDevice | Where-Object {$_.Status -ne 'OK'} | Format-Table FriendlyName, Status, InstanceId
  1. Review hardware error logs:
# Check for hardware errors
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Kernel-Processor-Power','Microsoft-Windows-Kernel-General'} -MaxEvents 20 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
Warning: If memory errors are detected, schedule immediate hardware replacement as continued operation may result in data corruption.
04

Analyze Process Dumps and Windows Error Reporting

Examine crash dumps and Windows Error Reporting data to identify the root cause of process termination.

  1. Check if Windows Error Reporting has captured crash dumps:
# Check WER report locations
$WERPath = "$env:LOCALAPPDATA\Microsoft\Windows\WER\ReportQueue"
Get-ChildItem $WERPath -Recurse | Where-Object {$_.Name -like "*.dmp"} | Sort-Object LastWriteTime -Descending | Select-Object -First 10 | Format-Table Name, LastWriteTime, Length
  1. Configure system to create full memory dumps for critical process failures:
# Enable full memory dumps (requires restart)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl" -Name "CrashDumpEnabled" -Value 1
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl" -Name "DumpFile" -Value "C:\Windows\MEMORY.DMP"
  1. Check Windows Error Reporting settings and recent reports:
# View WER configuration
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting" | Format-List

# Check recent error reports
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='Windows Error Reporting'} -MaxEvents 20 | Format-Table TimeCreated, Id, Message -Wrap
  1. Use Process Monitor to capture real-time process activity:

Download and run Process Monitor (ProcMon) from Microsoft Sysinternals to capture detailed process and file system activity during the time when Event ID 26 occurs.

  1. Enable advanced logging for the specific process that's terminating:
# Enable process tracking in audit policy
auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable

# Check process termination events
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4689} -MaxEvents 20 | Format-Table TimeCreated, Message -Wrap
05

Advanced System Recovery and Prevention

Implement comprehensive system recovery measures and establish monitoring to prevent future occurrences.

  1. Create a system restore point before making changes:
# Create restore point
Checkpoint-Computer -Description "Before Event ID 26 Investigation" -RestorePointType "MODIFY_SETTINGS"
  1. Reset Windows Error Reporting and related services:
# Stop and restart WER service
Stop-Service -Name "WerSvc" -Force
Start-Service -Name "WerSvc"

# Clear WER report queue
Remove-Item "$env:LOCALAPPDATA\Microsoft\Windows\WER\ReportQueue\*" -Recurse -Force -ErrorAction SilentlyContinue

# Reset Application Experience service
Restart-Service -Name "AeLookupSvc" -Force
  1. Configure enhanced monitoring and alerting:
# Create scheduled task to monitor for Event ID 26
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-Command Get-WinEvent -FilterHashtable @{LogName='System'; Id=26} -MaxEvents 1 | Out-File C:\Logs\Event26Alert.log -Append"
$Trigger = New-ScheduledTaskTrigger -AtStartup
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
Register-ScheduledTask -TaskName "Event26Monitor" -Action $Action -Trigger $Trigger -Settings $Settings -User "SYSTEM"
  1. Implement system hardening measures:
# Enable DEP for all programs
bcdedit /set nx AlwaysOn

# Configure automatic restart settings
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl" -Name "AutoReboot" -Value 0

# Enable boot logging
bcdedit /set bootlog yes
  1. Set up comprehensive logging and establish baseline monitoring:
# Increase system log size
Limit-EventLog -LogName System -MaximumSize 100MB -OverflowAction OverwriteAsNeeded

# Enable additional audit policies
auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable

# Create monitoring script
$MonitorScript = @"
Get-WinEvent -FilterHashtable @{LogName='System'; Id=26; StartTime=(Get-Date).AddHours(-1)} -ErrorAction SilentlyContinue | 
ForEach-Object {
    Send-MailMessage -To 'admin@company.com' -From 'server@company.com' -Subject 'Critical: Event ID 26 Detected' -Body `$_.Message -SmtpServer 'mail.company.com'
}
"@
$MonitorScript | Out-File C:\Scripts\Event26Monitor.ps1
Pro tip: Consider implementing Windows Performance Toolkit (WPT) for advanced performance analysis if Event ID 26 continues to occur after basic troubleshooting.

Overview

Event ID 26 from Application Popup represents one of the most serious system events you'll encounter in Windows environments. This event fires when a critical system process terminates unexpectedly, often resulting in system instability or immediate shutdown. The Application Popup service generates this event as part of Windows Error Reporting (WER) when the system detects that a vital process has crashed or been forcibly terminated.

Unlike standard application crashes, Event ID 26 specifically targets system-level processes that are essential for Windows operation. When this event appears in your logs, it indicates that Windows has detected a process termination that could compromise system stability. The event typically includes details about the terminated process, exit codes, and timing information that are crucial for root cause analysis.

This event commonly appears in the System log and requires immediate attention from system administrators. The timing and frequency of these events can indicate hardware failures, driver conflicts, malware activity, or critical system file corruption. Understanding the context and investigating the underlying cause is essential for maintaining system reliability and preventing potential data loss or extended downtime.

Frequently Asked Questions

What does Event ID 26 from Application Popup mean and how critical is it?+
Event ID 26 from Application Popup indicates that a critical system process has terminated unexpectedly. This is one of the most serious events in Windows, as it signals that a process essential for system stability has crashed or been forcibly terminated. The event is critical because it often precedes system instability, blue screens, or complete system failure. When you see this event, it requires immediate investigation as it typically indicates underlying hardware problems, driver conflicts, malware activity, or severe system corruption. The Application Popup service generates this event as part of Windows Error Reporting to alert administrators that system integrity may be compromised.
Which processes typically trigger Event ID 26 and what do they indicate?+
Event ID 26 is commonly triggered by the termination of critical Windows processes such as csrss.exe (Client Server Runtime Process), winlogon.exe (Windows Logon Process), lsass.exe (Local Security Authority Subsystem), services.exe (Service Control Manager), or smss.exe (Session Manager Subsystem). Each process termination indicates different potential issues: csrss.exe failures often point to hardware problems or driver conflicts, winlogon.exe termination suggests authentication system issues or malware, lsass.exe crashes indicate security subsystem problems, services.exe failures point to service management issues, and smss.exe termination suggests fundamental system startup problems. The specific process mentioned in the event details provides crucial clues about the root cause and helps direct troubleshooting efforts.
How can I prevent Event ID 26 from occurring in my Windows environment?+
Preventing Event ID 26 requires a multi-layered approach focusing on system stability and proactive monitoring. Implement regular hardware health checks including memory diagnostics, disk health monitoring, and temperature monitoring to catch hardware issues early. Maintain current drivers and Windows updates while testing them in non-production environments first. Deploy comprehensive endpoint protection to prevent malware that could terminate critical processes. Establish baseline monitoring using Performance Monitor and Windows Event Forwarding to detect anomalies before they cause process termination. Configure proper system resource allocation and monitoring to prevent resource exhaustion. Implement regular system file integrity checks using SFC and DISM. Most importantly, establish redundancy and backup systems so that if Event ID 26 does occur, you can quickly restore service with minimal downtime.
What should I do immediately when Event ID 26 appears in my logs?+
When Event ID 26 appears, take immediate action to prevent system failure and gather diagnostic information. First, check if the system is still stable and responsive - if not, plan for controlled shutdown and restart. Immediately capture the event details including the terminated process name, PID, exit code, and timestamp. Check for additional related events in the System and Application logs within the same timeframe. Run quick hardware diagnostics including memory test scheduling and disk health checks. Verify that critical services are still running and restart any that have stopped. Create a system restore point if the system is stable enough. Document all symptoms and recent changes to the system. If multiple Event ID 26 occurrences appear in quick succession, prepare for potential system failure and ensure backups are current. Contact hardware vendors if the events correlate with specific hardware components.
How do I analyze crash dumps related to Event ID 26 for root cause analysis?+
Analyzing crash dumps for Event ID 26 requires systematic examination of memory dumps and Windows Error Reporting data. First, locate crash dumps in %LOCALAPPDATA%\Microsoft\Windows\WER\ReportQueue\ and C:\Windows\Minidump\ directories. Use Windows Debugging Tools (WinDbg) or Visual Studio to analyze dump files - look for the faulting module, exception codes, and call stack information. Check the dump analysis for memory corruption patterns, driver issues, or third-party software conflicts. Correlate dump timestamps with Event ID 26 occurrences to confirm relationship. Use the !analyze -v command in WinDbg to get automated analysis of the crash. Look for common patterns like IRQL_NOT_LESS_OR_EQUAL, SYSTEM_SERVICE_EXCEPTION, or CRITICAL_PROCESS_DIED bug checks. Cross-reference any identified drivers or modules with recent updates or known issues. If dumps consistently point to the same module or driver, research vendor-specific solutions or consider rolling back recent changes. Document findings and create a remediation plan based on the root cause identified in the dump analysis.
Documentation

References (2)

1
Windows Error Reporting OverviewOfficial Microsoft documentation covering Windows Error Reporting architecture and configurationhttps://docs.microsoft.com/en-us/windows/win32/wer/windows-error-reporting
2
Debugging Tools for WindowsMicrosoft's comprehensive guide to Windows debugging tools including WinDbg for crash dump analysishttps://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-26#critical-events#system-stability

Related Windows Events

Windows Event Viewer displaying critical system events on a professional monitoring setup in a server room
Event 76
Application Popup
Windows EventError

Windows Event ID 76 – Application Popup: System Process Terminated Unexpectedly

Event ID 76 indicates a critical system process has terminated unexpectedly, triggering Windows to display an application error popup and potentially initiate system recovery procedures.

March 1812 min
System administrator analyzing Windows Event Viewer showing critical system errors on monitoring dashboard
Event 25
Application Popup
Windows EventError

Windows Event ID 25 – Application Popup: System Process Terminated Unexpectedly

Event ID 25 indicates a critical system process has terminated unexpectedly, triggering Windows Error Reporting. This event typically signals driver issues, memory corruption, or system instability requiring immediate investigation.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...