Using an Administrator Console:

------------------------------------------------------------------------------

C:> sc query sppsvc

SERVICE_NAME: sppsvc

        ...

        WIN32_EXIT_CODE : 0 (0x0)

        ...

C:> taskkill /f /pid 4

ERROR: The process with PID 4 could not be terminated.

Reason: Access is denied.

C:> taskkill /f /s localhost /pid 4

SUCCESS: The process with PID 4 has been terminated.

C:> sc start sppsvc

SERVICE_NAME: sppsvc

        ...

        STATE : 2 STATE_PENDING

        ...

C:> sc query sppsvc

        ...

        WIN32_EXIT_CODE : 5 (0x5)

        ...

------------------------------------------------------------------------------

...What?

Currently confirmed on Win7 SP1 and Win2k8 R2.

PS - If you're using McAfee products and execute these commands you have less than 7 days before your machine BSODs from mfehidk.sys [PAGE_FAULT_IN_NON_PAGED_AREA]. Heads up.

FYI: I know that PID 4 is SYSTEM, trying to taskkill SYSTEM is a fairly absurd notion, the system doesn't actually kill SYSTEM, sppsvc is the software protection platform service, code 5 is "Access Denied". The response I got back from the machine (SUCCESS) was equally absurd, and furthermore causes an instability which will eventually BSOD workstations and servers loaded with McAfee products.

Commands return same output for machines without McAfee products, but no BSOD has been observed yet.

Not sure how sppsvc is indirectly related to all of this, but it has been a predictive indicator of system instability so far (100% accuracy across 40+ observed machines).

Update: Seems to affect Windows 8 machines as well. Performance is starting to slow for them, and attempting to reboot them sticks on the "Restarting..." page.

I'm not sure what you're up to here. Why are you manually using taskkill against the Software Protection Service? You have tried killing this on 40+ machines?

You should probably just leave it alone, as it is a necessary service. Quote from a different thread: http://social.technet.microsoft.com/Forums/windowsserver/en-US/4613002e-3cb7-4bf9-9aca-ebf34cfe231d/sppsvc-services-just-keep-stoping?forum=winserver8gen

"As far as I know, the Software Protection Service will start and stop on demand, which means, the service will be started when its called. This is a normal behavior in Windows Server 2008 R2...In addition, the Software Protection Service handles the digital license for Windows and Windows applications in Windows 7 and Windows Server 2008 R2. It used to be the Software Licensing Service in Windows Vista and Windows Server 2008. It's normally used for the activation of Windows. For example, when there's any changes to the KMS activation."

Sorry, I think you misunderstood.

------------------------------------------------------------------------------

RECAP:

taskkill /f /pid 4 returns "Access Denied"

taskkill /f /s localhost /pid 4 returns "Success"

This puzzles me because they are logically the same command.

------------------------------------------------------------------------------

Examining the system, I'm noticing that when the above command results in "Success" the entire system becomes unstable/weird, but only machines on my network with McAfee (likely any AV with a mapping to ntoskrnl.exe or even a handle to it) tools are BSOD'ing. Examination of the logs show the best indicator of system instability or otherwise weirdness is the sppsvc returning 0x5 ("Access Denied") which will immediately return that exit code after being run (manually started via sc or by waiting for it to automatically restart).

------------------------------------------------------------------------------

sc start sppsvc attempts to start the SPP service manually

sc query sppsvc will return WIN32_EXIT_CODE 5 (0x5) -- Access Denied

This is the best indicator of system weirdness. Anywhere between 1-6 days later the machine BSOD's

------------------------------------------------------------------------------

Reboots/crashes solve the problem except that it's bad for uptime to be rebooting servers and workstations in a game of whack-a-mole. I believe that if the first two commands would behave the same that this state could be avoided. My suspicion is that ntoskrnl.exe is getting killed and restarted and anything that had a mapping to that area of memory (mostly drivers) will now fault and BSOD the machine. This is most apparent with AV tools. If my suspicion is true, then this should be considered a bug if only because the machine behaves differently when performing the same actions (logically).

• Edited by MadigonLIVE Wednesday, October 23, 2013 2:12 PM
• Marked as answer by Andy QiMicrosoft contingent staff, Moderator Monday, November 04, 2013 4:43 PM

This "taskkill /f /s localhost /pid 4" worked for me. Thanks!

Thanks.

The /s parameter did the trick for me.

By the way, this was my problem:

1. Building a Web App (VS 2012 Trial Version)
2. Using a Web Server (WS 2012 Trial Version)
3. Web App calls to MS Word (winword.exe)
4. IIS configurations require ApplicationPoolIdentity = <myAdminLogin>
5. MS Word application gets hung
6. Command Prompt taskkill /f /im winword.exe wouldn't work

I'm thoroughly annoyed with the permissions on this machine right now, if you could imagine.

Thank you for your help.

• Edited by __Elias__ 8 hours 48 minutes ago