Share via

w3wp.exe Crashes on PDF Uploads After September 2025 CU in SharePoint Server Subscription Edition

Titus Tolbert (Sr. Dev Operation, Hoka corp) 500 Reputation points
2025-09-26T02:16:10.13+00:00

We manage an on-premises SharePoint Server Subscription Edition (Version 24H2, Build 16.0.10391.12115) environment integrated with Microsoft 365 for hybrid content management, supporting 150+ sites and document libraries. Following deployment of the September 2025 Cumulative Update (KB5002784), we are encountering intermittent w3wp.exe process crashes during uploads of digitally signed or password-protected PDF files, with the faulting module identified as ucrtbase.dll (Exception code: 0xc0000409).

ULS logs indicate errors related to file processing in the Binary Large Object (BLOB) cache and AMSI integration, occurring sporadically on worker processes handling document conversion requests. This disrupts user workflows, particularly in compliance-heavy scenarios requiring protected documents, and has led to partial data loss in affected uploads. SharePoint 2016/2019 instances in our farm remain unaffected.

We have reviewed Stefan Gossner's summary of September 2025 CU issues and confirmed the problem aligns with the reported PDF upload crashes under investigation. https://blog.stefan-gossner.com/2025/09/25/summary-and-status-of-issues-identified-with-september-2025-cu-for-sharepoint/

Any visible workarounds, including temporary disabling of AMSI filtering for PDFs via registry keys (e.g., HKLM\SOFTWARE\Microsoft\SharePoint\AMSI) or file extension exclusions, without compromising security?

Microsoft 365 and Office | SharePoint Server | For business
0 comments
Answer accepted by question author
  1. Teddie-D 8,875 Reputation points Microsoft External Staff Moderator
    2025-09-26T06:12:44.73+00:00

    Hi @Titus Tolbert (Sr. Dev Operation, Hoka corp) 

    Thank you for posting your question in the Microsoft Q&A forum. 

    Based on the symptoms you described, this aligns with the known issue under investigation for SharePoint Server Subscription Edition post-September 2025 CU (KB5002784), as noted in Stefan Gossner's summary and related discussions. No full resolution is available yet, but Microsoft recommends opening a support ticket for escalation, with a potential fix targeted in the October 2025 CU.  
    While waiting for an official fix, here are some mitigations you may try: 

    1.Rename file extension or compress into ZIP before upload:  
    Temporarily rename the .pdf extension (e.g., to .pdfx or .doc) prior to upload, then revert post-upload if needed. Alternatively, compress the PDF into a .zip archive for upload and extract it server-side via workflows or user action. This helps bypass AMSI-triggered crashes. 

    2.Exclude .pdf extensions from SharePoint Antivirus scans 
    In Central Administration > Security > Manage antivirus settings, add pdf under Exclude these file extensions from the scan (comma-separated if adding others). Save and run a full scan job to propagate. 

    Please note: this exclusion applies only to SharePoint-integrated antivirus scanning, not to OS-level Defender AMSI. Depending on your configuration, it may or may not fully mitigate the crash. 

    The registry-based AMSI workaround should not be used, because it is unsupported and undocumented. Microsoft has not released any official guidance or registry key to disable AMSI scanning for PDFs in SharePoint. Implementing such changes may lead to system instability or introduce unsupported behavior and should not be used in production environments.  

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".   

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread. 

    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Benjamin Freitag 101 Reputation points
    2025-10-17T07:58:10.1133333+00:00

    We're having the same Issue.

    Unfortunately this is not fixed with the October 2025 CU. w3wp.exe still crashes on two servers when uploading PDF files having signatures and protection.

    I just opened a new support case.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.