vmwp.exe - Avast antivirus and Hyper-V 2016 have an issue since july 2024

[Tom610]

Starting last week we had 3 customers until now that all have Hyper-V Servers with Windows Server 2016 in place that where unable to start most of their VMs. This problem ist related to an application error that looks like this (german eventlog):

Protokollname: Application
Quelle:        Application Error
Datum:         28.07.2024 14:29:18
Ereignis-ID:   1000
Aufgabenkategorie:(100)
Ebene:         Fehler
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      Servername
Beschreibung:
Name der fehlerhaften Anwendung: vmwp.exe, Version: 10.0.14393.3986, Zeitstempel: 0x5f77fd5c
Name des fehlerhaften Moduls: ntdll.dll, Version: 10.0.14393.3986, Zeitstempel: 0x5f77fd0d
Ausnahmecode: 0xc0000409
Fehleroffset: 0x000000000009598f
ID des fehlerhaften Prozesses: 0x269c
Startzeit der fehlerhaften Anwendung: 0x01dae0e9c43038c6
Pfad der fehlerhaften Anwendung: C:\Windows\System32\vmwp.exe
Pfad des fehlerhaften Moduls: C:\Windows\SYSTEM32\ntdll.dll
Berichtskennung: 67b11b99-0415-4be5-bdb4-388c7e0f632e
Vollständiger Name des fehlerhaften Pakets:
Anwendungs-ID, die relativ zum fehlerhaften Paket ist:
Ereignis-XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2024-07-28T12:29:18.511213100Z" />
    <EventRecordID>332694</EventRecordID>
    <Channel>Application</Channel>
    <Computer>HV01</Computer>
    <Security />
  </System>
  <EventData>
    <Data>vmwp.exe</Data>
    <Data>10.0.14393.3986</Data>
    <Data>5f77fd5c</Data>
    <Data>ntdll.dll</Data>
    <Data>10.0.14393.3986</Data>
    <Data>5f77fd0d</Data>
    <Data>c0000409</Data>
    <Data>000000000009598f</Data>
    <Data>269c</Data>
    <Data>01dae0e9c43038c6</Data>
    <Data>C:\Windows\System32\vmwp.exe</Data>
    <Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
    <Data>67b11b99-0415-4be5-bdb4-388c7e0f632e</Data>
    <Data>
    </Data>
    <Data>
    </Data>
  </EventData>
</Event>

In all 3 cases deinstallation of avast solved the issue and after the reboot of the Hypver-V Server all VMs started...

[Paul321]

I have the exact same issue with Server 2016 and Hyper-V. It just started to happen and removing Avast is the answer but not the fix

[Matthew229]

Same issue here, can't start VMs on Hyper-V 2016 servers. Anyone had a response from Avast?

[Daniel2186]

Hello All,

I am replying as a senior technical engineer with the SMB support.

The issue is currently with the dev team.

It appears that vmwp.exe is currently being flagged and blocked without a pop up.
As a precaution the .exe can be excluded from being scanned by all shields.

Once we have an update, we will let you know.

[Infratech Solutions]

It appears that vmwp.exe is currently being flagged and blocked without a pop up.

Is it possible that in other .exe we have the same behavior (blocked without a pop up)?

[Tom610]

I strongly recommend this: https://learn.microsoft.com/en-us/troubleshoot/windows-server/virtualization/antivirus-exclusions-for-hyper-v-hosts