Event ID 1000 Application Error cmd.exe kernelbase.dll

2

I've come across a reoccurring error in the event logs of my Windows 2012 R2 Hyper-V server. The error event is shown below.

Error 16/12/2020 15:47:31 Application Error 1000 (100)

Faulting application name: CMD.exe, version: 6.3.9600.17415, time stamp:0x545042b1
Faulting module name: KERNELBASE.dll, version: 6.3.9600.19678, time stamp: 0x5e82c88a
Exception code: 0xc0000142
Fault offset: 0x00000000000ecf40
Faulting process id: 0x3290
Faulting application start time: 0x01d6d3c2c2c9aa7d
Faulting application path: C:\Windows\System32\CMD.exe
Faulting module path: KERNELBASE.dll
Report Id: 0164a878-3fb6-11eb-8109-cd63031d6b26
Faulting package full name:
Faulting package-relative application ID:

It appears to be happening at certain times in the afternoon, around 3pm and 4pm. I've checked to see if there are any scheduled tasks that are running at this time but cannot identify any. I've run an SFC scan to see if the kernelbase.dll has become corrupted but the scan returned with no issues.

Has anyone come across this issue before? If so, can you advise what was done to correct it?

windows-server-2012-r2
windows-event-log
windows-command-prompt
asked on Server Fault Dec 17, 2020 by Luke Welden

1 Answer

2

You'd probably want to first find out who is actually executing cmd.exe, which is not included in the event. I would first look into your security event log to see if you have 4688 and 4689 events there. You can then look for the 4688 event that occurred around the same time the Application Error happened (although it's possible that cmd.exe ran for a while before it crashed).

If going through the security event log is too tedious, then you can also install a free trial version of EventSentry which normalizes process activity security events and makes them easier to search through.

The 4688 event may also include the command line arguments if the group policy is configured that way (see the system32 link above); that should help track down what's causing it.

answered on Server Fault Dec 17, 2020 by Lucky Luke
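
The correlation the answer describes, as an added PowerShell example (not part of the original question or answer): it reads the faulting process id and start time from each cmd.exe crash event and finds the Security 4688 event that created that process. It assumes English event message text, that "Audit Process Creation" is enabled, and a 7-day lookback with a 5-second match window chosen for illustration.

```powershell
# Added example: match Application Error 1000 crashes of cmd.exe to the
# Security 4688 (process creation) event for the same process.
# Run elevated on the affected server. Lookback and window are assumed values.
$lookback = (Get-Date).AddDays(-7)

$crashes = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Application Error'
    Id = 1000; StartTime = $lookback
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'application name:\s*cmd\.exe' }

foreach ($crash in $crashes) {
    # Both fields are hexadecimal in the event text (e.g. 0x3290).
    $pidMatch   = [regex]::Match($crash.Message, '(?i)Faulting process id:\s*0x([0-9a-f]+)')
    $startMatch = [regex]::Match($crash.Message, '(?i)application start time:\s*0x([0-9a-f]+)')
    if (-not ($pidMatch.Success -and $startMatch.Success)) { continue }

    $crashPid = [Convert]::ToInt32($pidMatch.Groups[1].Value, 16)
    # The start time is a Windows FILETIME; convert it to local time.
    $started  = [DateTime]::FromFileTime([Convert]::ToInt64($startMatch.Groups[1].Value, 16))

    # Search around the process START time, not the crash time, because
    # cmd.exe may have been running for a while before it faulted.
    $created = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688
        StartTime = $started.AddSeconds(-5); EndTime = $started.AddSeconds(5)
    } -ErrorAction SilentlyContinue

    foreach ($evt in $created) {
        # Flatten the named EventData fields into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ([Convert]::ToInt32($data['NewProcessId'], 16) -ne $crashPid) { continue }

        [pscustomobject]@{
            CrashTime   = $crash.TimeCreated
            Started     = $started
            Account     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            CreatorPid  = [Convert]::ToInt32($data['ProcessId'], 16)
            CommandLine = $data['CommandLine']   # empty unless the policy is enabled
        }
    }
}
```

To name the parent program, look for an earlier 4688 event whose NewProcessId equals the reported CreatorPid.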

User contributions licensed under CC BY-SA 3.0