Since we upgrades our UF to v7.2.9, we are seeing lots of application crash errors in the application event log on our hosts. This is happening on large volumes of hosts. Initially I thought it may be a specific counter, but it occurs when the Splunk-Perfmon.exe process is running, even if no perfmon collection is occurring. I don't see any errors in Splunk itself and the Splunk-Perfmon process itself keeps running and sending data. Looking into these errors, there seems to be some suggestion this is related to "data execution prevention" which is blocking Splunk trying to run code in data memory (error include code c0000005 which is an access denied error) , but I have not been able to confirm this. servers previously running v6 did not show this error, only when upgraded did the error start to appear.

example error below

SourceName=Windows Error Reporting
EventCode=1001
EventType=4
Type=Information
ComputerName=xxxxxxxxxxxx
TaskCategory=The operation completed successfully.
OpCode=Info
RecordNumber=230239
Keywords=Classic
Message=Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: splunk-perfmon.exe
P2: 1794.2305.24028.63924
P3: 5ddcfc22
P4: splunk-perfmon.exe
P5: 1794.2305.24028.63924
P6: 5ddcfc22
P7: c0000005
P8: 00000000005bc5d8
P9:
P10:

Attached files:

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_splunk-perfmon.e_2f9ed6fb118b57ac0e734f67ff573c73ad1654a_64da0b14_48835327