Other symptoms of the error
The error also appeared in the system event log as an Event
ID: 26 as shown here:
When faced with a stuck system, many people fall back on a
system restore as a quick fix. And while that often fixes the
problem especially if it was caused by a bad update, sometimes
it doesn't. Or it could leave your system vulnerable to malware
when the security hole that was plugged by the update is now an
easy mark for hackers to exploit.
The better path is to diagnose what is wrong... and for that I'm
going to turn to the program Process Monitor from Sysinternas.
Diagnosing the problem
This was a little bit of a chicken and the egg problem. In
order to diagnose what is wrong, I had to be able to run
programs on the impacted system while it was not operating
properly. However, since the system wasn't operating properly I
couldn't easily run various programs on it.
From task manager, it turns out you could run explorer.exe if you
navigated to it via the browse button and right clicked, Run As
Administrator. Same with running cmd.exe, so now I could run my 2nd
favorite general diagnostic tool - Process Monitor from Sysinternals.
With that running, I made the error happen and captured the results.
You can see the errant line highlighted and expanded here:
That isn't an eye chart - click on any of the smaller
pictures to see them full-size in all their glory.
When I tried to run explorer.exe from task manager it errored out
with access denied - which is what 0xC0000022 actually means if
translated from geek to semi-geek. So GdiPlus.dll is a file that was
updated for some security vulnerability or something else and when the
update was applied it was done with the wrong permissions ... a normal
user can't run it, so any program that a normal user runs that requires
that .DLL file also won't run as it will get an ACCESS DENIED error.
Unfortunately, the desktop is one of those programs that needs that
So what exactly are the permissions on that file as installed by the
This shows the permissions on the file when things are horked up - NT
AUTHORITY\SYSTEM has Full access, BUILTIN\Administrators has Full
access, and nobody else has any access. To comapre, the versions of
GDIPlus that were installed in November's updates had these permissions:
Note: This is on a stand-alone non domain joined system - your
mileage may vary. I looked at a system that was domain joined and the
file had the same permissions ... but again, your company and computer
might be different for some reason.
This shows permissions as NT SERVICE\TrustedInstaller - full, and the
rest (NT Authority\System, BUILTIN\Administrators, BUILTIN\Users) have
After fixing the first GdiPlus.dll permissions (the one that kept Explorer from working
and the system booting to a black screen with a mouse pointer and
nothing else), the desktop appeared but there were still problems. Office
didn't run, nor did many other programs. Following a similar diagnostic
process with Process Monitor lead to other files that also had their
permissions horked up. Here I'm trying to run Microsoft Expression Web
and it errored out on a different flavor of GdiPlus.dll:
Enough geeky stuff, SHOW ME THE FIX ALREADY!
This shows the 4 directories, each with their own GdiPlus.dll
with bad permissions caused by the update, all were installed on
my system 3/16/2017:
Those directories are (friendly text here so you can copy / paste if
you are rolling your own):
Inside each is a GdiPlus.DLL - you have to go into each directory,
use cacls to see the permissions and verify they are screwed up, then
set them with the following command:
cacls GdiPlus.dll /G "NT SERVICE\TrustedInstaller:F" "NT
AUTHORITY\SYSTEM:R" "BUILTIN\Administrators:R" "BUILTIN\Users:R"
(All of that is on one line - it might have wrapped on your screen.
Yes, I know you don't need quotes around everything, but spaces mess
things up so I'm in the habit of typing the quotes).
** This was for my stand-alone not domain joined computer! Your
permissions might be different depending on your environment! That is
why I showed you the permissions in another directory that wasn't horked
So the manual fix is to CD into each of those 4 directories and type
that cacls command. You can do this by booting into safe mode (which
worked on my system just fine) or from a booted system that has the
problem but you were manually able to run the cmd prompt as an
administrator, or numerous other methods.
If everything above read like stereo instructions (reference
to the movie Beetlejuice) and you want, for a few dollars I can
possibly assist remotely. You'll find contact information on the
'Contact Us' page, look at the menu top-left of this article.
If you found this helpful or not, please send me a brief email -- one
line will more than do. Or more! I love hearing tidbits from users I've
helped. Maybe share a line of what you searched for or how you found
I can be reached at:
das (at-sign) dascomputerconsultants (dot) com
Copyright (C) 2017 DAS Computer Consultants, LTD. All rights