Soussan DAS Computer Consultants

Our Team
Cool Stuff
KeyholeKeyboardLaptop ComputerComputer Chip

Post Windows Update Error 0xC0000022 Diagnosis

In March 2017 while doing my monthly patching one of my main systems came to a grinding halt. Upon rebooting, the login screen appeared and after entering my user name and password the screen went black and a dialogue box appeared:

explorer.exe application error 0xc0000022

explorer.exe - Application Error. The application was unable to start correctly (0xc0000022). Click OK to close the application.

Upon clicking OK, the black screen remained. I could run task manager with Ctrl-Alt-Del, and the run dialogue box came up ... but none of the programs I ran would start - all would give me a similar dialogue box.

Searching the web showed a whole lot of people with the exact same problem going back many years. System restore was the #1 fix, followed by wiping and re-loading Windows. This has been seen on Windows 7, 8, 8.1, Server 2008, ... so apparently this can happen almost anywhere.

I'm going to first walk you through actually diagnosing what happened, then show you the fix!

Click Here for Press Release


Other symptoms of the error

The error also appeared in the system event log as an Event ID: 26 as shown here:

0xC0000022 Explorer.exe application error

When faced with a stuck system, many people fall back on a system restore as a quick fix. And while that often fixes the problem especially if it was caused by a bad update, sometimes it doesn't. Or it could leave your system vulnerable to malware when the security hole that was plugged by the update is now an easy mark for hackers to exploit.

The better path is to diagnose what is wrong... and for that I'm going to turn to the program Process Monitor from Sysinternas.

Diagnosing the problem

This was a little bit of a chicken and the egg problem. In order to diagnose what is wrong, I had to be able to run programs on the impacted system while it was not operating properly. However, since the system wasn't operating properly I couldn't easily run various programs on it.

From task manager, it turns out you could run explorer.exe if you navigated to it via the browse button and right clicked, Run As Administrator. Same with running cmd.exe, so now I could run my 2nd favorite general diagnostic tool - Process Monitor from Sysinternals.

With that running, I made the error happen and captured the results. You can see the errant line highlighted and expanded here:

That isn't an eye chart - click on any of the smaller pictures to see them full-size in all their glory.

When I tried to run explorer.exe from task manager it errored out with access denied - which is what 0xC0000022 actually means if translated from geek to semi-geek. So GdiPlus.dll is a file that was updated for some security vulnerability or something else and when the update was applied it was done with the wrong permissions ... a normal user can't run it, so any program that a normal user runs that requires that .DLL file also won't run as it will get an ACCESS DENIED error.

Unfortunately, the desktop is one of those programs that needs that file.

So what exactly are the permissions on that file as installed by the update?

This shows the permissions on the file when things are horked up - NT AUTHORITY\SYSTEM has Full access, BUILTIN\Administrators has Full access, and nobody else has any access. To comapre, the versions of GDIPlus that were installed in November's updates had these permissions:

What should GDIPlus.DLL permissions be

Note: This is on a stand-alone non domain joined system - your mileage may vary. I looked at a system that was domain joined and the file had the same permissions ... but again, your company and computer might be different for some reason.

This shows permissions as NT SERVICE\TrustedInstaller - full, and the rest (NT Authority\System, BUILTIN\Administrators, BUILTIN\Users) have Read.

After fixing the first GdiPlus.dll permissions (the one that kept Explorer from working and the system booting to a black screen with a mouse pointer and nothing else), the desktop appeared but there were still problems. Office didn't run, nor did many other programs. Following a similar diagnostic process with Process Monitor lead to other files that also had their permissions horked up. Here I'm trying to run Microsoft Expression Web and it errored out on a different flavor of GdiPlus.dll:

Enough geeky stuff, SHOW ME THE FIX ALREADY!

This shows the 4 directories, each with their own GdiPlus.dll with bad permissions caused by the update, all were installed on my system 3/16/2017:

Those directories are (friendly text here so you can copy / paste if you are rolling your own):

In C:\Windows\winsxs:

Inside each is a GdiPlus.DLL - you have to go into each directory, use cacls to see the permissions and verify they are screwed up, then set them with the following command:

cacls GdiPlus.dll /G "NT SERVICE\TrustedInstaller:F" "NT AUTHORITY\SYSTEM:R" "BUILTIN\Administrators:R" "BUILTIN\Users:R"

(All of that is on one line - it might have wrapped on your screen. Yes, I know you don't need quotes around everything, but spaces mess things up so I'm in the habit of typing the quotes).

** This was for my stand-alone not domain joined computer! Your permissions might be different depending on your environment! That is why I showed you the permissions in another directory that wasn't horked up **

So the manual fix is to CD into each of those 4 directories and type that cacls command. You can do this by booting into safe mode (which worked on my system just fine) or from a booted system that has the problem but you were manually able to run the cmd prompt as an administrator, or numerous other methods.

Shameless Plug

If everything above read like stereo instructions (reference to the movie Beetlejuice) and you want, for a few dollars I can possibly assist remotely. You'll find contact information on the 'Contact Us' page, look at the menu top-left of this article.

If you found this helpful or not, please send me a brief email -- one line will more than do. Or more! I love hearing tidbits from users I've helped. Maybe share a line of what you searched for or how you found this article.

I can be reached at:

das (at-sign) dascomputerconsultants (dot) com

David Soussan

Copyright (C) 2017 DAS Computer Consultants, LTD.  All rights reserved.