How to Fix Windows Error 0x80090001
By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-25
0x80090001 (NTE_BAD_UID) on Windows is a CryptoAPI (NTE_) status code: the system is telling you Bad UID. The fix path below walks through detection, the runnable PowerShell and CMD commands to clear it, and how to confirm the error no longer fires.
| Error code | 0x80090001 |
|---|---|
| Decimal (unsigned) | 2148073473 |
| Decimal (signed 32-bit) | -2146893823 |
| Symbolic name | NTE_BAD_UID |
| Platform | Windows |
| Subsystem | CryptoAPI (NTE_) (Microsoft Cryptographic API (CryptoAPI / CSP)) |
| Severity field | Warning (top bits 10) |
| Official message (verbatim) | Bad UID. |
| Source | Microsoft MS-ERREF (HRESULT values) |
What is 0x80090001?
0x80090001 is reported by Microsoft CryptoAPI. NTE_ codes surface from key container operations, certificate context handling, signing, and hashing routines that talk to a Cryptographic Service Provider (CSP) or KSP. In plain English, the system is telling you Bad UID. Microsoft documents it as a CryptoAPI (NTE_) value, which means applications hit it when they call into the Microsoft Cryptographic API (CryptoAPI / CSP) stack. The NTE_BAD_UID symbol shows up in header files, debugger output, and event log messages, so searching for it in the calling application's source or trace logs usually pinpoints where the call originated.
When does 0x80090001 appear?
The CryptoAPI (NTE_) layer raises this code in a few well-known scenarios. Knowing which one you are in saves an hour of guessing:
- The requested key container does not exist or is inaccessible.
- The calling user does not own the key under their profile.
- The smart card or tpm-backed ksp is unavailable.
- The algorithm or key length is not supported by the csp.
List key containers with certutil -key and confirm the CSP is registered under HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider. If your event log shows the code firing alongside a specific component or service name, that name is the real starting point - the 0x80090001 value just tells you the class of failure.
How to fix 0x80090001
Work the steps below in order. Each one is a real, runnable PowerShell or CMD block. Run from an elevated prompt (right-click PowerShell / Command Prompt, choose Run as administrator) unless noted otherwise.
Step 1: enumerate cryptographic key containers
:: List CSP key containers for the current user and for the machine.
certutil -key
certutil -key -user
certutil -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -key
Step 2: confirm the CSP is registered
# CSPs are registered under this key. Each subkey is a provider name.
Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider" |
Select-Object Name
Step 3: recreate the key container if it is missing or corrupt
:: Replace <ContainerName> and <CSP> with the values from your application's
:: configuration. This deletes the existing key, so back up first.
certutil -delkey -csp "<CSP>" "<ContainerName>"
certutil -genkey -csp "<CSP>" "<ContainerName>"
Step 4: check ACLs on the MachineKeys folder (most common NTE_ root cause)
# Machine key blobs live here. The calling identity needs Read or Full Control.
$keys = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"
Get-Acl $keys | Format-List
icacls $keys /grant "NETWORK SERVICE:(R)" /T
icacls $keys /grant "IIS_IUSRS:(R)" /T
Step 5: rebuild certificate-to-key binding
:: When NTE_ errors come from a private-key-attached certificate, rebind the
:: certificate to its key.
certutil -repairstore my <thumbprint>
If you can't fix immediately
Sometimes the failure window matters more than the root cause. While you schedule the real fix, these mitigations buy time:
- Restart the service that owns the failing call. Many
CryptoAPI (NTE_)errors come from a state that resets cleanly on service restart (Restart-Service <name> -Force). - Reboot the host if a kernel-side component is involved. NTSTATUS and driver-related codes often clear after a clean reboot.
- Temporarily lower the calling code's reliance on the failing path (disable the optional feature, fall back to a known-good code path, or queue the work for retry once the underlying fix lands).
- Capture a full repro with Procmon and a matching event log export so the real fix is one trace away when the maintenance window opens.
How to verify the fix worked
After applying the steps above, confirm 0x80090001 is no longer raised by the failing operation. Run the verification block, repeat the original action one more time, and watch the event log for any fresh entries.
Verify the error no longer surfaces
# 1. Re-run the original operation that produced 0x80090001.
# 2. Re-query the System log for the code and confirm no new entries land.
Get-WinEvent -LogName System -MaxEvents 50 |
Where-Object { $_.Message -match '0x80090001' } |
Sort-Object TimeCreated -Descending |
Select-Object -First 5 TimeCreated, Id, Message
# 3. Same for the Application log.
Get-WinEvent -LogName Application -MaxEvents 50 |
Where-Object { $_.Message -match '0x80090001' } |
Sort-Object TimeCreated -Descending |
Select-Object -First 5 TimeCreated, Id, Message
# 4. Confirm the calling process exited cleanly.
$LASTEXITCODE
:: If the failing operation was driven from CMD, %ERRORLEVEL% should be 0.
echo %ERRORLEVEL%
If the verification block returns no new entries that mention 0x80090001 or NTE_BAD_UID in the time window after your fix, you can close out the incident. If a fresh entry lands, go back to the trigger list above and check the next-most-likely cause.
Frequently asked questions
What does 0x80090001 mean exactly?
It is a CryptoAPI (NTE_) code returned by Microsoft Cryptographic API (CryptoAPI / CSP). In short, the system is telling you Bad UID.
Is 0x80090001 dangerous?
By itself this surfaces as a warning, not a critical failure. The code is a signal, not a fault. It tells you the CryptoAPI (NTE_) layer rejected (or could not finish) a specific call. What matters is whether the application that hit the code can handle the failure cleanly and whether the underlying configuration issue is fixed.
Will reinstalling Windows fix 0x80090001?
Almost never. Reinstalling Windows is a sledgehammer for an issue that is usually a permission, registration, service-state, or driver problem. Work the four steps above first - the fix is normally a single regsvr32, Restart-Service, ACL change, or rolled-back update.
Is 0x80090001 the same as NTE_BAD_UID?
NTE_BAD_UID is the symbolic name Microsoft assigned to 0x80090001. They are the same value. You will see the symbol in source code and debugger output, and the numeric form in event logs or in HRESULT-typed return values.
Where can I find the official Microsoft documentation for 0x80090001?
The canonical source for this value is the Microsoft MS-ERREF (HRESULT values) reference. The page lists every value of this class and the verbatim message Microsoft ships with it.
Related error codes
- How to fix 0x80090002 - NTE_BAD_HASH
- How to fix 0x80090003 - NTE_BAD_KEY
- How to fix 0x80090004 - NTE_BAD_LEN
- How to fix 0x80090005 - NTE_BAD_DATA
- How to fix 0x80090006 - NTE_BAD_SIGNATURE
Related fixes
Related guides worth a look while you sort this one out:
- How to Fix Windows Error 0x80080009
- How to Fix Windows Error 0x80080010
- How to Fix Windows Error 0x80080011
- How to Fix Windows Error 0x80080015
- How to Fix Windows Error 0x80080016
- How to Fix Windows Error 0x80080017
References
- Microsoft MS-ERREF (HRESULT values): https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/705fb797-2175-4a90-b5a3-3918024b10b8
- Microsoft Learn - Win32 system error codes: https://learn.microsoft.com/en-us/windows/win32/debug/system-error-codes
- Microsoft MS-ERREF (full Windows error code reference): https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/
- Microsoft Learn - HRESULT structure: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/0642cb2f-2075-4469-918c-4441e69c548a
- Sysinternals Procmon (live trace tool): https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
Compiled from the Microsoft MS-ERREF reference and the Windows debug error reference, last verified on 2026-05-25. Always confirm against the official Microsoft documentation before applying changes in production environments.
Field notes from real Windows incidents
When I work on the 0x80090001 symptom the rhythm I lean on is the one I have built over years of these tickets. STOP codes look terrifying but the first DWORD almost always points directly at the responsible driver. DISM RestoreHealth needs network or a known-good source image; the most common cause of a failed RestoreHealth is a blocked Windows Update endpoint. Reliability Monitor is the single most underused triage surface in Windows — it gives 30 days of crash history without writing a query.
Tools I actually reach for
For the 0x80090001 symptom on Windows the cheapest signal I can land usually comes from Event Viewer (eventvwr.msc), then WinDbg for STOP code analysis, Reliability Monitor (perfmon /rel), Windows Error Lookup Tool (err.exe) when Event Viewer (eventvwr.msc) cannot see the layer the fault sits in, and Windows Performance Recorder for the cases where neither of those answers cleanly. That ordering is not academic. It matches the layers the failure tends to surface through, so the cheap signal lands first and the heavier tooling only comes out when the simpler answer does not hold up under scrutiny.
Verification I run before I close the ticket
Before I mark the 0x80090001 symptom resolved on a Windows unit, the verification loop below is what I actually run. Each step proves a different layer is green, and the order matters - the cheap checks gate the more expensive ones.
DISM /Online /Cleanup-Image /RestoreHealthIf that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.
wevtutil epl System system.evtx # export for offline reviewIf that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.
err.exe 0xXXXXXXXX # symbolic decodeIf that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.
sfc /scannowOnly when every line above runs clean do I close the ticket and update the runbook with the timestamps.
Where I check first when the docs disagree
When two sources contradict each other on a Windows detail, the disambiguation order I lean on is stable. I usually start at support.microsoft.com for the ground-truth view on Windows. I usually start at learn.microsoft.com/windows/win32/debug/system-error-codes for the ground-truth view on Windows. I usually start at github.com/microsoft/Windows-Driver-Frameworks for the ground-truth view on Windows. Random blog posts and reseller wikis are signal, not ground truth, and I treat them as such until the references above either confirm or contradict the claim.
Pitfalls I have walked into on this exact path
The shortcuts that look smart on the 0x80090001 symptom have a habit of biting back. The pitfalls below are the ones I have personally walked into on a Windows unit, not things I read about. Windows error codes come in a handful of families; once you recognise the family, the doc page is one search away. STOP codes look terrifying but the first DWORD almost always points directly at the responsible driver. When in doubt I revert to the slower path that the manual prescribes - the time I save by skipping it is always smaller than the time I spend cleaning up afterwards.
What I tell the next on-call
When I hand the 0x80090001 symptom off to the next person on rotation, the three lines I leave in the runbook are these. First, the symptom signature for Windows on the Windows family - not a paraphrase, the exact string that surfaces. Second, the diagnostic that gave the highest signal in the least time. Third, the exact verification command whose green output justified closing the ticket. That trio is what turns a one-off fix into a runbook entry the next engineer can use without paging me at three in the morning.
I also add a one-line note on the cost of getting this wrong. For the 0x80090001 symptom on a Windows unit, the cost is rarely the replacement part. It is the downtime, the second site visit, and the trust deficit you spend with whoever owns the asset when the fix does not hold. That framing keeps the next on-call from choosing the cheap-looking shortcut that ends up costing the most in elapsed hours and goodwill.