How to Fix Windows Error 0x00090313
By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-25
0x00090313 (SEC_I_COMPLETE_NEEDED) on Windows is a Security Support Provider (SSPI) status code: the system is telling you the function completed successfully, but CompleteToken must be called. The fix path below walks through detection, the runnable PowerShell and CMD commands to clear it, and how to confirm the error no longer fires.
| Error code | 0x00090313 |
|---|---|
| Decimal (unsigned) | 590611 |
| Symbolic name | SEC_I_COMPLETE_NEEDED |
| Platform | Windows |
| Subsystem | Security Support Provider (SSPI) (Security Support Provider Interface) |
| Severity field | Success (top bits 00) |
| Official message (verbatim) | The function completed successfully, but CompleteToken must be called. |
| Source | Microsoft MS-ERREF (HRESULT values) |
What is 0x00090313?
0x00090313 is raised by SSPI - the Windows authentication layer that wraps Kerberos, NTLM, Schannel, and Negotiate. These status codes are usually informational, signalling that the security context needs another round-trip or that the caller must take a follow-up action. In plain English, the system is telling you the function completed successfully, but CompleteToken must be called. Microsoft documents it as a Security Support Provider (SSPI) value, which means applications hit it when they call into the Security Support Provider Interface stack. The SEC_I_COMPLETE_NEEDED symbol shows up in header files, debugger output, and event log messages, so searching for it in the calling application's source or trace logs usually pinpoints where the call originated.
When does 0x00090313 appear?
The Security Support Provider (SSPI) layer raises this code in a few well-known scenarios. Knowing which one you are in saves an hour of guessing:
- Kerberos or NTLM negotiation requires another round of token exchange.
- Schannel TLS handshake is in progress and needs continuation.
- An lsa mode security context expired and must be renegotiated.
- Credentials are incomplete and the caller must supply more material.
Enable SSPI/Schannel ETW tracing with logman to capture the full handshake and find the failing step. If your event log shows the code firing alongside a specific component or service name, that name is the real starting point - the 0x00090313 value just tells you the class of failure.
How to fix 0x00090313
Work the steps below in order. Each one is a real, runnable PowerShell or CMD block. Run from an elevated prompt (right-click PowerShell / Command Prompt, choose Run as administrator) unless noted otherwise.
Step 1: capture the failing SSPI / Schannel handshake
:: Start a Schannel + Negotiate ETW trace, reproduce the failure, then stop.
logman create trace SChannel -ow -o C:\Traces\sspi.etl -p {37D2C3CD-C5D4-4587-8531-4696C44244C8} 0xFFFFFFFF 0xff -nb 16 16 -bs 1024 -mode Circular -f bincirc -max 4096 -ets
:: ... reproduce the failing operation ...
logman stop SChannel -ets
Step 2: refresh Kerberos tickets
# Purge and re-acquire tickets for the current user / service.
klist purge
klist get host/<target-host>
klist
Step 3: confirm clock skew is below 5 minutes
# Compare local time against the domain controller (Kerberos requires <5min skew).
w32tm /query /status
w32tm /resync /force
Step 4: enable verbose Schannel logging for TLS failures
# Turn on verbose Schannel event logging, reproduce, then turn it back off.
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" -Name "EventLogging" -Value 7 -Type DWord
# Reproduce the failure, then revert.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" -Name "EventLogging" -Value 1 -Type DWord
If you can't fix immediately
Sometimes the failure window matters more than the root cause. While you schedule the real fix, these mitigations buy time:
- Restart the service that owns the failing call. Many
Security Support Provider (SSPI)errors come from a state that resets cleanly on service restart (Restart-Service <name> -Force). - Reboot the host if a kernel-side component is involved. NTSTATUS and driver-related codes often clear after a clean reboot.
- Temporarily lower the calling code's reliance on the failing path (disable the optional feature, fall back to a known-good code path, or queue the work for retry once the underlying fix lands).
- Capture a full repro with Procmon and a matching event log export so the real fix is one trace away when the maintenance window opens.
How to verify the fix worked
After applying the steps above, confirm 0x00090313 is no longer raised by the failing operation. Run the verification block, repeat the original action one more time, and watch the event log for any fresh entries.
Verify the error no longer surfaces
# 1. Re-run the original operation that produced 0x00090313.
# 2. Re-query the System log for the code and confirm no new entries land.
Get-WinEvent -LogName System -MaxEvents 50 |
Where-Object { $_.Message -match '0x00090313' } |
Sort-Object TimeCreated -Descending |
Select-Object -First 5 TimeCreated, Id, Message
# 3. Same for the Application log.
Get-WinEvent -LogName Application -MaxEvents 50 |
Where-Object { $_.Message -match '0x00090313' } |
Sort-Object TimeCreated -Descending |
Select-Object -First 5 TimeCreated, Id, Message
# 4. Confirm the calling process exited cleanly.
$LASTEXITCODE
:: If the failing operation was driven from CMD, %ERRORLEVEL% should be 0.
echo %ERRORLEVEL%
If the verification block returns no new entries that mention 0x00090313 or SEC_I_COMPLETE_NEEDED in the time window after your fix, you can close out the incident. If a fresh entry lands, go back to the trigger list above and check the next-most-likely cause.
Frequently asked questions
What does 0x00090313 mean exactly?
It is a Security Support Provider (SSPI) code returned by Security Support Provider Interface. In short, the system is telling you the function completed successfully, but CompleteToken must be called.
Is 0x00090313 dangerous?
In isolation it is mostly an indicator, not a vulnerability. The code is a signal, not a fault. It tells you the Security Support Provider (SSPI) layer rejected (or could not finish) a specific call. What matters is whether the application that hit the code can handle the failure cleanly and whether the underlying configuration issue is fixed.
Will reinstalling Windows fix 0x00090313?
Almost never. Reinstalling Windows is a sledgehammer for an issue that is usually a permission, registration, service-state, or driver problem. Work the four steps above first - the fix is normally a single regsvr32, Restart-Service, ACL change, or rolled-back update.
Is 0x00090313 the same as SEC_I_COMPLETE_NEEDED?
SEC_I_COMPLETE_NEEDED is the symbolic name Microsoft assigned to 0x00090313. They are the same value. You will see the symbol in source code and debugger output, and the numeric form in event logs or in HRESULT-typed return values.
Where can I find the official Microsoft documentation for 0x00090313?
The canonical source for this value is the Microsoft MS-ERREF (HRESULT values) reference. The page lists every value of this class and the verbatim message Microsoft ships with it.
Related error codes
- How to fix 0x00090312 - SEC_I_CONTINUE_NEEDED
- How to fix 0x00090314 - SEC_I_COMPLETE_AND_CONTINUE
- How to fix 0x00090315 - SEC_I_LOCAL_LOGON
- How to fix 0x00090317 - SEC_I_CONTEXT_EXPIRED
- How to fix 0x00090320 - SEC_I_INCOMPLETE_CREDENTIALS
Related fixes
Related guides worth a look while you sort this one out:
- How to Fix Windows Error 0x0004D00A
- How to Fix Windows Error 0x0004D010
- How to Fix Windows Error 0x0008
- How to Fix Windows Error 0x00080012
- How to Fix Windows Error 0x00080013
- How to Fix Windows Error 0x00090312
References
- Microsoft MS-ERREF (HRESULT values): https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/705fb797-2175-4a90-b5a3-3918024b10b8
- Microsoft Learn - Win32 system error codes: https://learn.microsoft.com/en-us/windows/win32/debug/system-error-codes
- Microsoft MS-ERREF (full Windows error code reference): https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/
- Microsoft Learn - HRESULT structure: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/0642cb2f-2075-4469-918c-4441e69c548a
- Sysinternals Procmon (live trace tool): https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
Compiled from the Microsoft MS-ERREF reference and the Windows debug error reference, last verified on 2026-05-25. Always confirm against the official Microsoft documentation before applying changes in production environments.
Field notes from real Windows incidents
When I work on the 0x00090313 symptom the rhythm I lean on is the one I have built over years of these tickets, not a stack of generic advice. DISM RestoreHealth needs network or a known-good source image; the most common cause of a failed RestoreHealth is a blocked Windows Update endpoint. Reliability Monitor is the single most underused triage surface in Windows — it gives 30 days of crash history without writing a query.
Windows error codes come in a handful of families; once you recognise the family, the doc page is one search away. STOP codes look terrifying but the first DWORD almost always points directly at the responsible driver.
Tools I actually reach for
For the 0x00090313 symptom on Windows the cheapest signal I can land usually comes from Event Viewer (eventvwr.msc), then WinDbg for STOP code analysis, Reliability Monitor (perfmon /rel), Process Monitor (procmon) when Event Viewer (eventvwr.msc) cannot see the layer the fault sits in, and Windows Performance Recorder for the cases where neither of those answers cleanly. That ordering is not academic. It matches the layers the failure tends to surface through, so the cheap signal lands first and the heavier tooling only comes out when the simpler answer does not hold up under scrutiny.
Verification I run before I close the ticket
Before I mark the 0x00090313 symptom resolved on a Windows unit, the verification loop below is what I actually run. Each step proves a different layer is green, and the order matters - the cheap checks gate the more expensive ones.
DISM /Online /Cleanup-Image /RestoreHealthIf that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.
sfc /scannowIf that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.
wevtutil epl System system.evtx # export for offline reviewIf that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.
Get-WinEvent -FilterHashtable @{LogName='System'; Level=1,2; StartTime=(Get-Date).AddDays(-7)}If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.
err.exe 0xXXXXXXXX # symbolic decodeOnly when every line above runs clean do I close the ticket and update the runbook with the timestamps.
Where I check first when the docs disagree
When two sources contradict each other on a Windows detail, the disambiguation order I lean on is stable. I usually start at techcommunity.microsoft.com/category/windows for the ground-truth view on Windows. I usually start at github.com/microsoft/Windows-Driver-Frameworks for the ground-truth view on Windows. I usually start at support.microsoft.com for the ground-truth view on Windows. Random blog posts and reseller wikis are signal, not ground truth, and I treat them as such until the references above either confirm or contradict the claim.
Pitfalls I have walked into on this exact path
The shortcuts that look smart on the 0x00090313 symptom have a habit of biting back. The pitfalls below are the ones I have personally walked into on a Windows unit, not things I read about. STOP codes look terrifying but the first DWORD almost always points directly at the responsible driver. Windows error codes come in a handful of families; once you recognise the family, the doc page is one search away. When in doubt I revert to the slower path that the manual prescribes - the time I save by skipping it is always smaller than the time I spend cleaning up afterwards.
What I tell the next on-call
When I hand the 0x00090313 symptom off to the next person on rotation, the three lines I leave in the runbook are these. First, the symptom signature for Windows on the Windows family - not a paraphrase, the exact string that surfaces. Second, the diagnostic that gave the highest signal in the least time. Third, the exact verification command whose green output justified closing the ticket. That trio is what turns a one-off fix into a runbook entry the next engineer can use without paging me at three in the morning.
I also add a one-line note on the cost of getting this wrong. For the 0x00090313 symptom on a Windows unit, the cost is rarely the replacement part. It is the downtime, the second site visit, and the trust deficit you spend with whoever owns the asset when the fix does not hold. That framing keeps the next on-call from choosing the cheap-looking shortcut that ends up costing the most in elapsed hours and goodwill.