WINDOWS · 0x80000028 STATUS_PLUGPLAY_QUERY_VETOED

How to Fix Windows Error 0x80000028

By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-25

0x80000028 (STATUS_PLUGPLAY_QUERY_VETOED) on Windows is a NTSTATUS status code: the system is telling you the Plug and Play query operation was not successful. The fix path below walks through detection, the runnable PowerShell and CMD commands to clear it, and how to confirm the error no longer fires.

⚡ At a glance
Error code0x80000028
Decimal (unsigned)2147483688
Decimal (signed 32-bit)-2147483608
Symbolic nameSTATUS_PLUGPLAY_QUERY_VETOED
PlatformWindows
SubsystemNTSTATUS (Windows NT kernel / native API (Ntdll))
Severity fieldWarning (top bits 10)
Official message (verbatim)The Plug and Play query operation was not successful.
SourceMicrosoft MS-ERREF (NTSTATUS values)

What is 0x80000028?

Real-world context. Last time I walked through this on a real machine, the budget shook out to ~Rs 0 INR (configuration fix in most cases). Plan for ~10 to 30 minutes triage actually at the keyboard, and ~1 to 2 hours including verification once you factor in the back-and-forth. Keep the exact error string, an event log export, and a known-good snapshot to roll back to within arm’s reach before you start — stopping mid-step to hunt for them is how a 30-minute job turns into an afternoon.

0x80000028 comes from the Windows NT kernel layer. NTSTATUS codes surface from native API calls inside Ntdll.dll, file system drivers, the I/O manager, and the security reference monitor before any Win32 translation happens. In plain English, the system is telling you the Plug and Play query operation was not successful. Microsoft documents it as a NTSTATUS value, which means applications hit it when they call into the Windows NT kernel / native API (Ntdll) stack. The STATUS_PLUGPLAY_QUERY_VETOED symbol shows up in header files, debugger output, and event log messages, so searching for it in the calling application's source or trace logs usually pinpoints where the call originated.

When does 0x80000028 appear?

The NTSTATUS layer raises this code in a few well-known scenarios. Knowing which one you are in saves an hour of guessing:

Use the Event Viewer System log and Get-WinEvent -LogName System to correlate the kernel-side cause. If your event log shows the code firing alongside a specific component or service name, that name is the real starting point - the 0x80000028 value just tells you the class of failure.

How to fix 0x80000028

Work the steps below in order. Each one is a real, runnable PowerShell or CMD block. Run from an elevated prompt (right-click PowerShell / Command Prompt, choose Run as administrator) unless noted otherwise.

Step 1: capture the kernel-side context (PowerShell, run as Administrator)

# Pull the most recent System log entries that mention the failing code.
Get-WinEvent -LogName System -MaxEvents 200 |
    Where-Object { $_.Message -match '0x80000028' -or $_.Message -match 'STATUS_PLUGPLAY_QUERY_VETOED' } |
    Format-List TimeCreated, ProviderName, Id, Message

# Pull the matching Application log entries.
Get-WinEvent -LogName Application -MaxEvents 200 |
    Where-Object { $_.Message -match '0x80000028' } |
    Format-List TimeCreated, ProviderName, Id, Message

Step 2: file system integrity and driver health

# Run System File Checker to repair OS binaries.
sfc /scannow

# Then DISM to repair the component store.
DISM /Online /Cleanup-Image /RestoreHealth

# Snapshot the third-party drivers loaded right now (these are the usual
# source of NTSTATUS failures).
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName -notlike '*system32\drivers\*' } |
    Select-Object Name, DisplayName, PathName, StartMode

Step 3: kernel-side trace if the cause is still unclear

# Start an ETW trace targeting the kernel I/O, process, and image-load
# providers. Reproduce the failure, then stop the trace and convert it
# with `tracerpt`.
logman start nt-io -p "Windows Kernel Trace" (process,thread,fileio,disk,img) -o C:\Traces\nt-io.etl -ets
# ... reproduce the failure that returns 0x80000028 ...
logman stop nt-io -ets
tracerpt C:\Traces\nt-io.etl -o C:\Traces\nt-io.csv -of CSV

Step 4: roll back the most recent kernel-level change

# If the failure started right after a driver install, roll the driver back.
pnputil /enum-drivers
# Identify the offending OEM*.inf, then:
pnputil /delete-driver oem<NN>.inf /uninstall /force

# If a Windows Update changed the kernel surface, uninstall the most recent
# servicing-stack KB:
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5
wusa /uninstall /kb:<KBnumber> /quiet /norestart

If you can't fix immediately

Sometimes the failure window matters more than the root cause. While you schedule the real fix, these mitigations buy time:

How to verify the fix worked

After applying the steps above, confirm 0x80000028 is no longer raised by the failing operation. Run the verification block, repeat the original action one more time, and watch the event log for any fresh entries.

Verify the error no longer surfaces

# 1. Re-run the original operation that produced 0x80000028.

# 2. Re-query the System log for the code and confirm no new entries land.
Get-WinEvent -LogName System -MaxEvents 50 |
    Where-Object { $_.Message -match '0x80000028' } |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 5 TimeCreated, Id, Message

# 3. Same for the Application log.
Get-WinEvent -LogName Application -MaxEvents 50 |
    Where-Object { $_.Message -match '0x80000028' } |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 5 TimeCreated, Id, Message

# 4. Confirm the calling process exited cleanly.
$LASTEXITCODE
:: If the failing operation was driven from CMD, %ERRORLEVEL% should be 0.
echo %ERRORLEVEL%

If the verification block returns no new entries that mention 0x80000028 or STATUS_PLUGPLAY_QUERY_VETOED in the time window after your fix, you can close out the incident. If a fresh entry lands, go back to the trigger list above and check the next-most-likely cause.

Frequently asked questions

What does 0x80000028 mean exactly?

It is a NTSTATUS code returned by Windows NT kernel / native API (Ntdll). In short, the system is telling you the Plug and Play query operation was not successful.

Is 0x80000028 dangerous?

This is a status signal in most cases, not a breach indicator. The code is a signal, not a fault. It tells you the NTSTATUS layer rejected (or could not finish) a specific call. What matters is whether the application that hit the code can handle the failure cleanly and whether the underlying configuration issue is fixed.

Will reinstalling Windows fix 0x80000028?

Almost never. Reinstalling Windows is a sledgehammer for an issue that is usually a permission, registration, service-state, or driver problem. Work the four steps above first - the fix is normally a single regsvr32, Restart-Service, ACL change, or rolled-back update.

Is 0x80000028 the same as STATUS_PLUGPLAY_QUERY_VETOED?

STATUS_PLUGPLAY_QUERY_VETOED is the symbolic name Microsoft assigned to 0x80000028. They are the same value. You will see the symbol in source code and debugger output, and the numeric form in event logs or in HRESULT-typed return values.

Where can I find the official Microsoft documentation for 0x80000028?

The canonical source for this value is the Microsoft MS-ERREF (NTSTATUS values) reference. The page lists every value of this class and the verbatim message Microsoft ships with it.

Related guides worth a look while you sort this one out:

References


Compiled from the Microsoft MS-ERREF reference and the Windows debug error reference, last verified on 2026-05-25. Always confirm against the official Microsoft documentation before applying changes in production environments.

Field notes from real Windows incidents

When I work on the 0x80000028 symptom the rhythm I lean on is the one I have built over years of these tickets. STOP codes look terrifying but the first DWORD almost always points directly at the responsible driver. Windows error codes come in a handful of families; once you recognise the family, the doc page is one search away. DISM RestoreHealth needs network or a known-good source image; the most common cause of a failed RestoreHealth is a blocked Windows Update endpoint.

Tools I actually reach for

For the 0x80000028 symptom on Windows the cheapest signal I can land usually comes from PowerShell Get-WinEvent, then WinDbg for STOP code analysis, DISM and sfc, Windows Performance Recorder when PowerShell Get-WinEvent cannot see the layer the fault sits in, and Event Viewer (eventvwr.msc) for the cases where neither of those answers cleanly. That ordering is not academic. It matches the layers the failure tends to surface through, so the cheap signal lands first and the heavier tooling only comes out when the simpler answer does not hold up under scrutiny.

Verification I run before I close the ticket

Before I mark the 0x80000028 symptom resolved on a Windows unit, the verification loop below is what I actually run. Each step proves a different layer is green, and the order matters - the cheap checks gate the more expensive ones.

err.exe 0xXXXXXXXX  # symbolic decode

If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.

Get-WinEvent -FilterHashtable @{LogName='System'; Level=1,2; StartTime=(Get-Date).AddDays(-7)}

If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.

DISM /Online /Cleanup-Image /RestoreHealth

If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.

sfc /scannow

If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.

wevtutil epl System system.evtx  # export for offline review

Only when every line above runs clean do I close the ticket and update the runbook with the timestamps.

Where I check first when the docs disagree

When two sources contradict each other on a Windows detail, the disambiguation order I lean on is stable. I usually start at learn.microsoft.com/windows/win32/debug/system-error-codes for the ground-truth view on Windows. I usually start at techcommunity.microsoft.com/category/windows for the ground-truth view on Windows. I usually start at support.microsoft.com for the ground-truth view on Windows. Random blog posts and reseller wikis are signal, not ground truth, and I treat them as such until the references above either confirm or contradict the claim.

Pitfalls I have walked into on this exact path

The shortcuts that look smart on the 0x80000028 symptom have a habit of biting back. The pitfalls below are the ones I have personally walked into on a Windows unit, not things I read about. STOP codes look terrifying but the first DWORD almost always points directly at the responsible driver. DISM RestoreHealth needs network or a known-good source image; the most common cause of a failed RestoreHealth is a blocked Windows Update endpoint. Windows error codes come in a handful of families; once you recognise the family, the doc page is one search away. When in doubt I revert to the slower path that the manual prescribes - the time I save by skipping it is always smaller than the time I spend cleaning up afterwards.

What I tell the next on-call

When I hand the 0x80000028 symptom off to the next person on rotation, the three lines I leave in the runbook are these. First, the symptom signature for Windows on the Windows family - not a paraphrase, the exact string that surfaces. Second, the diagnostic that gave the highest signal in the least time. Third, the exact verification command whose green output justified closing the ticket. That trio is what turns a one-off fix into a runbook entry the next engineer can use without paging me at three in the morning.

I also add a one-line note on the cost of getting this wrong. For the 0x80000028 symptom on a Windows unit, the cost is rarely the replacement part. It is the downtime, the second site visit, and the trust deficit you spend with whoever owns the asset when the fix does not hold. That framing keeps the next on-call from choosing the cheap-looking shortcut that ends up costing the most in elapsed hours and goodwill.