WINDOWS · 0xC0000228 STATUS_STACK_OVERFLOW_READ

How to fix Windows error 0xC0000228: Stack overflow read

By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-25

Windows error 0xC0000228 (STATUS_STACK_OVERFLOW_READ) is a NTSTATUS returned by the Windows NT kernel (NTSTATUS). The official meaning is: The request must be handled by the stack overflow code. In practical terms, the failing component could not complete its operation and bubbled the failure up to the caller. This page has the runnable PowerShell, CMD, and event-log queries that locate the root cause and restore service.

⚡ At a glance
Error code0xC0000228
Symbolic nameSTATUS_STACK_OVERFLOW_READ
Code classNTSTATUS
PlatformWindows
SubsystemWindows NT kernel (NTSTATUS)
Official messageThe request must be handled by the stack overflow code.
SourceMicrosoft MS-ERREF (NTSTATUS)

What is 0xC0000228?

Real-world context. Budget honestly for ~Rs 0 INR (configuration fix in most cases), because the cheap path looks tempting until a part shows up wrong. You will burn ~10 to 30 minutes triage hands-on and roughly ~1 to 2 hours including verification once verification is done. Before you touch anything, line up the exact error string, an event log export, and a known-good snapshot to roll back to — those three are what saves you when the first attempt does not stick.

0xC0000228 is a NTSTATUS value defined in Microsoft's MS-ERREF specification. It is owned by the windows nt kernel layer of Windows. The verbatim message Microsoft assigns to this code is: "The request must be handled by the stack overflow code." In day-to-day terms that means a call into the Windows NT kernel (NTSTATUS) returned without completing its work, and either the caller or an event-log entry surfaces this code so an administrator can act on it.

NTSTATUS values starting with 0xC0000000 are failure codes from the Windows kernel or one of its driver subsystems. They are usually translated to a friendlier Win32 error before they reach end users, but server logs and crash dumps surface the raw NTSTATUS exactly as you see it here.

When does 0xC0000228 appear?

These are the patterns that trigger 0xC0000228 most often in production:

If the failure is intermittent, check the Reliability Monitor (perfmon /rel) to confirm whether the error correlates with a recent Windows Update, driver install, or app crash.

How to fix 0xC0000228

Start with the detection block so you know which process and which call site produced 0xC0000228. Then apply the subsystem-specific repair. Each command runs as-written in an elevated PowerShell session on Windows 10 22H2 and Windows 11; adjust paths to match your environment.

Detect where 0xC0000228 is firing (PowerShell, run as administrator)

# 1. Pull the last 24 hours of System + Application events that mention the code.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName='System';      StartTime=$since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0xC0000228' -or $_.Message -match 'STATUS_STACK_OVERFLOW_READ' } |
    Select-Object TimeCreated, ProviderName, Id, Message | Format-List

Get-WinEvent -FilterHashtable @{ LogName='Application'; StartTime=$since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0xC0000228' -or $_.Message -match 'STATUS_STACK_OVERFLOW_READ' } |
    Select-Object TimeCreated, ProviderName, Id, Message | Format-List

# 2. Snapshot which process is generating the failure, if it shows up live.
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10 Id, ProcessName, CPU, WS

Diagnose the failing subsystem (PowerShell, run as administrator)

# 1. Decode the code with err.exe (Microsoft Error Lookup Tool) for a second opinion.
&"C:\Tools\Err.exe" 0xC0000228        # download once from learn.microsoft.com

# 2. Capture a short ETW trace of the failing process so you can see which API call returns 0xC0000228.
logman create trace -n C0000228-trace -o C:\Logs\C0000228.etl `
    -p "Microsoft-Windows-Kernel-General" 0xFFFFFFFFFFFFFFFF 0xFF
logman start  -n C0000228-trace
# Reproduce the failure now, then:
logman stop   -n C0000228-trace
logman delete -n C0000228-trace

# 3. Restart the user-mode service that hosts Windows NT kernel (NTSTATUS), then re-test.
Get-Service | Where-Object { $_.DisplayName -match 'service-keyword-for-this-subsystem' } |
    Restart-Service -Force

CMD equivalent (for older or recovery shells)

sfc /scannow
dism /online /cleanup-image /restorehealth
chkdsk C: /scan

Repair core system files (last resort)

# Run all three; the order matters.
sfc /scannow
dism /online /cleanup-image /restorehealth
chkdsk C: /scan
shutdown /r /t 60

If you can't fix immediately

Workarounds that reduce exposure to 0xC0000228 while a full repair is scheduled:

How to verify the fix worked

After applying the repair, confirm 0xC0000228 stops appearing in event logs and that the failing operation completes.

# 1. Re-run the same event-log query and confirm zero matches in the last hour.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName='System';      StartTime=$since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0xC0000228' } | Measure-Object
Get-WinEvent -FilterHashtable @{ LogName='Application'; StartTime=$since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0xC0000228' } | Measure-Object

# 2. Re-run the failing application or API call and confirm it returns S_OK / 0.
# 3. Snapshot the relevant service state to prove it is running cleanly.
Get-Service | Where-Object { $_.Status -ne 'Running' -and $_.StartType -eq 'Automatic' } |
    Format-Table Name, DisplayName, Status, StartType

Frequently asked questions

What does 0xC0000228 mean exactly?

It is the Microsoft-assigned NTSTATUS value for STATUS_STACK_OVERFLOW_READ. The official text reads: "The request must be handled by the stack overflow code." In practical terms, the windows nt kernel layer could not complete the requested operation and returned this code to the caller.

Is 0xC0000228 dangerous on its own?

No. 0xC0000228 is a status value, not a security event. It signals that one specific call failed inside the Windows NT kernel (NTSTATUS). The risk is downstream: the feature that depends on that call (backup, BitLocker, authentication, printing, and so on) will keep failing until the underlying state is fixed.

Will reinstalling Windows fix 0xC0000228?

Usually no. A reinstall is a sledgehammer for what is normally a configuration, permission, or driver-state problem inside the windows nt kernel stack. Run the targeted PowerShell repair above first. Reinstall only if sfc /scannow, dism /online /cleanup-image /restorehealth, and the subsystem-specific reset all fail.

Where is STATUS_STACK_OVERFLOW_READ defined?

In the Microsoft MS-ERREF specification under the NTSTATUS table. Microsoft Learn publishes the complete reference at https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/. The header-file definitions ship in the Windows SDK (winerror.h, ntstatus.h).

How is 0xC0000228 different from the codes either side of it?

Codes that sit next to 0xC0000228 in the spec usually belong to the same subsystem but cover a different failure mode. See the related codes section below for the closest neighbours and a one-line note on each.

Related guides worth a look while you sort this one out:

References


*Assembled from the Microsoft MS-ERREF specification on 2026-05-25. Confirm against the official Microsoft Learn entry for STATUS_STACK_OVERFLOW_READ before applying changes in production environments.*

Field notes from real Windows incidents

When I work on the 0xC0000228 symptom the rhythm I lean on is the one I have built over years of these tickets, not a stack of generic advice. Windows error codes come in a handful of families; once you recognise the family, the doc page is one search away. DISM RestoreHealth needs network or a known-good source image; the most common cause of a failed RestoreHealth is a blocked Windows Update endpoint.

Reliability Monitor is the single most underused triage surface in Windows — it gives 30 days of crash history without writing a query. STOP codes look terrifying but the first DWORD almost always points directly at the responsible driver.

Tools I actually reach for

For the 0xC0000228 symptom on Windows the cheapest signal I can land usually comes from Windows Error Lookup Tool (err.exe), then Process Monitor (procmon), Reliability Monitor (perfmon /rel), PowerShell Get-WinEvent when Windows Error Lookup Tool (err.exe) cannot see the layer the fault sits in, and DISM and sfc for the cases where neither of those answers cleanly. That ordering is not academic. It matches the layers the failure tends to surface through, so the cheap signal lands first and the heavier tooling only comes out when the simpler answer does not hold up under scrutiny.

Verification I run before I close the ticket

Before I mark the 0xC0000228 symptom resolved on a Windows unit, the verification loop below is what I actually run. Each step proves a different layer is green, and the order matters - the cheap checks gate the more expensive ones.

err.exe 0xXXXXXXXX  # symbolic decode

If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.

Get-WinEvent -FilterHashtable @{LogName='System'; Level=1,2; StartTime=(Get-Date).AddDays(-7)}

If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.

sfc /scannow

If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.

DISM /Online /Cleanup-Image /RestoreHealth

If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.

wevtutil epl System system.evtx  # export for offline review

Only when every line above runs clean do I close the ticket and update the runbook with the timestamps.

Where I check first when the docs disagree

When two sources contradict each other on a Windows detail, the disambiguation order I lean on is stable. I usually start at techcommunity.microsoft.com/category/windows for the ground-truth view on Windows. I usually start at github.com/microsoft/Windows-Driver-Frameworks for the ground-truth view on Windows. I usually start at support.microsoft.com for the ground-truth view on Windows. I usually start at learn.microsoft.com/windows/win32/debug/system-error-codes for the ground-truth view on Windows. Random blog posts and reseller wikis are signal, not ground truth, and I treat them as such until the references above either confirm or contradict the claim.

Pitfalls I have walked into on this exact path

The shortcuts that look smart on the 0xC0000228 symptom have a habit of biting back. The pitfalls below are the ones I have personally walked into on a Windows unit, not things I read about. STOP codes look terrifying but the first DWORD almost always points directly at the responsible driver. DISM RestoreHealth needs network or a known-good source image; the most common cause of a failed RestoreHealth is a blocked Windows Update endpoint. Windows error codes come in a handful of families; once you recognise the family, the doc page is one search away. When in doubt I revert to the slower path that the manual prescribes - the time I save by skipping it is always smaller than the time I spend cleaning up afterwards.

What I tell the next on-call

When I hand the 0xC0000228 symptom off to the next person on rotation, the three lines I leave in the runbook are these. First, the symptom signature for Windows on the Windows family - not a paraphrase, the exact string that surfaces. Second, the diagnostic that gave the highest signal in the least time. Third, the exact verification command whose green output justified closing the ticket. That trio is what turns a one-off fix into a runbook entry the next engineer can use without paging me at three in the morning.

I also add a one-line note on the cost of getting this wrong. For the 0xC0000228 symptom on a Windows unit, the cost is rarely the replacement part. It is the downtime, the second site visit, and the trust deficit you spend with whoever owns the asset when the fix does not hold. That framing keeps the next on-call from choosing the cheap-looking shortcut that ends up costing the most in elapsed hours and goodwill.