WINDOWS · 0xC0000603 STATUS_IMAGE_CERT_REVOKED

How to Fix Windows Error 0xC0000603

By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-25

⚡ At a glance
Error code0xC0000603
Symbolic nameSTATUS_IMAGE_CERT_REVOKED
PlatformWindows
Error classNTSTATUS
Official messageWindows cannot verify the digital signature for this file. The signing certificate for this file has been revoked.
SourceMicrosoft MS-ERREF (NTSTATUS)

What is 0xC0000603?

Real-world context. Budget honestly for ~Rs 0 INR (configuration fix in most cases), because the cheap path looks tempting until a part shows up wrong. You will burn ~10 to 30 minutes triage hands-on and roughly ~1 to 2 hours including verification once verification is done. Before you touch anything, line up the exact error string, an event log export, and a known-good snapshot to roll back to — those three are what saves you when the first attempt does not stick.

0xC0000603 is a Windows NTSTATUS value returned by the kernel or by a driver running in kernel mode. NTSTATUS codes are 32-bit values that the user-mode layer normally converts to a Win32 error before showing it, but tools that call into the native API directly (debuggers, kernel tracers, file-system filter drivers) surface the raw status. In plain English, this code says: image cert revoked. The official reference describes it like this: "Windows cannot verify the digital signature for this file. The signing certificate for this file has been revoked.". That description is the contract; the actual fix depends on which subsystem produced the value, which is what the rest of this guide walks through.

When does 0xC0000603 appear?

The same status code can come from very different code paths. Here are the scenarios I see most often when STATUS_IMAGE_CERT_REVOKED shows up on a real machine:

If your environment matches more than one of these, work the fix steps in order: cheap diagnostics first, system repair second, in-place reinstall as the last resort.

How to fix 0xC0000603

Run an elevated PowerShell prompt (right-click Start, then Windows Terminal (Admin) or PowerShell (Admin)). Each block below is a copy-paste recipe; adapt the placeholders in angle brackets to your environment before running.

Verify the signature on the suspect file (PowerShell, run as administrator)

Get-AuthenticodeSignature 'C:\Path\To\Affected.exe' | Format-List *
sigcheck.exe -accepteula -h -nobanner 'C:\Path\To\Affected.exe'

Run System File Checker and DISM to repair signed binaries in place (PowerShell, run as administrator)

sfc /scannow
DISM /Online /Cleanup-Image /RestoreHealth

Confirm Secure Boot and the kernel signing policy (PowerShell, run as administrator)

Confirm-SecureBootUEFI
Get-CimInstance Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | Format-List SecurityServicesConfigured, SecurityServicesRunning, RequiredSecurityProperties

CMD fallback (run as administrator)

sfc /scannow
dism /online /cleanup-image /restorehealth

Pull the matching event-log entry

$code = '0xC0000603'
Get-WinEvent -LogName System -MaxEvents 1000 | Where-Object { $_.Message -match $code } | Select-Object -First 10 TimeCreated, Id, ProviderName, Message | Format-List
Get-WinEvent -LogName Application -MaxEvents 1000 | Where-Object { $_.Message -match $code } | Select-Object -First 10 TimeCreated, Id, ProviderName, Message | Format-List

Back the registry up before any edit

$stamp = Get-Date -Format yyyyMMdd-HHmm
New-Item -ItemType Directory -Force -Path 'C:\Backup' | Out-Null
reg export 'HKLM\SOFTWARE' "C:\Backup\HKLM-Software-pre-windows-error-0xc0000603-$stamp.reg" /y
reg export 'HKLM\SYSTEM'   "C:\Backup\HKLM-System-pre-windows-error-0xc0000603-$stamp.reg" /y

If you can't fix immediately

Reduce the blast radius until the change window opens: stop the service that raises the error, isolate the host from production traffic, or fall back to a known-good snapshot. A short workaround beats a rushed change on a Friday night.

# Pause the affected service and capture state before changing anything.
Get-Service | Where-Object Status -eq 'Running' | Where-Object Name -match '<service-keyword>' | Stop-Service -Force -PassThru
Get-ScheduledTask | Where-Object State -ne 'Disabled' | Where-Object TaskName -match '<task-keyword>' | Disable-ScheduledTask

How to verify the fix worked

Work through these checks in order. If any one fails, repeat the matching fix step before moving on.

Frequently asked questions

What does 0xC0000603 mean exactly?

The Windows documentation defines it as a ntstatus that signals image cert revoked. In day-to-day terms, it is the operating system telling a calling program that the request cannot complete in the current state. The fix is almost always about restoring the state the caller expected, not about removing the code itself.

Is 0xC0000603 dangerous?

This is a status signal in most cases, not a breach indicator. The status code is a symptom, not the disease. The danger is in what produced it: a corrupted driver, a flaky disk, an exhausted resource, or a permission boundary that is wrong. Read the event-log context around the code before assuming the worst.

Will reinstalling Windows fix it?

Usually no, and it is the wrong first move. A clean install removes the entire configuration that produced the error, which makes it look fixed for a few days while you reinstall apps and drivers. The same condition tends to come back the moment the original workload is restored. Work the fix steps above before you reach for the install media.

What is the difference between 0xC0000603 and the symbolic name STATUS_IMAGE_CERT_REVOKED?

They are the same value. 0xC0000603 is the numeric form a developer prints, and STATUS_IMAGE_CERT_REVOKED is the C/C++ constant defined in the Windows headers. Tooling that consumes one will accept the other; the lookup is deterministic.

Where can I look up other NTSTATUS codes?

Microsoft maintains the full reference at MS-ERREF. For Win32 error names there is the System Error Codes index. Both are searchable by hex value and by the symbolic name.

Related guides worth a look while you sort this one out:

References

Field notes from real Windows incidents

When I work on the 0xC0000603 symptom the rhythm I lean on is the one I have built over years of these tickets. DISM RestoreHealth needs network or a known-good source image; the most common cause of a failed RestoreHealth is a blocked Windows Update endpoint. Windows error codes come in a handful of families; once you recognise the family, the doc page is one search away. STOP codes look terrifying but the first DWORD almost always points directly at the responsible driver.

Tools I actually reach for

For the 0xC0000603 symptom on Windows the cheapest signal I can land usually comes from WinDbg for STOP code analysis, then Event Viewer (eventvwr.msc), Reliability Monitor (perfmon /rel), Windows Performance Recorder when WinDbg for STOP code analysis cannot see the layer the fault sits in, and DISM and sfc for the cases where neither of those answers cleanly. That ordering is not academic. It matches the layers the failure tends to surface through, so the cheap signal lands first and the heavier tooling only comes out when the simpler answer does not hold up under scrutiny.

Verification I run before I close the ticket

Before I mark the 0xC0000603 symptom resolved on a Windows unit, the verification loop below is what I actually run. Each step proves a different layer is green, and the order matters - the cheap checks gate the more expensive ones.

err.exe 0xXXXXXXXX  # symbolic decode

If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.

wevtutil epl System system.evtx  # export for offline review

If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.

DISM /Online /Cleanup-Image /RestoreHealth

If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.

sfc /scannow

Only when every line above runs clean do I close the ticket and update the runbook with the timestamps.

Where I check first when the docs disagree

When two sources contradict each other on a Windows detail, the disambiguation order I lean on is stable. I usually start at support.microsoft.com for the ground-truth view on Windows. I usually start at techcommunity.microsoft.com/category/windows for the ground-truth view on Windows. I usually start at learn.microsoft.com/windows/win32/debug/system-error-codes for the ground-truth view on Windows. Random blog posts and reseller wikis are signal, not ground truth, and I treat them as such until the references above either confirm or contradict the claim.

Pitfalls I have walked into on this exact path

The shortcuts that look smart on the 0xC0000603 symptom have a habit of biting back. The pitfalls below are the ones I have personally walked into on a Windows unit, not things I read about. STOP codes look terrifying but the first DWORD almost always points directly at the responsible driver. Windows error codes come in a handful of families; once you recognise the family, the doc page is one search away. DISM RestoreHealth needs network or a known-good source image; the most common cause of a failed RestoreHealth is a blocked Windows Update endpoint. When in doubt I revert to the slower path that the manual prescribes - the time I save by skipping it is always smaller than the time I spend cleaning up afterwards.

What I tell the next on-call

When I hand the 0xC0000603 symptom off to the next person on rotation, the three lines I leave in the runbook are these. First, the symptom signature for Windows on the Windows family - not a paraphrase, the exact string that surfaces. Second, the diagnostic that gave the highest signal in the least time. Third, the exact verification command whose green output justified closing the ticket. That trio is what turns a one-off fix into a runbook entry the next engineer can use without paging me at three in the morning.

I also add a one-line note on the cost of getting this wrong. For the 0xC0000603 symptom on a Windows unit, the cost is rarely the replacement part. It is the downtime, the second site visit, and the trust deficit you spend with whoever owns the asset when the fix does not hold. That framing keeps the next on-call from choosing the cheap-looking shortcut that ends up costing the most in elapsed hours and goodwill.