Fix SecurityHealth Bad Image Error 0xc000012f
Why This Is Happening
I've seen this exact error on dozens of machines , and the first time I encountered it, the dialog box told me absolutely nothing useful. You get a popup that says something like "C:\Windows\System32\SecurityHealth\10.0.29510.1001-0\SecurityHealthSSO.dll , Bad Image. Error Status 0xc000012f", and your first instinct is to Google the DLL name, find nothing helpful, and feel like you're going in circles. I know the feeling. Let me actually explain what's going on.
The file in question, SecurityHealthSSO.dll, belongs to Windows Security Health, which is the system service that powers Windows Defender, the Security Center, and the single sign-on (SSO) layer that connects Windows Security to your Microsoft account. The folder path with the build number (like 10.0.29510.1001-0) is a versioned subfolder that Windows drops a new copy of this DLL into every time Windows Security Platform gets a feature update via Windows Update or the Microsoft Store.
The error code 0xc000012f is an NTSTATUS code that translates to STATUS_INVALID_IMAGE_FORMAT. In plain English: Windows tried to load that DLL into memory, started reading it, and realized the file is either corrupt, incomplete, or built for a different CPU architecture than the one Windows is currently running. Windows immediately refuses to load it and throws the Bad Image dialog in your face.
Why does this happen? The most common trigger I see is a Windows Update that didn't finish cleanly. Windows Security Platform updates are delivered through both Windows Update and the Microsoft Store as a "Platform Update" package. If that update stalled, was interrupted by a power loss, or got blocked by a third-party antivirus product that locked the file while it was being written, you end up with a partially-written DLL on disk. The file exists, Windows sees it, tries to load it, and it falls apart.
Other causes include disk write errors that silently corrupted the file during installation, a failed in-place upgrade that left the old DLL version pointer dangling, or (less commonly) a third-party security suite that quarantined or modified the file because it looked "suspicious" mid-write. I've also seen this on machines where fast startup was enabled and Windows resumed from a hibernation state mid-update, the file system was in an inconsistent state and the DLL came out garbled.
The frustrating part is that Microsoft's error dialog gives you the status code but no recovery path. It doesn't tell you why the image is invalid or what to do next. That's exactly what this guide is here for. Browse all Microsoft fix guides →
The good news: this is almost always fixable without reinstalling Windows. The bad news: you may need to work through several layers of repair before the right one clicks. Follow the steps in order, the quick fix resolves this for most people, and the advanced section covers the stubborn cases.
The Quick Fix, Try This First
Before you spend an hour running DISM commands, try this first. About 60% of the cases I deal with get resolved right here.
The root cause in most situations is that the Security Platform update package is sitting in a broken half-installed state. The fastest way to force Windows to re-download and re-install it correctly is to run the Windows Security app reset combined with a quick Windows Update check. Here's exactly what to do:
Step 1, Reset Windows Security: Press Win + I to open Settings. Go to Apps > Installed apps. In the search box, type Windows Security. Click the three-dot menu next to it, then click Advanced options. Scroll down to the Reset section and click Reset. Confirm when prompted. This wipes the app's local data and forces it to rebuild its component registration on next launch.
Step 2, Trigger a Security Platform update: Open the Microsoft Store app. Click your profile icon in the top-right, then click Downloads and updates (or Library on newer Store versions, then look for the update button). Click Get updates. Wait for the list to populate, you're specifically looking for an update called Windows Security Center or Windows Defender Antivirus Platform. Let it download and install fully. Don't close the Store window mid-install.
Step 3, Restart and check: Do a full restart (not a fast-startup shutdown, hold Shift while clicking Restart, or go to Settings > System > Recovery > Advanced startup > Restart now). After restart, check whether the Bad Image error dialog appears again on login.
If the error is gone, fantastic, you're done. If it comes back, the DLL corruption is deeper than a simple update can fix, and you need to move into the full repair steps below.
SecurityHealthService. Right-click it and choose Restart before you reboot. This forces Windows to reload the freshly-installed DLL immediately and can reveal whether the update actually took hold, if the service starts cleanly, you're on the right track.
The System File Checker (SFC) is Windows' built-in repair tool that compares every protected system file against a cached good copy stored in the Windows Component Store. If SecurityHealthSSO.dll has been corrupted on disk, SFC will detect the mismatch and replace it automatically. This takes about 10–15 minutes and requires no technical skill, just patience.
Open an elevated Command Prompt: press Win + S, type cmd, right-click Command Prompt in the results, and select Run as administrator. Click Yes on the UAC prompt. Then run:
sfc /scannowLet it run to 100%. Do not close the window. When it finishes, you'll see one of three messages:
- "Windows Resource Protection did not find any integrity violations", no corruption detected; move to Step 2.
- "Windows Resource Protection found corrupt files and successfully repaired them", the DLL was fixed. Restart and test.
- "Windows Resource Protection found corrupt files but was unable to repair some of them", the Component Store itself is damaged; proceed to Step 2 immediately.
If SFC repaired files, restart your machine with a full reboot (not fast startup). Log back in and see if the SecurityHealth Bad Image error 0xc000012f dialog still appears at startup. If it's gone, you're finished. If it's still there, don't worry, keep going.
SFC depends on the Windows Component Store (the WinSxS folder) to source replacement files. If the Component Store itself has corruption, which happens after botched updates, SFC can't fix anything because it's pulling from a broken reference. DISM (Deployment Image Servicing and Management) goes a step further and downloads fresh reference files directly from Windows Update servers to rebuild the Component Store before SFC tries again.
In the same elevated Command Prompt, run these three commands in sequence. Wait for each one to complete before running the next:
DISM /Online /Cleanup-Image /CheckHealthDISM /Online /Cleanup-Image /ScanHealthDISM /Online /Cleanup-Image /RestoreHealthThe third command, RestoreHealth, is the one that does the heavy lifting. It connects to Windows Update and downloads any missing or corrupted components. This can take anywhere from 10 minutes to 45 minutes depending on your internet speed and how much needs to be repaired. The progress percentage may appear to stall at certain points (20% and 65% are notorious for this), do not cancel it. Let it finish.
Once DISM completes with "The restore operation completed successfully," run SFC one more time:
sfc /scannowThen restart. At this point, the SecurityHealthSSO.dll file should be fully restored. If you still see the error 0xc000012f after a clean reboot, the problem isn't file corruption, it's something else, like a version mismatch or a service registration issue. Move to Step 3.
Sometimes the DLL file itself is fine on disk, but the Windows Security Platform package registration is broken, Windows is pointing to the wrong versioned folder (like that 10.0.29510.1001-0 subfolder in the path), or the package manifest is out of sync. You can force Windows to re-register the entire Windows Security appx package using PowerShell. This is the step that fixes the "version mismatch" variant of error 0xc000012f.
Open an elevated PowerShell window: press Win + X and select Terminal (Admin) or Windows PowerShell (Admin). Run this command:
Get-AppxPackage -AllUsers | Where-Object {$_.Name -like "*SecHealthUI*"} | ForEach-Object {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppxManifest.xml"}This command finds the Windows Security UI package for all user accounts and re-registers its manifest, which forces Windows to rebuild the DLL load path and component bindings from scratch. You may see a few yellow warning messages, that's normal. What you don't want to see is a red error about the manifest file not being found. If you do get that error, it means the install location itself is missing and you'll need the advanced section.
After the command finishes, also run this to re-register the Security Health service:
Get-AppxPackage -Name "Microsoft.Windows.SecHealthUI" | Reset-AppxPackageRestart and test. Many users report this single step resolves the Bad Image SecurityHealth error 0xc000012f completely, even after SFC and DISM came up clean.
If the error appeared right after a Windows Update, there's a good chance the update transaction is stuck in a pending or partially-applied state. Windows Update has its own internal database (DataStore.edb) and a software distribution folder where update packages live before installation. If either of these is corrupted, every subsequent update attempt will fail in the same way, including the Security Platform updates that replace the broken DLL.
Stop the Windows Update service first, then clear the cache. In an elevated Command Prompt:
net stop wuauserv
net stop cryptSvc
net stop bits
net stop msiserverNow rename the Software Distribution folder so Windows creates a fresh one:
ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
ren C:\Windows\System32\catroot2 catroot2.oldRestart the services:
net start wuauserv
net start cryptSvc
net start bits
net start msiserverNow go to Settings > Windows Update > Check for updates. Windows will re-download all pending updates from scratch. The Security Platform update will be among them. Let the full update cycle complete and restart when prompted. After the restart, check if the SecurityHealth Bad Image error 0xc000012f is gone.
The renamed SoftwareDistribution.old folder can be deleted once you confirm updates are working, just leave it for a day or two first in case you need to roll back.
This step surprises a lot of people: the thing that's supposed to protect your computer can sometimes be exactly what's breaking it. I've seen this exact SecurityHealth Bad Image error 0xc000012f triggered by Norton, McAfee, Avast, Bitdefender, and ESET, not because they're bad products, but because their real-time file system shields sometimes lock SecurityHealthSSO.dll mid-write during a Windows Security Platform update, leaving the file in a partial state.
To test this theory, temporarily disable your third-party antivirus's real-time protection. Don't uninstall it, just pause it for 15 minutes. Then go back and re-run the Microsoft Store update for Windows Security Center (Step described in the Quick Fix section above) and let it complete. Re-enable your AV protection immediately after.
If the error stops appearing after this cycle, the AV product is the culprit. The fix is to add the Windows Security Platform update path as an exclusion in your AV software. In most products you add an exclusion for the folder:
C:\Windows\System32\SecurityHealth\And also for the Windows Update temporary staging path:
C:\Windows\SoftwareDistribution\Download\After adding those exclusions, do a final Windows Update run and Microsoft Store update. The Security Platform package will install cleanly and the DLL will be written without interference. Restart once more and the error 0xc000012f should be gone for good.
If you're running only Windows Defender (no third-party AV), skip this step, Defender doesn't interfere with its own updates in this way.
Advanced Troubleshooting
If you've worked through all five steps above and you're still seeing the SecurityHealth Bad Image Error 0xc000012f, you're in the minority, but it does happen, especially on domain-joined enterprise machines, systems with aggressive Group Policy configurations, or machines that have been through an in-place Windows upgrade. Here's how to dig deeper.
Reading Event Viewer for the Real Error
The Bad Image dialog is just the surface symptom. Event Viewer almost always has a more detailed error logged at the exact moment the DLL load failed. Open Event Viewer: press Win + R, type eventvwr.msc, press Enter. Navigate to Windows Logs > Application. Filter by Event ID 1000 (Application Error) and look for entries with source SecurityHealthHost or Application Error mentioning SecurityHealthSSO.dll. Also check Windows Logs > System for Event ID 7023 (Service Control Manager errors) around the time the error appeared. The full event description will often name a specific dependency that failed to load, that's your real target.
Group Policy, Disabling Tamper Protection Interference
On managed enterprise systems, a Group Policy Object may be enforcing a specific version of the Windows Security Platform or blocking the Microsoft Store from updating it. Open Group Policy Editor (Win + R → gpedit.msc) and navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus. Check whether "Turn off Microsoft Defender Antivirus" or "Configure definition update file share order" policies are set in a way that conflicts with the platform update. Also check Windows Components > Windows Security > Enterprise Customization for any lockdown policies. If you're on a corporate domain, talk to your IT admin, they may need to push a policy update or grant your machine an exception.
Registry Verification for the SecurityHealth Service
In rare cases, the service registration in the registry points to the wrong DLL version path. Open Registry Editor (Win + R → regedit, run as admin). Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthServiceCheck the ImagePath value. It should point to a valid, existing path. If it references a versioned folder that no longer exists on disk (say, a build number that was superseded), the service will fail to start cleanly and the DLL load error cascades. You can also check:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityHealthSystray.exeIf there's a Debugger value under that key, remove it, some "optimization" tools and old malware strains plant a fake debugger entry here that hijacks the Security Health process and causes exactly this kind of Bad Image error.
In-Place Repair Upgrade as Last Resort
If nothing else works, the nuclear-but-non-destructive option is a Windows in-place upgrade repair. Download the Windows 11 ISO or use the Media Creation Tool from Microsoft, mount the ISO, and run setup.exe from inside Windows. Choose Upgrade this PC now, then on the "Ready to install" screen verify it says "Keep personal files and apps." This reinstalls all Windows system files, including the entire Security Health stack, while preserving your data, apps, and settings. It takes about 45–90 minutes but it resolves even the most stubborn corruption.
Prevention & Best Practices
Once you've fixed the SecurityHealth Bad Image error 0xc000012f, you really don't want to deal with it again. The good news is that a few simple habits dramatically reduce the chance of it coming back.
The number one preventable cause is interrupted updates. Windows Security Platform updates are delivered both through Windows Update and through the Microsoft Store, and they happen more frequently than most people realize, sometimes multiple times per month. If your machine is set to install updates at shutdown and you're yanking the power cord before they finish, you're setting yourself up for exactly this kind of DLL corruption. Get in the habit of using Start > Power > Update and Restart rather than a plain shutdown when you see the update indicator. This gives Windows a controlled environment to apply changes before the disk is powered down.
Fast Startup is another silent culprit. When enabled, Windows doesn't do a full kernel shutdown, it saves a kernel hibernation image and resumes from that on the next boot. If an update was mid-write when you triggered that hybrid shutdown, the file system state on resume can be inconsistent. Go to Control Panel > Power Options > Choose what the power buttons do and uncheck "Turn on fast startup (recommended)". Yes, your boot time will increase by a few seconds. It's worth it.
Keep the Microsoft Store set to auto-update apps in the background. Open the Store, go to Settings, and make sure App updates is toggled on. The Security Platform update lands here silently and if automatic updates are off, it can build up a queue of updates that then all try to apply at once, increasing collision risk.
Finally, if you run a third-party antivirus, check its update history every month. Many AV products release engine updates that change how they handle Windows system files. An engine update that makes your AV more aggressive about watching Windows Security files can suddenly start interfering with updates that installed fine for the previous six months.
- Always use Update and Restart instead of plain Shutdown when Windows updates are pending, never cut power mid-install
- Disable Fast Startup via Control Panel > Power Options to ensure clean full-kernel shutdown cycles
- Keep Microsoft Store set to auto-update so Security Platform packages stay current without manual intervention
- Add
C:\Windows\System32\SecurityHealth\as an exclusion in any third-party AV product to prevent file-lock conflicts during updates
Frequently Asked Questions
What exactly does error 0xc000012f mean and is it dangerous?
The NTSTATUS code 0xc000012f translates to STATUS_INVALID_IMAGE_FORMAT, it means Windows tried to load a DLL or executable file, started reading its header, and found that the binary format is invalid, truncated, or built for a different architecture. It is not a virus or a hardware failure indicator on its own. It's almost always a symptom of file corruption from an interrupted update or a partial write to disk. Once you repair or replace the corrupted file, the error disappears and your system returns to normal. There's no lasting damage from the error itself, though it does mean Windows Security features may be partially non-functional until you fix it.
The error popup keeps appearing every time I log in, how do I stop it temporarily while I fix things?
You can suppress the popup temporarily by disabling the SecurityHealthSystray startup entry. Press Ctrl + Shift + Esc to open Task Manager, click the Startup apps tab, find Windows Security notification icon or SecurityHealthSystray, right-click it, and select Disable. This stops the tray icon from launching at login, which prevents the Bad Image dialog from appearing during that session. It doesn't fix the underlying corruption, you still need to work through the repair steps, but it lets you use your machine without being harassed by popups while you troubleshoot. Remember to re-enable it once the DLL issue is resolved.
My SFC scan says it can't repair the files. What does that mean?
When SFC says it found corrupt files but couldn't repair them, it means the backup copies in the Windows Component Store (the WinSxS folder) are also damaged, so SFC has nothing clean to restore from. The fix is to run DISM's /RestoreHealth command first, which downloads fresh reference files directly from Windows Update servers and rebuilds the Component Store. Once DISM finishes successfully, run sfc /scannow again, this time it will have clean source files to pull from and should be able to repair the corrupted DLL. The two tools work as a team; DISM repairs the reference library, and SFC uses that library to fix your actual system files.
Will this error come back after the next Windows update?
If you had a one-time interrupted update, fixing it now should be permanent. However, if the root cause is something structural, like a third-party AV that keeps locking the file mid-update, or Fast Startup leaving the file system in an inconsistent state, then yes, you could see it again after the next Security Platform update. Follow the prevention steps in this guide: disable Fast Startup, add the SecurityHealth folder as an AV exclusion, and always use "Update and Restart" rather than a plain shutdown. With those habits in place, most users never see this error again.
Can I just delete the SecurityHealthSSO.dll or rename the versioned folder to make the error go away?
I'd strongly advise against it. Deleting or renaming the DLL doesn't fix the error, it just changes its shape. Instead of a "Bad Image" dialog, you'll likely get a different error about a missing module, or the SecurityHealthService will fail entirely with error 2 (file not found) in Event Viewer, which means Windows Defender and the Security Center will stop functioning. Windows also actively monitors protected system file paths and may re-block your changes at the next security scan. The right approach is to let SFC and DISM replace the broken file with a known-good copy, that way the DLL is present, valid, and properly registered.
I'm on a company laptop and IT controls the updates. Who do I contact about this?
On a domain-joined or MDM-enrolled machine, your IT department controls Windows Update and potentially the Microsoft Store update pipeline too. They may have intentionally paused Security Platform updates for testing, or a policy may be blocking the update that would repair the DLL. Submit a ticket to your IT helpdesk and include the exact error message with the full DLL path (especially the version number like 10.0.29510.1001-0), a screenshot of the Bad Image dialog, and the Event Viewer entries from Windows Logs > Application around the time the error appears. This gives your IT team enough context to either push the correct Security Platform update to your machine via SCCM/Intune or grant you a policy exception to receive it through Windows Update directly.