0XC0000372: Blocked by Windows Safer Policy — Direct Fix
You're hitting a group policy restriction blocking an app. The quick fix is to run it as Admin or adjust the local Safer policy. Here's how.
You opened an app and got hit with error 0XC0000372
It says your administrator restricted access by policy rule %2. That's frustrating, especially when you know you didn't set anything up. I've seen this a hundred times — the culprit here is almost always a Windows Software Restriction Policy (SRP) or a leftover Safer policy entry. Let's get it sorted.
Fix #1: Run the app as Administrator
Right-click the executable (.exe) and select Run as administrator. If it works, it's a permissions or token issue — the policy isn't properly applying to elevated processes. That's not a permanent fix, but it confirms the cause.
Fix #2: Disable Local Safer Policy (the real fix)
Press Win + R, type secpol.msc, and hit Enter. Go to Security Settings → Software Restriction Policies. If you see a folder for Additional Rules, there's an active SRP. Right-click Software Restriction Policies and choose Delete Software Restriction Policies. Reboot. Try the app again.
No SRP there? Check Application Control Policies → Windows Safer Policies → Safer Policies. You might see a rule like S-1-16-4096 or something tied to a specific path. Delete any rule that matches your blocked app's path. Reboot.
Fix #3: Check group policy via GPEdit
Run gpedit.msc. Navigate to Computer Configuration → Windows Settings → Security Settings → Software Restriction Policies. Same drill — if it's configured, either disable it or add your app's path to Additional Rules as a new Path Rule set to Unrestricted.
On Windows 10/11 Home edition, gpedit.msc isn't installed by default. You can enable it manually, but it's easier to use the registry method below.
Fix #4: Registry cleanup (when GPEdit isn't available)
Open Regedit as Administrator. Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Look for a value named DefaultLevel. If it's set to 0x00040000 (Disallowed), that's your problem. Change it to 0x00010000 (Unrestricted) or delete the CodeIdentifiers key entirely. Reboot immediately.
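Before changing or deleting anything under CodeIdentifiers, it helps to back the key up and see exactly which rules are stored. The PowerShell below is an added example, not part of the original fix steps: it only reads the policy, apart from writing a .reg backup to %TEMP%. It assumes the standard SRP registry layout (level-ID subkeys containing Paths, Hashes or UrlZones, each rule keyed by a GUID with an ItemData value) and that SRP block events appear in the Application log with IDs 865-868.

```powershell
# Added example (not from the original article): read-only audit of Safer/SRP state.
# Run from an elevated PowerShell prompt. Nothing here modifies the policy.
$roots = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
         'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$present = @($roots | Where-Object { Test-Path -LiteralPath $_ })

# 1. Back up the machine policy key so a deletion can be undone with "reg import".
$backup = Join-Path $env:TEMP ('safer-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer' $backup /y 2>$null | Out-Null
if ($LASTEXITCODE -eq 0) { "Backup written to $backup" } else { 'Export failed (key absent or access denied).' }

# 2. Show the default level and enforcement settings as raw values.
$defaults = foreach ($root in $present) {
    $p = Get-ItemProperty -LiteralPath $root
    [pscustomobject]@{
        Key                = $root
        DefaultLevel       = if ($null -ne $p.DefaultLevel) { '0x{0:X8}' -f $p.DefaultLevel }
        TransparentEnabled = $p.TransparentEnabled
        PolicyScope        = $p.PolicyScope
    }
}
$defaults | Format-List | Out-Host

# 3. List every stored rule. Assumed layout: <level id>\<Paths|Hashes|UrlZones>\{rule GUID}.
$rules = foreach ($root in $present) {
    foreach ($level in Get-ChildItem -LiteralPath $root | Where-Object PSChildName -match '^\d+$') {
        foreach ($type in Get-ChildItem -LiteralPath $level.PSPath) {
            foreach ($rule in Get-ChildItem -LiteralPath $type.PSPath) {
                $d = (Get-ItemProperty -LiteralPath $rule.PSPath).ItemData
                [pscustomobject]@{
                    Level    = '0x{0:X8}' -f [int]$level.PSChildName
                    Type     = $type.PSChildName
                    RuleGuid = $rule.PSChildName
                    # Path rules store a string; hash rules store bytes, shown here as hex.
                    ItemData = if ($d -is [byte[]]) { -join ($d | ForEach-Object { $_.ToString('x2') }) } else { $d }
                }
            }
        }
    }
}
$rules | Format-Table -AutoSize -Wrap | Out-Host

# 4. Recent SRP block events, if any were logged. The rule GUID quoted in the
#    message corresponds to RuleGuid above. Provider is matched by substring
#    (assumption) rather than by exact name.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 865, 866, 867, 868 } -ErrorAction SilentlyContinue |
    Where-Object ProviderName -like '*SoftwareRestrictionPolicies*' |
    Select-Object -First 10 TimeCreated, Id, Message | Format-List | Out-Host
```

If step 3 returns no rules and the key is repopulated after a reboot or gpupdate, the policy is being delivered by a domain GPO rather than stored locally.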
Why does this error happen?
0XC0000372 is Windows' way of saying "something blocked this app based on a policy rule." The Safer policy system was introduced in Windows XP and still exists in Windows 10/11. It's often left over from old company images, security software (like McAfee or Symantec), or a rogue GPO that didn't clean up after itself. The error code's second part — "by policy rule %2" — means the rule is stored but the UI to manage it is disabled (hence the "NO_SAFER_UI" part). It's a ghost rule in most cases.
Less common variations
App runs but then immediately crashes with 0XC0000372
Same cause — the policy blocks a DLL the app needs. Use Process Monitor to see which file triggers the ACCESS_DENIED. Whitelist that DLL in SRP.
Error on every app except browsers
Your policy likely has a path rule covering everything except %ProgramFiles% or %SystemRoot%. Check Additional Rules in secpol.msc for an All Files rule set to Disallowed. Delete it.
Error only when user is not local admin
Policy is applying via GPO from a domain controller. You can't fix it locally — you need to talk to your IT team to remove the policy from the OU your computer is in. In the meantime, run the app as a local admin (if you have the password).
Prevention
Don't enable Software Restriction Policies unless you really need to. They're a pain to maintain. If you must use them, always test with a path rule before applying a hash or certificate rule — those break silently. Also, when uninstalling security software (especially Symantec or McAfee), reboot twice and check secpol.msc for leftover entries. I've seen those tools leave Safer policy artifacts that survive reboots. Finally, if you're managing a fleet, use AppLocker instead — it's newer, clearer, and has a proper UI. SRP is a legacy feature Microsoft should have killed years ago.