Fix CRYPT_E_UNKNOWN_ALGO (0X80091002) error on Windows

Cause 1: Missing or outdated root certificates

The most common reason for CRYPT_E_UNKNOWN_ALGO is that Windows can't verify the digital signature on a file or update because it doesn't have the right root certificate installed. This happened a lot after Microsoft pushed SHA-2 code signing updates in 2019–2020. Older Windows 7 and 8.1 systems that didn't get the KB4474419 or KB4490628 updates would hit this error whenever they tried to install newer patches.

If you see 0x80091002 when running Windows Update, or when installing a driver or software package, it's almost certainly this. The system sees a certificate signed with SHA-2 but doesn't know how to process it.

Fix: Update the root certificate store manually

1. Check your Windows version. Press Win + R, type winver, then hit Enter. Write down the version number.
2. Download the appropriate SHA-2 update package. For Windows 7 SP1, grab KB4474419 from Microsoft Update Catalog. For Windows 8.1, get KB4490628. Pick the version matching your system (x86, x64, or ARM).
3. Install the update. Double-click the .msu file and follow the prompts. It'll take a couple minutes and may ask you to restart. After restart you should see the update in Control Panel > Programs > Installed updates.
4. Force a fresh certificate download. Open an elevated Command Prompt (right-click Start > Command Prompt (Admin) or Terminal Admin). Run this command:
   

   certutil -generateSSTFromWU C:\roots.sst

   This pulls the latest Microsoft root certificates from Windows Update. Wait for it to finish – it can take 30-60 seconds.
5. Import the certificates. Run:
   

   certutil -addstore -f Root C:\roots.sst

   You should see a list of certificates being added, with no errors.

After these steps, try whatever gave you the error again. For Windows Update, go to Settings > Update & Security > Check for updates. If it was a third-party installer, run it again. The error should be gone.

Cause 2: Corrupted system files (crypt32.dll or related)

If updating certificates didn't fix it, the problem might be with Windows itself. A corrupted crypt32.dll file – that's the Windows Cryptography module – can trigger 0x80091002. This usually happens after a failed update, a hard shutdown, or maybe a virus that messed with protected system files.

You'll know it's this if you see the error in Event Viewer under System logs with source Crypt32 or Schannel, or if you get the error when trying to run any crypto-related operation (like BitLocker, or even just opening a signed executable).

Fix: Run SFC and DISM scans

1. Open an elevated Command Prompt (Admin).
2. Run the System File Checker. Type:
   

   sfc /scannow

   This checks all protected system files and replaces any corrupted ones from a local cache. It'll take 10-20 minutes. When it finishes, you'll see one of three messages: "Windows Resource Protection did not find any integrity violations", "Windows Resource Protection found corrupt files and successfully repaired them", or "Windows Resource Protection found corrupt files but was unable to fix some of them". Write down what it says.
3. If SFC failed or found unfixable files, run DISM. DISM is the deployment image servicing tool – it fixes the component store that SFC uses. Run this:
   

   DISM /Online /Cleanup-Image /RestoreHealth

   This command downloads fresh files from Windows Update. It can take 20-40 minutes depending on your internet speed. Make sure you're connected.
4. After DISM completes, run sfc /scannow again. DISM might have fixed what SFC couldn't.
5. Restart your PC even if neither tool reported changes. Some fixes only apply after reboot.

I've seen this resolve about 70% of persistent 0x80091002 errors when certificates aren't the issue. If DISM fails to connect to Windows Update (common in offline environments), you can use a Windows installation ISO as a repair source – but that's an advanced step. The online method works for most people.

Cause 3: Third-party security software interfering

Sometimes the error isn't Windows at all – it's an overzealous antivirus or firewall that's blocking or tampering with cryptographic operations. I've seen this with Avast, McAfee, and even some corporate VPN clients. They hook into the Windows crypto API and can break certificate chain validation.

You'll suspect this if the error only happens when a specific security suite is running, or if it started right after you installed or updated your antivirus. The error might also trigger in a specific app but not in others.

Fix: Temporarily disable security software

1. Disable real-time protection. Open your antivirus dashboard and look for a setting like "Real-time scanning", "Self-defense", or "Web protection". Turn it off temporarily. Most suites give you a 15-minute or 1-hour disable option.
2. Test the operation that was failing. If the error doesn't appear, you've found the culprit.
3. If you're using a third-party firewall, also disable it temporarily. Some firewalls inspect SSL/TLS certificates and can corrupt the chain.
4. Permanent fix: Add an exception in your security software for the affected application or update source. For example, in Avast and AVG, go to Settings > Exceptions and add the file or folder path. For Windows Update, add C:\Windows\SoftwareDistribution\ as an exception.
5. If the problem persists after disabling everything, it's not the security software. Re-enable it and move back to the first two causes.

A quick note: Windows Defender usually doesn't cause this error. If you're using only Defender, skip this cause entirely.

Quick-reference summary table

Start with Cause 1 – you'll fix 8 out of 10 instances there. If not, move down the list. Don't skip the DISM step on Cause 2 even if SFC reports clean – I've seen cases where SFC misses corruption that DISM finds. And if you're on Windows 10 or 11, Cause 1 is still possible but less common; Cause 2 becomes more likely.