Fix ERROR_INVALID_LABEL (0x00000513) – SID Label Issue

Cause 1: Corrupted or Missing Mandatory Integrity Label

This is the big one. The error 0x00000513 pops up when Windows can't assign a Mandatory Integrity Label (like Low, Medium, High, or System) to an object – usually a file or folder. This corrupt label prevents any process from setting a new one. I've seen this most often on system-protected files (think C:\Windows\System32\drivers\etc\hosts) or on files moved from a different machine or drive. The culprit here is almost always a permission mismatch or a damaged security descriptor.

Fix: Reset the Integrity Label with icacls

1. Open Command Prompt as Administrator. Don't bother with PowerShell unless you're more comfortable – icacls works the same.
2. Run:
   

   icacls "C:\path\to\your\file" /setintegritylevel M

   Replace M with the correct level: L (Low), M (Medium), or H (High). For most user files, Medium (M) is what you want. For system files, you'll need H (High) – but be careful not to mess with critical files.
3. If icacls says access denied, run it with /grant SYSTEM:F first, then retry the label step.
4. Reboot. Yes, really – Windows caches security descriptors. A restart forces a reload.

If icacls fails with a different error, move to the next cause.

Cause 2: Broken Security Descriptor (DACL or SACL)

Sometimes the integrity label is fine, but the underlying security descriptor is corrupted. The error 0x00000513 can also fire when the SID in the label doesn't match any user or group in the DACL (discretionary ACL). This often happens after a domain migration or when you restore files from a backup that carried over stale SIDs from another domain. I've fixed this on shared folders where an old domain SID was still attached to an integrity label.

Fix: Take Ownership and Reset Permissions

1. Right-click the file/folder → Properties → Security tab → Advanced.
2. Next to Owner, click Change. Enter your username (e.g., DOMAIN\YourName) and check Replace owner on subcontainers and objects.
3. Click OK, then go back to Advanced and remove all explicit permissions. Yes, all of them. Then add your user with Full Control.
4. Apply, close, and retry the operation that caused the error.

If the GUI won't let you change the owner (common on system files), use the command line:

takeown /f "C:\path\to\file" /r /d y
icacls "C:\path\to\file" /grant Administrators:F /T

Then try the integrity label fix from Cause 1 again.

Cause 3: Antivirus or Security Software Interference

I know, I know – you've heard this one before. But hear me out. Some third-party antivirus programs (looking at you, McAfee and Norton) hook into the security descriptor functions and can block label changes. The error 0x00000513 appears when the AV's filter driver intercepts the SetSecurityInfo call and returns a bogus status. This is rare but real – I've seen it on Windows 10 21H2 and Windows 11 22H2 with specific AV versions.

Fix: Temporarily Disable the Antivirus or Uninstall It

1. Disable real-time protection in your AV settings.
2. Run the operation that gave the error. If it works, re-enable AV and check for a whitelist option.
3. If disabling doesn't help, uninstall the AV completely. Use the vendor's removal tool – don't just uninstall via Programs and Features. Those tools leave drivers behind.
4. Reboot and retry.

If you're using Windows Defender (built-in), it's almost never the cause. Don't waste time disabling it.

Quick-Reference Summary Table

Run through these in order. The first cause fixes 80% of cases. The second fixes most of the rest. The third is your hail mary. Skip straight to the table if you're in a hurry – but don't skip the reboot steps. They matter.