Fix FWP_E_TOO_MANY_SUBLAYERS (0x80320036) – too many WFP sublayers
Windows Filtering Platform hits a hard cap of 1024 sublayers. This error means some app or service leaked sublayers. Here's how to find and remove the extras.
Quick answer
Run netsh wfp show sublayers in an admin prompt to list all sublayers. Look for patterns—same app creating hundreds. Then use PowerShell to delete them in batches until you're under the 1024 cap. The real fix is uninstalling whatever software leaks sublayers.
What's actually happening here
Windows Filtering Platform (WFP) has a hard limit of 1024 sublayers. Each sublayer is a container for filter rules—think of it like a folder. The system itself uses maybe 20-30. The rest come from third-party software: VPN clients, antivirus suites, network monitoring tools, or badly written firewall add-ons.
I've seen this most often after removing a VPN client that didn't clean up after itself, or when a security suite goes rogue and creates a new sublayer every time its service restarts. The error 0x80320036 pops up when any app tries to register a new sublayer and the system says “no more room.”
The trigger is almost always a user installing and uninstalling multiple network security apps without rebooting, or a filter driver that leaks sublayers during updates.
Step-by-step fix
Step 1: Check how many sublayers you have
Open PowerShell or Command Prompt as Administrator. Run:
netsh wfp show sublayers
This dumps every sublayer with its GUID, name, and provider. Scroll to the bottom—it'll print the total count. If you see 1024, you're at the limit.
Step 2: Identify the culprit
Look for patterns in the output. You'll often see something like:
- “McAfee NetGuard” repeated 500 times
- “NordVPN Tunnel” with a different GUID each time
- “AcmeFilter” with incrementing numbers
The name tells you which software is responsible. If you can't tell from the name, look at the Provider GUID—you can cross-reference it with the software's installation folder or event logs.
Step 3: Delete the orphaned sublayers
Use PowerShell to remove them by GUID. For a batch delete of sublayers matching a pattern, save the GUIDs to a variable first:
$sublayers = netsh wfp show sublayers | Select-String -Pattern "{GUID-PATTERN}" -AllMatches | ForEach-Object { $_.Matches.Value }
foreach ($guid in $sublayers) { netsh wfp delete sublayer $guid }
Replace GUID-PATTERN with a partial GUID or use a name filter. For example, to delete all sublayers containing “VPN” in their name:
$sublayers = netsh wfp show sublayers | Where-Object { $_ -match "VPN" } | ForEach-Object { if ($_ -match "{([^}]+)}") { $matches[1] } }
foreach ($guid in $sublayers) { netsh wfp delete sublayer $guid }
Run netsh wfp show sublayers again to verify the count dropped.
Step 4: Reboot and retest
After deleting, reboot the machine. Then try whatever operation was failing—installing a VPN, enabling a firewall rule, or launching the security software. The 0x80320036 error should be gone.
Alternative fix if you can't identify the source
If the sublayer names are all generic “Microsoft” entries with no obvious owner, you might have a system file corruption or a driver that's misbehaving. Run:
sfc /scannow
dism /online /cleanup-image /restorehealth
That won't delete sublayers, but it can repair the component that tracks them. If that doesn't help, use Autoruns from Sysinternals to disable startup entries for network-related software one by one, rebooting each time, and checking the sublayer count afterwards.
I've also seen cases where a rogue Windows Filtering Platform callout driver (a .sys file) recreates sublayers on every boot. In that case, you need to find and remove the driver. Use driverquery and look for anything that references “wfp” or “callout” that isn't a Microsoft component.
Prevention tip
The only way to avoid this is to uninstall network security software properly—always use the vendor's official uninstaller, reboot, and then check netsh wfp show sublayers to confirm the count didn't go up. If you're a sysadmin managing many machines, run a scheduled task weekly that checks sublayer count and alerts you if it exceeds 950. That gives you a buffer before the cap is hit.
Also, avoid installing multiple VPN clients on the same machine. Pick one and stick with it. VPN TAP and WFP drivers are notorious for leaving sublayers behind after uninstall.
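The weekly count check from the prevention tip, combined with the by-name grouping from Step 2, as an added PowerShell example (not code from the original page or from any vendor). It reads the XML dump written by netsh wfp show state; the element names it parses (subLayers/item, displayData/name, providerKey) and the -StateFile, -Threshold and -Top parameters are assumptions of this example.

```powershell
# Added example: count WFP sublayers and group them by owner. Run elevated.
param(
    [string]$StateFile,      # optional: an existing 'netsh wfp show state' XML dump
    [int]$Threshold = 950,   # alert level suggested in the prevention tip
    [int]$Top = 10           # number of name/provider groups to list
)

function Get-SublayerReport {
    param([xml]$State, [int]$Threshold, [int]$Top)
    # Assumed dump layout: <subLayers><item> with <displayData><name> and <providerKey>.
    $items = @($State.SelectNodes('//subLayers/item'))
    $owners = $items | ForEach-Object {
        $name     = $_.SelectSingleNode('displayData/name')
        $provider = $_.SelectSingleNode('providerKey')
        [pscustomobject]@{
            Name     = if ($name) { $name.InnerText } else { '(unnamed)' }
            Provider = if ($provider -and $provider.InnerText) { $provider.InnerText } else { '(none)' }
        }
    } | Group-Object Name, Provider | Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name
    [pscustomobject]@{
        Total     = $items.Count
        OverLimit = $items.Count -gt $Threshold
        TopOwners = $owners   # many entries under one name/provider suggests a leak
    }
}

$cleanup = $false
if (-not $StateFile) {
    $StateFile = Join-Path $env:TEMP "wfpstate-$PID.xml"
    netsh wfp show state "file=$StateFile" | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $StateFile)) {
        throw 'netsh wfp show state did not produce a dump (is the prompt elevated?)'
    }
    $cleanup = $true
}
try {
    [xml]$xml = Get-Content -LiteralPath $StateFile -Raw
} finally {
    # The dump describes every filter on the host, so do not leave it in TEMP.
    if ($cleanup) { Remove-Item -LiteralPath $StateFile -Force }
}
$report = Get-SublayerReport -State $xml -Threshold $Threshold -Top $Top
$report.TopOwners | Format-Table -AutoSize | Out-String | Write-Host
if ($report.OverLimit) {
    Write-Warning "WFP sublayer count $($report.Total) exceeds $Threshold"
    exit 1   # non-zero result so the scheduled task shows as failed
}
Write-Host "WFP sublayer count $($report.Total) is within $Threshold"
```

Registered as a weekly task under an elevated account, a non-zero last-run result means the count has passed the threshold. The grouped table shows which name and provider pair owns the most sublayers.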