Fix NTE_BAD_SIGNATURE 0X80090006 in 3 steps – real fix
Invalid signature error when Windows can't verify a cryptographic key. Usually from corrupted files or failed Windows Update. Quick fix first, then deeper.
NTE_BAD_SIGNATURE (0X80090006) – Invalid signature
You're trying to install a Windows Update, open an app, or maybe just log into something, and boom — error 0X80090006 with that lovely message: Invalid signature. It's a cryptographic error. Windows couldn't verify a digital signature on some file or key.
This usually happens after a botched update, when a system file gets corrupted, or when something in the Windows cryptographic store is out of whack. Had a client last month whose Windows Update kept failing with this exact code. Took me 15 minutes to fix once I knew what to do.
Here's the order I'd try. Start with the simplest fix. It works more often than you'd think.
Fix 1: Reboot and retry (30 seconds)
I know, sounds stupid. But I've seen this error pop up from a temporary glitch in the Windows cryptographic service. A full restart clears whatever was holding a stale state.
- Close everything.
- Click Start > Power > Restart.
- After reboot, try whatever you were doing again — update, install, whatever.
If the error's gone, you're done. If not, move to the next step.
Fix 2: Run SFC and DISM (5 minutes)
Corrupted system files are the most common reason for this signature error. The built-in System File Checker (SFC) and Deployment Image Servicing and Management (DISM) tools can fix them.
- Open Command Prompt as admin (search cmd, right-click, Run as administrator).
- Type this and press Enter:
    sfc /scannow
  Wait for it to finish. It'll say either no errors found, or it'll fix something and ask you to reboot.
- Reboot if it fixed anything.
- Still broken? Back in the same admin command prompt, run this:
    DISM /Online /Cleanup-Image /RestoreHealth
  This scans Windows image for corruption and uses Windows Update to pull clean files.
- Wait. It takes a few minutes. When done, reboot again.
Had a client with a Windows 11 Pro machine that wouldn't update because of a corrupted crypt32.dll. SFC found it, DISM fixed the source files, and the error vanished. Try this before going nuclear.
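To see which files actually fail signature verification before and after SFC/DISM, a check like this can be run from an elevated PowerShell window. It is an added example, not part of the original article; it assumes Windows PowerShell 5.1 or later, and the file list beyond crypt32.dll is an assumption.

```powershell
# Added example: report signature status for a few crypto-related system files
# and show whether Cryptographic Services is running.
# Only crypt32.dll is named in the article; the other file names are assumptions.
$files = @(
    'crypt32.dll',
    'wintrust.dll',
    'cryptsvc.dll',
    'bcrypt.dll',
    'ncrypt.dll'
)

function Get-SystemFileSignatureReport {
    param(
        [string[]]$Names,
        [string]$Directory = (Join-Path $env:SystemRoot 'System32')
    )
    foreach ($name in $Names) {
        $path = Join-Path $Directory $name
        if (-not (Test-Path -LiteralPath $path)) {
            # A missing file is reported instead of throwing
            [pscustomobject]@{ File = $name; Status = 'Missing'; SignatureType = $null; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            File          = $name
            Status        = $sig.Status          # Valid, HashMismatch, NotSigned, ...
            SignatureType = $sig.SignatureType   # Authenticode (embedded) or Catalog
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

$svc = Get-Service -Name CryptSvc
"Cryptographic Services (CryptSvc): $($svc.Status)"

$report = @(Get-SystemFileSignatureReport -Names $files)
$report | Format-Table -AutoSize

# Anything other than Valid is worth a second look after SFC/DISM finishes
$bad = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($bad.Count -gt 0) {
    "Files failing verification: $($bad.File -join ', ')"
} else {
    "All checked files verify."
}
```

Run it once before Fix 2 and once after the reboot; a file that moves from HashMismatch or NotSigned to Valid is the one that was repaired.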
Fix 3: Reset Windows Cryptographic Services and Credential Manager (15+ minutes)
If the first two didn't work, the problem is deeper — maybe a corrupted key store in Credential Manager, or the Cryptographic Services themselves are hosed. This takes a bit more time.
Step 3a: Stop and restart Cryptographic Services
- Press Win + R, type services.msc, press Enter.
- Scroll down to Cryptographic Services. Right-click it, choose Stop.
- Browse to C:\Windows\System32\catroot2 and rename that folder to catroot2.old. (Right-click > Rename.)
- Go back to Services, right-click Cryptographic Services again, choose Start.
- Reboot.
Step 3b: Clear Credential Manager
Sometimes a bad saved credential — like a cached login for a domain or a network share — has a wonky signature. Clear them out.
- Open Control Panel (search for it).
- Click User Accounts > Credential Manager.
- Under Windows Credentials, look for anything related to your problem app or service. Click the arrow to expand, then Remove.
- You can also remove Generic Credentials that look suspicious (like something with no name).
- Reboot.
Step 3c: Check Windows Update cache
Corrupted update files can also trigger this. Reset the Windows Update components.
- Open Command Prompt as admin again.
- Run these commands one at a time:
    net stop wuauserv
    net stop cryptSvc
    net stop bits
    net stop msiserver
- Then rename the update cache folder:
    ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
- Restart the services:
    net start wuauserv
    net start cryptSvc
    net start bits
    net start msiserver
- Reboot and try your update again.
After this, the error should be gone. If not, you might be dealing with a hardware issue — like a failing hard drive that's corrupting files. But that's rare. 9 times out of 10, one of these steps kills the NTE_BAD_SIGNATURE error.