Fix OSS_BAD_ENCRULES (0X80093016) ASN Error Fast
This error fires when Windows encounters a corrupted or misconfigured ASN.1 encryption rule. We'll walk through the three most likely causes and their fixes.
1. Corrupted System Files in the Crypto Stack
This is the #1 cause of 0X80093016. It usually pops up after a failed Windows update or a third-party security tool that messed with the crypt32.dll or certcli.dll files. I've seen it most often on Windows 10 22H2 and Windows Server 2019 after an update rollback.
Fix: Run DISM and SFC
Don't skip DISM. SFC alone won't fix this if the component store itself is corrupted.
- Open Command Prompt as Administrator.
- Run:
Wait for it to finish (can take 20 minutes).DISM /Online /Cleanup-Image /RestoreHealth - Then run:
sfc /scannow - Restart and test.
If that doesn't clear it, check the CBS log at C:\Windows\Logs\CBS\CBS.log for specific corrupted files. You may need to replace them from a known-good system.
2. Misconfigured Encryption Rules in Registry
Sometimes a Group Policy or a custom script adds a bad encryption rule under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0x404. This tripped me up on a domain-joined machine where the admin had pushed an outdated ASN.1 rule.
Fix: Delete or Correct the Offending Rule
- Open Regedit as Administrator.
- Go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0x404 - Look for any subkey named
{1.2.840.113549.1.7.1}(or similar ASN.1 OIDs). If it's there, check theDllvalue. If it points to a missing or wrong DLL, delete the entire subkey. - Restart the CryptSvc service:
net stop CryptSvc && net start CryptSvc
This is the fix I've used on at least a dozen machines where the error showed up in Event Viewer under Crypt32 source.
3. Third-Party Security Software Interference
Overzealous antivirus suites—especially McAfee, Symantec, and some ESET versions—can intercept the crypto API and inject broken encoding rules. The error usually appears when you try to sign a file or validate a certificate.
Fix: Disable Real-Time Scanning Temporarily
Don't uninstall yet. Just disable the real-time protection, recreate the operation, and see if the error vanishes.
- For McAfee: Disable "Real-Time Scanning" from the system tray icon.
- For Symantec Endpoint Protection: Turn off "Auto-Protect".
- For Windows Defender (if you're using it): This is rarely the culprit, but try
in PowerShell as Admin.Set-MpPreference -DisableRealtimeMonitoring $true
If the error goes away, you need to add an exclusion for your crypto operations or update the AV's rules. If it doesn't, re-enable protection and move on.
Quick-Reference Summary
| Cause | Symptom | Fix | Time |
|---|---|---|---|
| Corrupted system files | Error after update or security tool | DISM + SFC | 30 min |
| Bad registry rule | Error on specific OID operations | Delete subkey under EncodingType 0x404 | 10 min |
| Third-party AV interference | Error on signing/cert validation | Disable real-time scanning temporarily | 5 min |
Start with the DISM/SFC scan—that fixes the majority of cases. If you're still stuck, check the registry and then the AV. I've seen this error vanish after just deleting a stray registry key that had been lingering since a botched Group Policy update.
Was this solution helpful?