Fix TRUST_E_NO_SIGNER_CERT (0X80096002) fast

Quick answer for advanced users: Run DISM /Online /Cleanup-Image /RestoreHealth then sfc /scannow in an elevated Command Prompt. If that doesn't stick, manually replace %windir%\System32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb with a clean copy from a working system.

What actually triggers 0X80096002

You'll see this error when Windows tries to verify a file's digital signature but can't find or trust the signer's certificate. I've seen it most often during Windows Update—specifically when installing cumulative updates on Windows 10 22H2 or Windows 11 23H2. Also pops up when you run signtool verify on a signed executable that's been tampered with.

The core issue: Windows keeps a catalog of trusted certificates in the CatRoot2 folder. If that catalog gets corrupted—maybe from a bad disk sector, a botched uninstall, or a third-party cleaner nuking files it shouldn't—the signature check fails with this error. Last month I had a client whose HP printer driver installer threw this exact code. Took me 10 minutes to fix with DISM.

Fix steps: The order matters

1. Boot into safe mode with networking. Press F8 during startup or hold Shift while clicking Restart. This stops third-party software from interfering.
2. Open Command Prompt as administrator. Search for "cmd", right-click, select "Run as administrator".
3. Run DISM first. Type:

   DISM /Online /Cleanup-Image /RestoreHealth

   This repairs the component store—the foundation for all system file checks. Let it finish. Takes 5-15 minutes depending on your disk speed.
4. Then run SFC. Type:

   sfc /scannow

   This checks and replaces corrupted system files. Don't skip DISM first—SFC won't fix everything if the store is broken.
5. Reboot and test. Try whatever triggered the error. If it's gone, you're done.

When DISM+SFC don't work: Manual catalog replacement

If the error persists (happens about 10% of the time), the CatRoot2 catalog is too far gone. Here's the nuclear option:

1. Find a working Windows PC with the same version (e.g., Windows 11 23H2).
2. On that PC, copy the entire folder C:\Windows\System32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} to a USB drive.
3. On your broken PC, rename the existing folder to CatRoot2.old (don't delete it).
4. Copy the good folder from USB into C:\Windows\System32\CatRoot2\.
5. Reboot. Windows will rebuild the catalog. Run Windows Update again.

Caveat: This only works if both systems are on the exact same build number. Use winver to check. If they don't match, you'll cause more errors.

Alternative fix: SFC from installation media

If you can't boot into Windows normally, use the Recovery Environment:

1. Boot from a Windows installation USB or DVD.
2. On the setup screen, click "Repair your computer" → "Troubleshoot" → "Command Prompt".
3. Run:

   sfc /scannow /offbootdir=C:\ /offwindir=C:\Windows

   Replace C: with the actual drive letter of your Windows partition (might be D: in WinRE).
4. This bypasses the need for the current system to be running.

Prevention: Stop cleaners from nuking your catalog

The number one cause I see? Third-party registry cleaners and disk cleanup tools that delete catdb files thinking they're junk. They're not. Set these ground rules:

• Never use "cleaner" apps that promise to fix Windows—CCleaner's registry cleaner is notorious for this.
• If you must use Disk Cleanup, uncheck "Delivery Optimization Files"—those contain update catalogs.
• For IT pros: add %windir%\System32\CatRoot2 to your file integrity monitoring tool's exclusions list.

One more thing: if the error shows up only for a specific signed executable (like a driver installer), that file might genuinely have an invalid or revoked certificate. Download it fresh from the vendor's site—don't trust a cached copy.