
NTE_SIGNATURE_FILE_BAD (0x8009001C) Fix: Corrupt Digital Signature

Cybersecurity & Malware | Intermediate | Jun 8, 2026

This error means Windows can't load a key or signature file it needs in order to create or check a digital signature. The fix: clear the damaged key file out of the CNG software key store (the files under C:\ProgramData\Microsoft\Crypto\Keys that the CNG Key Isolation service serves) and re-import the signing key from a PFX backup.

Quick answer for pros

Stop the CNG Key Isolation service (KeyIso), back up C:\ProgramData\Microsoft\Crypto\Keys, remove the damaged key file (or, if you can't tell which one it is, the folder's contents), start the service again, then re-import the signing certificate from its PFX. Two things to know before you type anything: that folder holds the private key of every machine-scoped CNG certificate on the box (RDP, IIS, service and agent certificates included), so clearing it takes all of them with it; and deleting a key file destroys that private key, so a PFX backup is not optional. Keys for certificates in the current user's store live under %APPDATA%\Microsoft\Crypto\Keys instead. Don’t skip the backup step below.

What’s actually happening here

This error popped up for me on a Windows 11 23H2 machine after a failed BitLocker recovery. The machine had been signing PowerShell scripts with a self-signed certificate for internal tooling. The digital signature file—stored by the CNG (Cryptography Next Generation) subsystem—got corrupted during a forced reboot. The OS can’t parse the file, so any operation that has to load that key, or the provider that owns it, fails with 0x8009001C. You’ll see it in Event Viewer (the CAPI2 Operational log records certificate and signature failures) or get it directly from tools like signtool.exe or certutil. Self-signed versus CA-issued makes no difference to the key file itself; what matters is that the key lives in the on-disk store of the Microsoft Software Key Storage Provider, and a half-written key file is exactly what a hard shutdown or disk corruption leaves behind. Note that the ProgramData path holds machine-scoped keys only; keys for certificates in the current user's store are under %APPDATA%\Microsoft\Crypto\Keys.

I know this error is infuriating because it can block deployments, driver installs, and even Windows Update. But the fix is straightforward once you know where the corrupt data lives.

Step-by-step fix

  1. Back up the CNG keys folder. Open an admin PowerShell and run:
    Copy-Item -Path "C:\ProgramData\Microsoft\Crypto\Keys" -Destination "C:\ProgramData\Microsoft\Crypto\Keys_Backup" -Recurse
    This saves the key files in case something goes wrong. Copy-Item does not carry over the per-file ACLs that restrict each key to its owner, so a key restored from this copy may need its permissions fixed before its service can use it again; a copy made with robocopy and /COPYALL keeps them.
  2. Stop the CNG Key Isolation service. Run:
    Stop-Service -Name "KeyIso" -Force
  3. Delete the corrupt key file. If certutil -store My still reports a "Unique container name" for the affected certificate, that name is the file to remove from the Keys folder; delete only that file. If you can't identify it, clear the folder, knowing that this destroys every machine-scoped CNG key on the system (RDP, IIS and agent certificates included), all of which will then need re-enrolling or re-importing:
    Remove-Item -Path "C:\ProgramData\Microsoft\Crypto\Keys\*" -Recurse -Force
    Don’t delete the folder itself—just its contents.
  4. Restart the service:
    Start-Service -Name "KeyIso"
  5. Re-import your certificate. Deleting the key file destroyed the private key, so a certificate still listed in the store is now just a public certificate. If you used a self-signed cert before, generate a new one and import it into the machine's Personal store. If it was a CA-issued cert, re-import the PFX into the machine's Personal store. The key does not need to be exportable for signing; leave -p off so certutil prompts for the password instead of leaving it in shell history, and add the NoExport modifier unless you will need to export the key again later:
    certutil -importPFX "C:\path\to\cert.pfx" NoExport
  6. Test the signature. Try signing a file again with signtool sign /fd SHA256 /a "C:\path\to\file.exe" (/a picks the first suitable code-signing certificate; use /sha1 <thumbprint> to pin a specific one). The error should be gone.
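The six steps above, as one script. This is an added example and not code from the original post; the script name Repair-SigningKeyStore.ps1 and its parameters are my own. It assumes the signing certificate is in Cert:\LocalMachine\My with its key in the Microsoft Software Key Storage Provider, whose machine key files live under C:\ProgramData\Microsoft\Crypto\Keys and are named by the key's CNG UniqueName (the "Unique container name" certutil shows). Instead of wiping the folder, it first confirms that the signing key really fails with 0x8009001C, maps every machine certificate whose key still opens to its file, and then only moves the files no healthy certificate claims into a quarantine folder next to a robocopy backup that keeps the ACLs. Unclaimed is not the same as corrupt (keys of software that keeps no certificate in the store also show up there), which is why the script moves rather than deletes, and does nothing at all unless you pass -Quarantine.

```powershell
#Requires -RunAsAdministrator
# Repair-SigningKeyStore.ps1 (hypothetical name). Added example, not code from the
# original post. Assumes the signing certificate sits in Cert:\LocalMachine\My with
# its key in the Microsoft Software Key Storage Provider, whose machine key files
# live under C:\ProgramData\Microsoft\Crypto\Keys and are named by the key's CNG
# UniqueName. Report-only unless -Quarantine is given.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$Thumbprint,  # SHA-1 thumbprint of the signing certificate
    [string]$PfxPath,                            # optional PFX backup to re-import once the store is clean
    [switch]$Quarantine                          # move unclaimed key files instead of only listing them
)
$ErrorActionPreference = 'Stop'
$keyDir = 'C:\ProgramData\Microsoft\Crypto\Keys'
$backup = 'C:\ProgramData\Microsoft\Crypto\Keys_Backup_' + (Get-Date -Format 'yyyyMMdd-HHmmss')
$NTE_SIGNATURE_FILE_BAD = 0x8009001C

function Format-HResult([int]$HResult) { '0x{0:X8}' -f ($HResult -band 0xFFFFFFFF) }

# Try to open a certificate's private key through CNG. UniqueName is the key file name for
# CNG software keys (RSACng/ECDsaCng); legacy CAPI keys are stored elsewhere and get $null.
function Test-CertKey {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if (-not $key) {
            $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert)
        }
        $unique = $null
        if ($key -is [System.Security.Cryptography.RSACng] -or $key -is [System.Security.Cryptography.ECDsaCng]) {
            $unique = $key.Key.UniqueName
        }
        return [pscustomobject]@{ Ok = $true; UniqueName = $unique; HResult = 0 }
    } catch {
        # PowerShell wraps the CryptographicException; the real HRESULT is on the inner exception.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        return [pscustomobject]@{ Ok = $false; UniqueName = $null; HResult = $ex.HResult }
    }
}

# 1. Confirm that the signing key is the one failing, and that it fails with 0x8009001C.
$probe = Test-CertKey (Get-Item "Cert:\LocalMachine\My\$Thumbprint")
if ($probe.Ok) {
    Write-Host "Key for $Thumbprint opens fine; 0x8009001C is not coming from this key file."
    return
}
Write-Host ("Opening the signing key failed with HRESULT {0}" -f (Format-HResult $probe.HResult))
if (($probe.HResult -band 0xFFFFFFFF) -ne $NTE_SIGNATURE_FILE_BAD) {
    Write-Warning 'Different error code; clearing the key store is unlikely to help. Stopping.'
    return
}

# 2. Map every machine certificate whose key still opens to its key file, so those are never touched.
#    Leftover files are unclaimed, not necessarily corrupt: keys of software that keeps no certificate
#    in the store end up here too, which is why they are moved rather than deleted.
$healthy = @{}
$broken  = @()
$machineCerts = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and $_.HasPrivateKey }
foreach ($c in $machineCerts) {
    $r = Test-CertKey $c
    if ($r.Ok -and $r.UniqueName) { $healthy[$r.UniqueName] = $c.Thumbprint }
    elseif (-not $r.Ok) { $broken += ('{0} ({1})' -f $c.Thumbprint, (Format-HResult $r.HResult)) }
}
$unclaimed = @(Get-ChildItem -Path $keyDir -File -Force | Where-Object { -not $healthy.ContainsKey($_.Name) })

Write-Host ("Healthy key files: {0}; certificates whose key will not open: {1}" -f $healthy.Count, $broken.Count)
$broken | ForEach-Object { Write-Host "  broken: $_" }
Write-Host ("Key files not claimed by any openable certificate: {0}" -f $unclaimed.Count)
$unclaimed | ForEach-Object { Write-Host ('  {0}  {1,8} bytes  {2}' -f $_.Name, $_.Length, $_.LastWriteTime) }
if (-not $Quarantine) { Write-Host 'Report only. Re-run with -Quarantine to move the unclaimed files.'; return }

# 3. Back up with ACLs intact (Copy-Item drops the per-key ACLs, and a restored key without its ACL is
#    unusable by its service), then move only the unclaimed files with the key isolation service stopped.
& robocopy.exe $keyDir $backup /E /COPYALL /B /R:1 /W:1 | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
$quarantineDir = Join-Path $backup 'quarantined'
New-Item -ItemType Directory -Path $quarantineDir -Force | Out-Null
Stop-Service -Name KeyIso -Force
try {
    foreach ($f in $unclaimed) { Move-Item -Path $f.FullName -Destination $quarantineDir -Force }
} finally {
    Start-Service -Name KeyIso
}

# 4. Re-import the signing key from the PFX (password prompted, never on the command line; the key is
#    imported non-exportable unless -Exportable is added) and confirm that it opens again.
if ($PfxPath) {
    $pw = Read-Host -Prompt 'PFX password' -AsSecureString
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pw | Out-Null
    $after = Test-CertKey (Get-Item "Cert:\LocalMachine\My\$Thumbprint")
    if ($after.Ok) { Write-Host "Signing key reloaded from $PfxPath; signtool should work again." }
    else { Write-Warning ('Key still fails to open: {0}' -f (Format-HResult $after.HResult)) }
}
```

Run it once without switches (.\Repair-SigningKeyStore.ps1 -Thumbprint <thumbprint>) to see the HRESULT and the list of unclaimed files, then again with -Quarantine -PfxPath C:\path\to\cert.pfx to do the work. Everything moved ends up under the timestamped Keys_Backup_* folder, so a key you later discover a service needed can be moved back with its ACL intact.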

Alternative fixes when the main one doesn’t work

Sometimes clearing the key store doesn’t take. Here’s what else to try:

  • Run the System File Checker. Open cmd as admin and run sfc /scannow. If it finds corruption, it might fix the CNG DLLs (ncrypt.dll, bcrypt.dll). I’ve seen this work after a bad update rollback.
  • Use DISM to check the component store. DISM /Online /Cleanup-Image /RestoreHealth can fix underlying system file issues that cause the key store to corrupt repeatedly.
  • Re-import or replace your signing certificate. Corrupt CNG key files can’t be repaired; the key has to come back from a backup or be replaced. If you have a PFX, re-import it. If you don’t and it was a third-party code signing cert (DigiCert, Sectigo and the like), ask the CA to re-key or reissue it, and revoke the old certificate only if you cannot rule out that the key was exposed rather than merely lost, since revocation can also invalidate signatures you have already shipped.
  • Switch to a different key storage provider. If the Microsoft Software Key Storage Provider keeps failing, generate the new self-signed cert against a legacy CAPI provider instead; those keep their keys under C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys (machine store) or in the user profile, not in the CNG Keys folder. Pick "Microsoft Enhanced RSA and AES Cryptographic Provider" rather than "Microsoft Strong Cryptographic Provider": the older CSPs can’t sign with SHA-256, so signtool sign /fd SHA256 fails with 0x80090008 (NTE_BAD_ALGID, "Invalid algorithm specified"). A code-signing key under CAPI should be created with -KeySpec Signature, and -KeyExportPolicy Exportable is only needed if you intend to export a PFX backup later:
    New-SelfSignedCertificate -Subject "CN=TestSigning" -CertStoreLocation Cert:\LocalMachine\My -KeySpec Signature -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3") -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"

Preventing this from happening again

This error usually follows a forced shutdown or disk space exhaustion. To avoid it in the future:

  • Never hard reset a machine while signing operations are running. If a signing or certificate dialog is open, let it finish first.
  • Monitor disk space on the system drive. The CNG keys folder is small, but a key file written while the disk is full or the power drops can be left truncated. Keep at least 10% free space.
  • Export your private keys regularly. Run certutil -exportPFX on each signing cert right after creation (the key must have been created exportable for this to work) and store the PFX files, protected with a strong password, in a backup location that is not on the same disk. That way you can re-import without regenerating or re-keying.
  • Consider hardware-backed keys. A USB token or HSM keeps the private key off the host filesystem entirely, so there is no key file to corrupt or to steal; a TPM-bound key (Microsoft Platform Crypto Provider) still leaves a wrapped blob on disk, but the key itself can only ever be used on that TPM. It’s overkill for occasional use, but for CI/CD pipelines it’s worth the investment.
