RPC_NT_INVALID_TAG 0xC0020022 Fix – Tag Invalid Error
This RPC error usually means a service or app sent a malformed RPC call. Here's the real fix—check your DCOM settings and registry.
Yeah, 0xC0020022 is one of those errors that makes you want to throw a keyboard. I've seen it pop up in everything from legacy COM+ apps to modern SQL Server clusters. But here's the thing—it's almost always a DCOM authentication level mismatch or a corrupted registry entry.
The Quick Fix
Don't bother reinstalling the app or running SFC. The culprit here is almost always the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole key. Specifically, the DefaultAuthenticationLevel value.
Open Regedit and navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
Look for a DWORD called DefaultAuthenticationLevel. If it's set to anything other than 1 (None) or 2 (Connect), that's your problem. The RPC stack expects a valid authentication tag, and this value tells DCOM what level to use. A misconfiguration here causes the "tag is invalid" error.
Change it to 2 (decimal) if you need some security, or 1 if you're in a closed environment and just want it working. Reboot the server or restart the RPC service:
net stop RpcSs && net start RpcSs
Test your app again. 9 times out of 10, that's it.
If That Didn't Work
Check the DefaultAccessPermission and MachineLaunchRestriction keys in the same Ole path. Sometimes the ACL gets corrupted—maybe from a bad Group Policy push or a manual regedit that went sideways. Export the key first, then delete both values and let Windows recreate them on reboot.
Also check the event log under Application and Services Logs > Microsoft > Windows > DistributedCOM. Look for event ID 1007 or 1008. Those will tell you exactly which COM+ application is choking.
Why This Happens
The error code 0xC0020022 maps to RPC_NT_INVALID_TAG, which literally means the RPC runtime received a packet with a tag field that doesn't match any valid operation. Think of it like a shipping label with the wrong address—the package gets rejected.
In practice, this happens when a client and server have mismatched authentication levels. If the client sends a packet with a tag for Connect-level auth but the server expects None, the server tosses the packet and returns this error. Common triggers: updating from Windows Server 2012 R2 to 2019 without adjusting DCOM settings, or rolling out a security policy that changes authentication defaults.
Less Common Variations
Sometimes the issue is specific to a single app's DCOM configuration. Open Component Services (dcomcnfg.exe), drill into Component Services > Computers > My Computer > DCOM Config, and find the app throwing the error. Right-click it, go to Properties > Security, and make sure the Launch and Activation Permissions match the system-wide defaults.
Another variation: if you're using Windows Server 2008 R2 or older, check the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{your-app-guid} key. A missing or broken AppID value causes the same error. Compare it to a working server's registry if you can.
I've also seen this on clustered SQL Server instances where the SQL Server Browser service isn't running. The RPC endpoint mapper can't find the right port, so it throws the invalid tag. Start the Browser service and set it to Automatic.
Prevention
Stop blindly changing DCOM settings on production boxes. Use Group Policy to lock down the Ole key only for machines that need it. Document every regedit change in your change log—you'll thank me later.
Before you patch or upgrade a server, export the entire HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole key. That way you can roll back if the new security baseline breaks your COM+ apps.
And for the love of all that is holy, test authentication level changes in a lab first. I've seen a single wrong registry value take down an entire ERP system for a day.
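One way to script the export-before-change and compare-afterwards steps described above, as an added PowerShell example that is not part of the original article. The function names and the C:\Temp\ole-baseline output folder are hypothetical; the key and value names are the ones this page mentions, and a value that does not exist on the machine is reported as absent rather than treated as an error.

```powershell
# Added example: snapshot and drift check for the DCOM Ole key discussed above.
# Read-only against the registry; writes only to $OutDir (hypothetical path).
$OleKey  = 'HKLM:\SOFTWARE\Microsoft\Ole'
$Watched = 'DefaultAuthenticationLevel', 'DefaultAccessPermission', 'MachineLaunchRestriction'

function Get-OleSnapshot {
    # One object per watched value; binary ACLs are rendered as hex so they compare as text.
    $key = Get-Item -LiteralPath $OleKey
    foreach ($name in $Watched) {
        $present = $key.GetValueNames() -contains $name
        $raw     = if ($present) { $key.GetValue($name) } else { $null }
        [pscustomobject]@{
            Name    = $name
            Present = $present
            Kind    = if ($present) { $key.GetValueKind($name).ToString() } else { '' }
            Data    = if ($raw -is [byte[]]) { [BitConverter]::ToString($raw) } else { "$raw" }
        }
    }
}

function Save-OleBaseline {
    param([string]$OutDir = 'C:\Temp\ole-baseline')
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    # Full .reg export for rollback, plus a JSON snapshot for later comparison.
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Ole' (Join-Path $OutDir "Ole-$stamp.reg") /y | Out-Null
    $json = Join-Path $OutDir "Ole-$stamp.json"
    Get-OleSnapshot | ConvertTo-Json | Set-Content -LiteralPath $json -Encoding UTF8
    $json   # return the snapshot path for Compare-OleBaseline
}

function Compare-OleBaseline {
    param([Parameter(Mandatory)][string]$BaselineJson)
    $before = Get-Content -LiteralPath $BaselineJson -Raw | ConvertFrom-Json
    $after  = Get-OleSnapshot
    foreach ($b in $before) {
        $a = $after | Where-Object Name -eq $b.Name
        # Report a value that appeared, disappeared, or changed since the baseline.
        if ($a.Present -ne $b.Present -or $a.Data -ne $b.Data) {
            [pscustomobject]@{ Name = $b.Name; Before = $b.Data; After = $a.Data
                               WasPresent = $b.Present; IsPresent = $a.Present }
        }
    }
}
```

Run Save-OleBaseline from an elevated prompt before a patch or policy change, then pass the returned path to Compare-OleBaseline afterwards; no output means the three values are unchanged.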