STATUS_BAD_DESCRIPTOR_FORMAT (0xC00000E7) Fix: Security Descriptor Format Error
This error means Windows can't read a security descriptor because it's in the wrong format. Happens with corrupt permissions, bad registry keys, or third-party security tools.
Quick answer: Run icacls * /t /reset in an elevated command prompt, then check wevtutil.exe or restore from a known-good backup of the affected folder or registry key.
I first ran into STATUS_BAD_DESCRIPTOR_FORMAT (0xC00000E7) on a client's Windows 10 machine that had a third-party antivirus uninstall go sideways. The error popped up every time they tried to open a shared folder or even launch the Event Viewer. It's a kernel-level error that means Windows encountered a security descriptor — that's the binary structure that defines who can access what — that's not in either absolute or self-relative format. Think of it like a PDF that's half Word document: the parser just gives up.
This usually happens after a failed software install, a rushed registry edit, or a corrupt user profile. I've also seen it after someone used a dodgy script that tried to bulk-change permissions and wrote garbage SDDL data instead of valid entries. The most common symptom? You get the error when trying to access a specific folder, a registry key, or a printer queue. One client couldn't log into their domain profile at all — the NTUSER.DAT file had a corrupt security descriptor.
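To make the "binary structure" concrete, here is an added example (not from the original article, and not the kernel's own validation): a Python structural check for a self-relative security descriptor blob, following the documented SECURITY_DESCRIPTOR_RELATIVE, SID and ACL layouts. The function names and the sample bytes are constructed for illustration.

```python
import struct

SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000

def _sid_errors(buf, off, name):
    # SID: revision(1) sub_authority_count(1) authority(6) sub_authorities(4 each)
    if off + 8 > len(buf):
        return [f"{name}: SID header past end of buffer"]
    rev, count = buf[off], buf[off + 1]
    if rev != 1 or count > 15 or off + 8 + 4 * count > len(buf):
        return [f"{name}: bad SID (revision {rev}, {count} sub-authorities)"]
    return []

def _acl_errors(buf, off, name):
    # ACL: revision(1) sbz(1) size(2) ace_count(2) sbz(2), followed by the ACEs
    if off + 8 > len(buf):
        return [f"{name}: ACL header past end of buffer"]
    rev, _, size, count, _ = struct.unpack_from("<BBHHH", buf, off)
    if not 2 <= rev <= 4 or size < 8 or off + size > len(buf):
        return [f"{name}: bad ACL (revision {rev}, size {size})"]
    pos, end = off + 8, off + size
    for i in range(count):  # ACE header: type(1) flags(1) size(2)
        ace_size = struct.unpack_from("<H", buf, pos + 2)[0] if pos + 4 <= end else 0
        if ace_size < 4 or pos + ace_size > end:
            return [f"{name}: ACE {i} overruns the ACL"]
        pos += ace_size
    return []

def check_self_relative_sd(buf):
    """Return structural problems found in a self-relative descriptor ([] = none)."""
    if len(buf) < 20:
        return ["shorter than the 20-byte header"]
    rev, _, control, owner, group, sacl, dacl = struct.unpack_from("<BBHIIII", buf)
    errs = [] if rev == 1 else [f"descriptor revision {rev}, expected 1"]
    if not control & SE_SELF_RELATIVE:
        return errs + ["SE_SELF_RELATIVE clear: absolute format, fields are pointers"]
    parts = [("owner", owner, _sid_errors), ("group", group, _sid_errors)]
    if control & SE_SACL_PRESENT:
        parts.append(("SACL", sacl, _acl_errors))
    if control & SE_DACL_PRESENT:
        parts.append(("DACL", dacl, _acl_errors))
    for name, off, check in parts:
        if off:  # offset 0 means the component is absent (NULL)
            errs += [f"{name}: offset {off} inside header"] if off < 20 else check(buf, off, name)
    return errs

# Constructed sample: owner/group S-1-5-32-544, DACL with one access-allowed ACE.
_BA = bytes.fromhex("01020000000000052000000020020000")
_DACL = struct.pack("<BBHHH", 2, 0, 32, 1, 0) + struct.pack("<BBHI", 0, 0, 24, 0x1F01FF) + _BA
SAMPLE_OK = struct.pack("<BBHIIII", 1, 0, 0x8004, 20, 36, 0, 52) + _BA + _BA + _DACL
```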
Fix Steps
- Identify the target. The error message usually tells you which file, folder, or registry key is the culprit. If it's vague, use Process Monitor (Procmon) from Sysinternals to filter by the error code. I've saved hours this way.
- Open an elevated command prompt. Right-click Start, choose Command Prompt (Admin) or Windows Terminal (Admin).
- Reset permissions on the affected item. If it's a folder, run:
      icacls "C:\Path\To\Folder" /t /reset
  The /t flag applies to all subfolders. The /reset flag replaces all ACLs with the default inherited permissions.
- If it's a registry key, you'll need to use subinacl or the built-in regini tool. Honestly, subinacl is more reliable. Download it from Microsoft's site (it's old but works), then run:
      subinacl /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\YourKey" /setowner=Administrators
  Then reset the key's permissions via regedit: right-click the key, go to Permissions, and set it to inherit from parent.
- Reboot. Some security descriptor changes only take effect after a restart. Especially if the target is a service or driver.
Alternative Fixes
If the main fix doesn't work, try these:
- System Restore. Roll back to a point before the error started. This undoes any corrupt descriptor changes. Had a client whose Windows Store apps all crashed with this error — one restore point later, everything worked.
- SFC and DISM. Corrupt system files can cause this. Run sfc /scannow first, then DISM /Online /Cleanup-Image /RestoreHealth.
- Use a live Linux USB to back up data. If the error prevents you from accessing your user folder, boot from a Linux USB, mount the drive, and copy your files out. Then nuke the user profile from Windows and recreate it.
- Delete and recreate the affected object. If it's a file or folder, move it out, delete it, then put it back. The new object will inherit correct default permissions.
Prevention Tips
- Never manually edit security descriptors with a hex editor. I know it's tempting, but one wrong byte and you're here.
- Use Group Policy or PowerShell scripts to manage permissions instead of raw SDDL strings — they validate the format before applying.
- Keep backups. I use Veeam Agent for Windows — does file-level backups that include security descriptors. Saved my butt when a domain controller had this error on the Sysvol share.
- Avoid third-party security tools that replace the Windows Security Manager. Several AV products have caused this exact error by injecting their own descriptor handlers.
One last thing: if you see this error on a domain controller, check the Sysvol replication status immediately. A corrupt NTDS permissions descriptor can take down the whole domain. Run dcdiag /test:sysvolcheck and repadmin /syncall to rule that out.