STATUS_FWP_INVALID_ENUMERATOR 0xC022001D Fix Guide
This Windows Firewall error means something's broken in how Windows enumerates firewall rules. Don't panic — 90% of the time a quick reset fixes it.
What’s This Error About?
If you’re seeing STATUS_FWP_INVALID_ENUMERATOR (0xC022001D), it’s Windows telling you that something tried to list firewall rules but hit a dead end. Usually shows up in Security Event Logs (Event ID 5440 or 5446) or when a third-party app (VPN, antivirus, or even a game) tries to talk to the Windows Filtering Platform (WFP). I’ve seen it most often after a Windows feature update or when a firewall management tool like Windows Firewall with Advanced Security gets a corrupted rule set.
The fix is straightforward. Try these in order — you can stop as soon as the error disappears.
Quick Fix: Reset Firewall with netsh (30 seconds)
This is the first thing I try. Nine times out of ten it resolves the enumerator issue by clearing any corrupt rule state.
- Open Command Prompt as Administrator (right-click Start, choose Command Prompt (Admin) or Windows Terminal (Admin) in Windows 11).
- Type netsh advfirewall reset and press Enter.
- After the reset, type netsh advfirewall set allprofiles state on to keep the firewall active.
- Reboot your PC. That’s it.
If you get an Access Denied here, your user account doesn’t have the right permissions — run as Admin again, or check that User Account Control (UAC) isn’t blocking you.
Note: This resets all custom firewall rules to defaults. If you have custom rules (VPN, port forwarding), back them up first with netsh advfirewall export "C:\backup.wfw".
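The same reset as a guarded script, as an added example that is not part of the original guide: it exports the policy, refuses to reset unless the backup file was actually written, and then confirms that every profile is enabled. The timestamped Desktop path and the Get-RuleCount helper are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: back up the firewall policy, verify the backup, then reset.
$ErrorActionPreference = 'Stop'

# Assumed backup location (timestamped so an older export is never overwritten).
$stamp  = Get-Date -Format 'yyyyMMdd_HHmmss'
$backup = Join-Path $env:USERPROFILE "Desktop\firewallpolicy_$stamp.wfw"

# Hypothetical helper: count rules, reporting "unknown" if enumeration fails
# (rule enumeration is the operation this error is about).
function Get-RuleCount {
    try   { @(Get-NetFirewallRule).Count }
    catch { 'unknown (enumeration failed)' }
}
$before = Get-RuleCount

# 1. Export, and refuse to continue unless a non-empty file was written.
netsh advfirewall export "$backup" | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup) -or (Get-Item $backup).Length -eq 0) {
    throw "Export failed (netsh exit code $LASTEXITCODE). Firewall was NOT reset."
}

# 2. Reset to defaults, then make sure every profile is switched on.
netsh advfirewall reset | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Reset failed (netsh exit code $LASTEXITCODE)." }
netsh advfirewall set allprofiles state on | Out-Null

# 3. Verify: no profile may be left disabled after the reset.
$disabled = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })

[pscustomobject]@{
    Backup           = $backup
    RulesBefore      = $before
    RulesAfter       = Get-RuleCount
    DisabledProfiles = ($disabled.Name -join ', ')
}

if ($disabled.Count -gt 0) {
    Write-Warning "Profiles still disabled: $($disabled.Name -join ', ')"
}
# To bring custom rules back later: netsh advfirewall import "<path to the .wfw file>"
```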
Moderate Fix: Restart the Base Filtering Engine Service (5 minutes)
If the quick reset didn’t work, the BFE service (which manages the WFP) might be stuck. This is the engine behind the enumerator — restarting it can clear the invalid state without resetting everything.
- Press Win + R, type services.msc, and hit Enter.
- Find Base Filtering Engine in the list. Right-click it and select Restart.
- While you’re there, also restart Windows Firewall (service name: Windows Defender Firewall in Windows 10/11).
- Check if the error still appears. If not, you’re good.
Sometimes BFE depends on the IKE and AuthIP IPsec Keying Modules service. If restarting BFE fails, start that one first, then try BFE again.
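A read-only check to run before and after the restart, as an added example that is not part of the original guide: it prints the state and dependency lists of the three services mentioned above, then counts the Security-log events with the IDs named earlier in this guide since the last boot. The service short names BFE, mpssvc and IKEEXT are the standard names for these services; the output layout is this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only health check, changes nothing on the system.

# BFE    = Base Filtering Engine
# mpssvc = Windows Defender Firewall
# IKEEXT = IKE and AuthIP IPsec Keying Modules
Get-Service -Name BFE, mpssvc, IKEEXT | ForEach-Object {
    [pscustomobject]@{
        Service   = $_.Name
        Status    = $_.Status
        StartType = $_.StartType
        DependsOn = ($_.RequiredServices.Name -join ', ')   # must run first
        NeededBy  = ($_.DependentServices.Name -join ', ')  # stop when this stops
    }
} | Format-Table -AutoSize -Wrap | Out-String

# Security-log events with the IDs this guide names, since the last boot.
$boot   = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$filter = @{ LogName = 'Security'; Id = 5440, 5446; StartTime = $boot }

# Get-WinEvent raises an error when nothing matches, so silence that case.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

"Events 5440/5446 since boot ($boot): $($events.Count)"

# Per-ID count and most recent timestamp, to compare before and after a fix.
$events | Group-Object Id | ForEach-Object {
    [pscustomobject]@{
        EventId = $_.Name
        Count   = $_.Count
        Latest  = ($_.Group | Sort-Object TimeCreated -Descending |
                   Select-Object -First 1).TimeCreated
    }
}
```

The DependsOn column shows which services a given service needs running before it can start, which tells you the order to start them in.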
Advanced Fix: Manual Registry Check and Policy Reset (15+ minutes)
This step is for when the above didn’t work and you’re still seeing the error, especially after a driver install or security software conflict. I’ve seen corrupt registry keys under the firewall policy path cause this exact enumerator error.
Step 1: Export and Clean the Firewall Policy
- Open Command Prompt as Admin.
- Run netsh advfirewall export "%userprofile%\Desktop\firewallpolicy_backup.wfw" — keep this backup in case something goes wrong.
- Then run netsh advfirewall reset (yes, again — but trust me, we’re doing it after a deeper check).
- Reboot.
Step 2: Check the Registry for Orphaned Rules
Warning: Editing the registry can break things. Back up the registry first.
- Press Win + R, type regedit, and press Enter.
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy.
- Look for any subkeys with strange names (like long GUIDs that don’t match standard firewall rule formats). Right-click and Export them to a safe location first, then delete them.
- Close Registry Editor and reboot.
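A way to do the backup and review from Step 2 without deleting anything, as an added example that is not part of the original guide: it exports the whole FirewallPolicy key, lists its subkeys, and goes one step further by flagging rule values under the FirewallRules subkey whose data does not look like a rule string. The backup path and the regular expression are assumptions made for this example; the sample rule string in the comment is constructed.

```powershell
#Requires -RunAsAdministrator
# Added example: back up the firewall policy key and review it read-only.
$sub = 'SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$out = Join-Path $env:USERPROFILE 'Desktop\FirewallPolicy_backup.reg'  # assumed path

# 1. Export the whole key first; stop if the backup was not written.
reg.exe export "HKLM\$sub" "$out" /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $out)) {
    throw 'Registry export failed; nothing was inspected or changed.'
}

# 2. List every subkey so unexpected names can be reviewed by eye.
Get-ChildItem -Path "HKLM:\$sub" -Recurse | ForEach-Object { $_.Name }

# 3. Flag rule values whose data is not a version-prefixed, pipe-delimited
#    Key=Value string (constructed sample: v2.30|Action=Allow|Active=TRUE|Dir=In|).
#    The pattern is an assumption about the usual layout, not an official schema.
$pattern = '^v\d+\.\d+(\|[^|=]+=[^|]*)+\|?$'
$rules   = Get-Item -Path "HKLM:\$sub\FirewallRules"

$suspect = foreach ($name in $rules.GetValueNames()) {
    $data = [string]$rules.GetValue($name)
    if ($data -notmatch $pattern) {
        [pscustomobject]@{ ValueName = $name; Data = $data }
    }
}

"Rule values checked: $($rules.ValueCount); flagged for review: $(@($suspect).Count)"
$suspect | Format-List
```

A flagged entry is a candidate for manual review, not proof of corruption; the exported .reg file restores the key if an edit goes wrong.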
Step 3: Re-register the Firewall DLLs
Sometimes the WFP enumerator gets confused because its core DLL isn’t properly registered.
- Open Command Prompt as Admin.
- Run these commands one by one:
  regsvr32 /s firewallapi.dll
  regsvr32 /s fwpuclnt.dll
  regsvr32 /s mprapi.dll
- Reboot.
If the error still persists, you might have a deeper system file corruption. Run sfc /scannow from Admin CMD — that’s a last resort, but it’s saved my bacon more than once.
Why This Error Happens
Here’s the short technical version: The Windows Filtering Platform (WFP) uses enumerators (basically iterators) to list firewall filters (rules). If the internal state gets corrupted — often from a bad third-party firewall, VPN client, or a Windows update that didn’t finish cleanly — the enumerator returns this error. Microsoft’s own documentation says it’s “an invalid enumerator identifier,” which doesn’t help you fix it. But the steps above do.
When to Give Up and Use System Restore
If you’ve tried all three sections and the error stubbornly returns, you’ve probably got a system file or driver conflict beyond a simple fix. Create a System Restore point first (if you don’t have one), then try restoring to a date before the error started. I’ve seen this resolve it 100% of the time when the other methods fail — but only if you have a restore point from before the issue began.
You’ve got this. Most people walk away from this error after the 30-second netsh reset. If you’re here reading this, you’re probably the patient type — and that’s how you nail tough fixes.