STATUS_FWP_SUBLAYER_NOT_FOUND (0XC0220007) Fix That Actually Works
This Windows Filtering Platform error pops up when a firewall sublayer is missing—usually after a VPN or security tool borks its uninstall. Here's the direct fix.
I know seeing 0XC0220007 is maddening
It usually pops up when you're trying to manage firewall rules, start a VPN, or run a security app—and suddenly Windows tells you a sublayer doesn't exist. The fix is straightforward once you know what's broken.
The real fix: Reset the Windows Filtering Platform
Eight times out of ten, a corrupted sublayer registry entry is the culprit. Here's how to clear it out.
Step 1: Open an elevated command prompt
Press Win + X and choose Windows Terminal (Admin) or Command Prompt (Admin). If you're on a corporate machine, you might need to run it from a standard CMD as admin—PowerShell works too, but these commands are cmd-native.
Step 2: Reset the WFP state
Run these commands in order. The first one is the heavy lifter:
netsh wfp set options = "reset"
You'll see a brief confirmation message. Then:
netsh wfp show state
This just verifies the reset took. Don't worry about the output—if it runs without error, you're good. Now restart your machine.
Step 3: Delete the orphaned sublayer entry (if the reset didn't help)
If the error persists, that sublayer entry is stuck in the registry. Open Registry Editor (Win + R, type regedit, hit Enter). Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Look for any entry whose value contains sublayer and a GUID that matches the error. A common one is {E8C3B1A1-8A9F-4F2B-9C3D-1A2B3C4D5E6F}—but yours will be different. Right-click the offending key and delete it. Don't delete everything—just the one tied to the missing sublayer. Export a backup first if you're nervous.
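A read-only pre-check for Step 3, added here as an example and not part of the original article: it exports a backup of the FirewallRules key, lists the values that mention a given sublayer GUID, and checks whether that GUID is defined in the live WFP state. The placeholder GUID, the scratch folder and the wfpstate.xml element names (subLayers/item/subLayerKey) are assumptions.

```powershell
# Added example (not from the article): read-only triage before the Step 3 registry edit.
# Run in an elevated PowerShell session. Nothing here deletes or modifies the registry.
$SubLayerGuid = '{00000000-0000-0000-0000-000000000000}'  # placeholder: use the GUID from your own error
$OutDir       = Join-Path $env:TEMP 'wfp-triage'           # assumed scratch folder
$sub = 'SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Export a backup of the key so a wrong deletion can be re-imported.
$backup = Join-Path $OutDir 'FirewallRules-backup.reg'
reg.exe export "HKLM\$sub" $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg export failed (not elevated, or key missing).' }

# 2. List the values whose data mentions the GUID (case-insensitive match).
$key  = Get-Item -LiteralPath "HKLM:\$sub"
$hits = @(foreach ($name in $key.GetValueNames()) {
    $data = [string]$key.GetValue($name)
    if ($data.IndexOf($SubLayerGuid, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        [pscustomobject]@{ ValueName = $name; Data = $data }
    }
})

# 3. Dump the live WFP state; with no file argument netsh writes wfpstate.xml
#    into the current directory.
Push-Location $OutDir
try {
    netsh.exe wfp show state | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'netsh wfp show state failed.' }
    [xml]$state = Get-Content -LiteralPath (Join-Path $OutDir 'wfpstate.xml') -Raw
} finally { Pop-Location }

# Assumption: sublayers are listed as subLayers/item/subLayerKey in that file.
$defined = @($state.SelectNodes('//subLayers/item/subLayerKey') |
    ForEach-Object { $_.InnerText })

# Summary first, then the matching registry values for manual review.
[pscustomobject]@{
    Backup                     = $backup
    MatchingRuleValues         = $hits.Count
    SubLayerDefinedInLiveState = ($defined -contains $SubLayerGuid)
    SubLayersInLiveState       = $defined.Count
}
$hits | Format-List
```

If a value matches while SubLayerDefinedInLiveState is False, that value is the candidate for the manual deletion described above; the exported .reg file restores the key if the wrong entry is removed.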
Why this works
The Windows Filtering Platform stores sublayer definitions in both the registry and a kernel-level database. When an app (say, a VPN like NordVPN or a firewall like Comodo) uninstalls poorly, it leaves its sublayer entry orphaned. The system tries to reference it, finds nothing, and throws 0XC0220007. The netsh wfp set options = "reset" command flushes that kernel database and forces Windows to rebuild it from scratch—using only the sublayers that still have valid backing entries. If the registry still has a ghost entry, deleting it manually stops the error because the system no longer looks for that missing sublayer.
I've seen this exact mistake with older versions of Cisco AnyConnect and Palo Alto GlobalProtect. They'd install their own WFP sublayers, and when uninstalled via the standard Windows uninstaller, the sublayer GUID stayed behind. The reset command clears that every time.
Less common variations of this issue
Third-party firewall conflicts
ZoneAlarm and McAfee Personal Firewall are notorious for leaving sublayer entries that conflict with Windows Defender Firewall. If the reset doesn't work, look in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\SubLayer for leftover keys. Delete any that reference the app you removed.
Third-party VPNs that reinstall incorrectly
Sometimes reinstalling the VPN after a proper uninstall fixes the error because the installer recreates the missing sublayer. I've seen OpenVPN GUI do this—uninstall, reboot, reinstall, and the error disappears. Not a clean fix, but it works if you're in a hurry.
Corrupted system protection sublayer
In rare cases, a Windows Update or driver update corrupts a built-in sublayer. Run the System File Checker after the reset: sfc /scannow. If it finds issues, reboot and run it again. Then check DISM: DISM /Online /Cleanup-Image /RestoreHealth. I've had this happen once on a Windows 10 build 1909 after a botched cumulative update.
Prevention: Keep your firewall tools clean
To avoid this in the future, always uninstall security apps through the manufacturer's dedicated removal tool—not just the Windows Add/Remove Programs panel. Cisco offers an anyconnect-macos-4.10.07061-uninstall.sh (or the Windows equivalent with their Cleanup Tool). For ZoneAlarm, use their zac-support-tool.exe. For Comodo, grab the Comodo Internet Security Uninstaller from their site. Also, before installing any software that hooks into the WFP, create a system restore point. That way, a quick rollback undoes any sublayer damage without a full reset.
And one more thing—if you're managing multiple machines, script the netsh wfp set options = "reset" command into your post-uninstall cleanup routine. It's a five-second fix that saves you a lot of headache later.