STATUS_FWP_ZERO_LENGTH_ARRAY (0XC0220022) fix
Windows Filtering Platform error when a rule array is empty. Usually caused by corrupted firewall rules or third-party security software.
Quick Answer
netsh wfp show state then netsh advfirewall reset — that's the nuclear fix. But first understand what's actually happening.
What's Actually Happening Here
STATUS_FWP_ZERO_LENGTH_ARRAY (0xC0220022) means the Windows Filtering Platform received an array that must contain at least one element — like a list of rules — but the array was empty. The WFP engine expects, for example, a filter condition array with at least one condition. When it gets zero, it throws this error. You'll see this in applications that interact with the firewall programmatically: VPN clients (like Cisco AnyConnect or OpenVPN), security suites (Malwarebytes, Norton), or even Windows Update itself. The trigger is usually a botched uninstall of third-party firewall software that leaves half-removed rules, or a registry cleaner that nuked essential WFP data. The real fix is to reset the entire WFP state and restore the default firewall policy.
Fix Steps
- Open an elevated Command Prompt. Press Win + X, select "Windows Terminal (Admin)" or "Command Prompt (Admin)". Don't skip the admin part — this won't work otherwise.
- Check WFP state for corruption. Run
netsh wfp show state. This dumps the entire WFP state to a file (wfpstate.xmlin your current directory). The dump itself might fail if the corruption is severe — that's a strong sign. If it succeeds, open the XML and search forZeroLengthArrayor0xC0220022to confirm the error's origin. - Reset the Windows Firewall to defaults. Run
netsh advfirewall reset. This removes all custom rules and restores the default policy. It's aggressive but necessary — partial fixes rarely work here because the WFP state is a single monolithic blob. - Reset Winsock and WFP. Run
netsh winsock reset catalogthennetsh int ip reset reset.log. These two commands rebuild the Winsock catalog and TCP/IP stack. Winsock and WFP are separate subsystems, but they share low-level network drivers — resetting both avoids a heisenbug where WFP works but specific apps still crash. - Reboot. The WFP driver (
FWPKCLNT.SYS) reloads the state from the registry on boot. A cold restart ensures the clean state is picked up. Soft reboot (Fast Startup) doesn't reload the driver — hold Shift while clicking Restart to bypass Fast Startup.
If the Main Fix Fails
Run sfc /scannow then DISM /Online /Cleanup-Image /RestoreHealth before trying anything else. Corrupted system files can prevent WFP from loading the default rules. If that still fails:
- Uninstall third-party security software completely — use the vendor's official removal tool, not just Add/Remove Programs. For example, Malwarebytes has
mb-support-1.9.0.1272.exe; Norton hasNorton Removal Tool. These leave registry keys WFP hates. - Check for a VPN or proxy that injects WFP filters. If you use a VPN like WireGuard or OpenVPN, disconnect and uninstall it temporarily. Some VPNs leave shims in WFP that produce zero-length arrays when the service is stopped but the shim remains.
- Repair install Windows (in-place upgrade) using the Media Creation Tool. This replaces the WFP core driver without wiping apps. I've seen this fix stubborn cases where the registry itself has corrupted WFP keys.
Prevention Tip
Never run registry cleaners (CCleaner's registry cleaner, Wise Registry Cleaner, etc.) on Windows 10 or 11. They frequently strip WFP-related registry entries under HKLM\SYSTEM\CurrentControlSet\Services\FwLwFj (yes, that's the real key name) because they look "empty" or "invalid" to the cleaner. Also, when uninstalling firewalls, always reboot before installing a different one — the previous firewall's kernel-mode driver might still be loaded and its WFP callouts linger.
Was this solution helpful?