STATUS_TOO_MANY_LUIDS_REQUESTED (0XC0000074) Fix — LUID Allocation Limit Hit

You'll hit error code 0XC0000074 — STATUS_TOO_MANY_LUIDS_REQUESTED — when a program tries to allocate more locally unique identifiers (LUIDs) than Windows can assign in a single call. This usually happens in security infrastructure: LSASS, a service talking to Active Directory, or a custom app that's building a massive access control list (ACL). The exact message reads: "The number of LUIDs requested cannot be allocated with a single allocation."

What's actually happening here

Every LUID is a 64-bit value Windows uses to identify things like logon sessions, privileges in an access token, or system resources. The kernel gives them out from a per-machine pool. The limit per allocation call is 64 LUIDs. If your code or a driver asks for more than that in one shot, you get this error. It's not a system-wide shortage — it's the request size that's the problem.

The trigger is almost always a poorly written driver, a misbehaving security product (antivirus, firewall, endpoint protection), or a service that generates huge security descriptors. I've seen it most often on Windows Server 2019/2022 during domain controller operations where a third-party tool tries to assign privileges to hundreds of groups at once.

The fix

1. Identify the offending process — Check Event Viewer under Windows Logs > System. Look for event ID 0xC0000074 or source "LSA" (Local Security Authority). The log usually names the process that made the failing call. If you can't find it, use Procmon from Sysinternals with a filter for Result is BUFFER OVERFLOW or STATUS_TOO_MANY_LUIDS_REQUESTED. Record the process name and PID.
2. Update or remove the offending software — If it's a third-party driver or security suite, check the vendor's support site for an update that limits LUID requests. In most cases, this is a bug in their code — they're calling AllocateLocallyUniqueId in a loop and batching too many requests. Uninstall the software temporarily to confirm the error stops. If it does, you've found your culprit.
3. Adjust LUID pool size (advanced, registry tweak) — Windows does not expose a direct UI for LUID pool limits, but you can increase the maximum number of LUIDs the kernel can allocate in one burst. Only do this if you cannot fix the app. Open regedit and go to:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

   Create a DWORD (32-bit) value named LuidAllocationLimit. Set it to a decimal value between 64 and 512. The default is 64. I'd start with 128 — doubling it is safe. Reboot for the change to take effect.
4. Check for driver conflicts — Use driverquery /v in an admin command prompt to list all drivers. Look for any unsigned or out-of-date drivers, especially from security software. Update them or disable them one at a time to narrow down the problem. A bad NDIS filter driver (common with VPNs) is a frequent cause.
5. Rebuild the security descriptor cache — Some services cache large ACLs that exhaust LUIDs. Run secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose to reset local security policy to defaults. This clears any corrupted or oversized security descriptors. Reboot after.

If it still fails

If the error persists after removing third-party software and resetting security policy, you're likely looking at a kernel-mode driver issue that a normal uninstall doesn't clean up. Run verifier.exe (Driver Verifier) on the offending driver — it will stress-test the driver and may catch the exact API call pattern causing the overflow. Enable only the "Special pool" and "Force IRQL checking" options to avoid false positives. If Driver Verifier blue-screens your machine, you've found the driver. Remove it via pnputil /delete-driver or in Safe Mode.

One more thing: on Windows Server systems with many RDP sessions, each session gets LUIDs for its logon session. If you're running terminal services with thousands of sessions, the system can legitimately run out of LUIDs across the whole pool. In that case, the registry tweak in step 3 is your only option — and you may need to set it to 512. Test after each increment.