0xC0000160: STATUS_ILL_FORMED_SERVICE_ENTRY fixed
Boot failure caused by a corrupted service registry entry. Three causes: bad driver install, malware, or manual registry edit. Each has a specific fix.
Cause 1: Corrupted kernel driver or service entry from a failed installation
What's actually happening here: Windows loads a service or driver from its registry key under HKLM\System\CurrentControlSet\Services. If that key's ImagePath, Start value, or Type is missing or uses an invalid format — like a string that isn't a valid path or a DWORD with an out-of-range number — you get STATUS_ILL_FORMED_SERVICE_ENTRY at boot. The system can't parse the entry, so it stops dead.
This typically happens after you install a driver that gets interrupted (power loss, blue screen mid-install) or after a Windows Update that patches a service DLL but doesn't update the registry reference correctly. I've seen it most often on Server 2016 and 2019 after failed NVMe driver pushes via WSUS.
Fix: Use Last Known Good Configuration
- Boot the machine. As soon as the Windows logo appears, hold the power button to force shutdown. Do this 3 times. On the 4th boot, Windows should show the Advanced Startup Options screen.
- Select Troubleshoot > Advanced Options > Startup Settings > Restart.
- After the restart, press F8 to load the menu, then choose Last Known Good Configuration.
The reason this works: Last Known Good Configuration restores the ControlSet001 version of the registry that worked on the last successful boot. It doesn't touch user profiles or data — it only reverts the CurrentControlSet to a LastKnownGood copy stored at shutdown. If the corruption happened during the last driver install, you're back to the pre-install state.
Cause 2: Malware that hooks a service entry
Malware authors often modify service entries to load their DLLs at boot. They'll change the ImagePath from C:\Windows\System32\svchost.exe -k netsvcs to something like svchost.exe -k netsvcs & rundll32 C:\malware.dll. Windows sees this malformed string, can't parse it as a valid command line, and throws 0xC0000160.
This is more common on workstations than servers, but I've cleaned it off a Server 2012 R2 box used for file sharing. The malware arrived via a malicious email attachment opened by an admin account.
Fix: Use System Restore from the recovery environment
- Boot from Windows installation media or recovery drive.
- Select your language, then click Repair your computer (bottom-left corner).
- Go to Troubleshoot > Advanced Options > System Restore.
- Choose a restore point from before the infection. If none exist, you'll need to use the offline registry editor (see next fix).
Pro tip: System Restore in the recovery environment uses a different engine than in Windows. It can restore the registry from volume shadow copies even if Windows won't boot. Don't skip this because you think restore points are useless — they often save the day when other tools fail.
Cause 3: Manual registry edit gone wrong
You were tweaking the registry — maybe to disable a service, change startup type, or move a driver path — and you accidentally deleted a required value or typed the wrong data type. The registry editor doesn't validate your input. Put a string where a DWORD belongs, and you get this error on next boot.
I've done this myself: I changed Start from 3 (Manual) to 4 (Disabled) on stornvme to test something, then rebooted before reverting. The NVMe driver wouldn't load, and bam — 0xC0000160.
Fix: Boot from recovery media and fix the registry offline
- Boot from Windows installation media or a recovery drive.
- Open Command Prompt from Troubleshoot > Advanced Options > Command Prompt.
- Type regedit and press Enter. In regedit, select the HKEY_LOCAL_MACHINE hive.
- Go to File > Load Hive. Navigate to C:\Windows\System32\config\SYSTEM (your Windows drive letter may be D: or E: in recovery mode).
- Give the loaded hive a name like OfflineSystem.
- Browse to OfflineSystem\ControlSet001\Services. Look for any service with missing or wrong data types. Common culprits: ImagePath (should be REG_EXPAND_SZ), Start (should be REG_DWORD), Type (should be REG_DWORD).
- Fix the values. If you're unsure what the original value was, look at a working Windows machine's registry for the same service.
- After fixing, select the OfflineSystem hive and go to File > Unload Hive. Reboot.
What's happening here: You're loading the offline SYSTEM hive into regedit's namespace. Windows isn't using this copy of the registry because it's not booted — so you can edit freely without the kernel fighting you. The ControlSet001 is the default boot set. Change that, and you change what the boot loader reads.
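An added example, not part of the original article: a read-only PowerShell audit of the loaded hive that applies the type checks from the offline-edit steps above and also flags ImagePath values containing a command separator, as in the string described under Cause 2. It assumes the hive is loaded as HKLM\OfflineSystem and that PowerShell is available (for example, with the disk attached to a working machine); the function name Test-ServiceKey and the separator pattern are choices made for this example.

```powershell
# Added example: read-only audit of an offline SYSTEM hive for ill-formed service entries.
# Assumption: the hive is already loaded as HKLM\OfflineSystem (name from the steps above).
$root = 'HKLM:\OfflineSystem\ControlSet001\Services'
$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

function Test-ServiceKey {
    param([Microsoft.Win32.RegistryKey]$Key)
    $names = $Key.GetValueNames()

    # Subkeys carrying none of the core values are containers, not service entries.
    if (-not ($names | Where-Object { $_ -in 'Type', 'Start', 'ImagePath' })) { return }

    # Type and Start must exist and be REG_DWORD.
    foreach ($n in 'Type', 'Start') {
        if ($names -notcontains $n) { "$n is missing"; continue }
        $kind = $Key.GetValueKind($n).ToString()
        if ($kind -ne 'DWord') { "$n is $kind, expected DWord" }
    }

    # Start has five defined values: 0 Boot, 1 System, 2 Automatic, 3 Manual, 4 Disabled.
    if ($names -contains 'Start' -and $Key.GetValueKind('Start').ToString() -eq 'DWord') {
        $start = $Key.GetValue('Start')
        if ($start -lt 0 -or $start -gt 4) { "Start is $start, outside 0-4" }
    }

    # ImagePath is optional for drivers; when present it must be a string type.
    # REG_SZ also occurs on working systems, so it is accepted here alongside REG_EXPAND_SZ.
    if ($names -contains 'ImagePath') {
        $kind = $Key.GetValueKind('ImagePath').ToString()
        if ($kind -notin 'ExpandString', 'String') {
            "ImagePath is $kind, expected ExpandString"
        } else {
            # Heuristic: an empty path or a command separator marks the entry for review.
            $path = [string]$Key.GetValue('ImagePath', '', $noExpand)
            if ([string]::IsNullOrWhiteSpace($path)) { 'ImagePath is empty' }
            elseif ($path -match '[&|]') { "ImagePath contains a command separator: $path" }
        }
    }
}

# One row per finding; services with no findings produce no output.
Get-ChildItem -Path $root -ErrorAction Stop | ForEach-Object {
    $service = $_.PSChildName
    Test-ServiceKey -Key $_ | ForEach-Object {
        [pscustomobject]@{ Service = $service; Finding = $_ }
    }
} | Format-Table -AutoSize -Wrap
```

Compare each finding against the same service on a working machine before changing anything, then unload the hive as in the last step above.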
Quick-reference summary
| Cause | Diagnostic clue | Fix method | Difficulty |
|---|---|---|---|
| Corrupted driver/service install | Error appears after driver update or failed install | Last Known Good Configuration | Beginner |
| Malware hooking a service | Unexpected service entry with embedded script or unusual path | System Restore from recovery environment | Intermediate |
| Manual registry mistake | You were editing the registry before the error | Offline registry edit via loaded hive | Advanced |