  • How to fix CrowdStrike BSOD issue on Windows PCs [Update]


    Karlston


    CrowdStrike, a leading cybersecurity technology provider, offers security services for endpoints, cloud workloads, identity, and data. Trusted by 298 of the Fortune 500, 43 U.S. states, 6 of the top 10 healthcare providers, and 8 of the top 10 financial services firms, CrowdStrike is a prominent player in the industry.

     

    Its Falcon platform is a unified, cloud-delivered security product that aims to stop attacks of every kind, malware-based or not. On 19 July 2024, however, a content update for the Falcon Sensor on Windows (a channel file, not a new sensor binary) triggered a critical failure: affected hosts bugcheck during boot and fall into a Blue Screen of Death (BSOD) loop that makes them unusable. The outage disrupted operations across sectors, notably airlines, banks, and healthcare providers.

     

    CrowdStrike has acknowledged the issue and reverted the faulty content, so hosts that have not crashed yet, or that come online after the revert, pick up the good channel file automatically. An alert sent to customers confirms crashes (bugcheck/blue screen errors) on Windows hosts related to the Falcon Sensor. A host already caught in the boot loop, though, never stays up long enough to download the fix and has to be repaired by hand. The workarounds are below.

     

    Official Workaround for CrowdStrike BSOD issue on Windows PCs:

     

    • Boot the Windows PC into Safe Mode or the Windows Recovery Environment (a BitLocker-protected drive asks for its recovery key first, and inside WinRE the installed Windows may carry a letter other than C:).
    • Go to C:\Windows\System32\drivers\CrowdStrike
    • Locate and delete the file matching "C-00000291*.sys"
    • Boot normally

     

    Two unofficial alternatives stop the sensor from loading at all. Both leave the host without Falcon protection until they are reversed, whereas the official workaround removes only the one broken channel file and leaves the sensor running:

     

    Method 1:

     

    • Open Command Prompt from the Recovery options.
    • Navigate to C:\Windows\System32\drivers
    • Rename the CrowdStrike folder to CrowdStrike_Old (this sidelines the whole sensor directory, not just the broken channel file, so Falcon stays disabled until the folder is renamed back or the sensor is reinstalled).
    • Restart the PC.

     

    Method 2:

     

    • Boot your Windows PC into Safe Mode or the Windows Recovery Environment.
    • Open the Registry Editor (regedit).
    • Change the Start value of the following key from 1 to 4 (SERVICE_DISABLED) so that csagent.sys no longer loads:
      • HKLM\SYSTEM\CurrentControlSet\Services\CSAgent
    • From WinRE this needs one extra step: the registry regedit shows there belongs to WinRE itself, so first load the installed system's hive (C:\Windows\System32\config\SYSTEM) under a temporary name and edit the CSAgent key under the control set that its Select\Current value points to (normally ControlSet001); CurrentControlSet exists only on a running system. Set Start back to its old value once the sensor is repaired, because the host runs unprotected in the meantime.
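    The official workaround and Method 2 above, combined into one PowerShell script. This is an added example, not code from CrowdStrike or from the original post. It assumes powershell.exe is available where it runs (always in Safe Mode; at the WinRE command prompt, type powershell to check); the -BitLockerDrive, -RecoveryPassword and -DisableCsAgent parameters, the hive alias HKLM\OfflineSystem and the CrowdStrike-quarantine folder are this example's own choices. The timestamps used to classify the channel file come from CrowdStrike's summary further down (problematic build 0409 UTC, reverted build 0527 UTC or later, 19 July 2024).

```powershell
# Added example (not CrowdStrike's or the original post's code). Run from an elevated
# PowerShell in Safe Mode, or by typing "powershell" at the WinRE command prompt.
# Assumed, this example's own: the three parameters below, the hive alias
# HKLM\OfflineSystem and the quarantine folder name. Timestamps: CrowdStrike summary.
param(
    [string]$BitLockerDrive   = 'C:',  # volume to unlock if the OS disk is BitLocker-protected
    [string]$RecoveryPassword = '',    # its 48-digit recovery key, if one is needed
    [switch]$DisableCsAgent            # Method 2: also set CSAgent Start=4 (host runs unprotected)
)
$ErrorActionPreference = 'Stop'

# 1. Find the installed Windows. Inside WinRE, X: is WinRE's own RAM disk and the
#    installed system is not always C:, so pick the first volume with a drivers directory.
function Find-OsRoot {
    Get-PSDrive -PSProvider FileSystem |
        Where-Object { $_.Name -ne 'X' -and (Test-Path (Join-Path $_.Root 'Windows\System32\drivers')) } |
        Select-Object -First 1 -ExpandProperty Root
}
$root = Find-OsRoot
if (-not $root -and $RecoveryPassword) {
    # A locked BitLocker volume shows no files until unlocked; manage-bde is present in WinRE.
    & manage-bde -unlock $BitLockerDrive -RecoveryPassword $RecoveryPassword
    $root = Find-OsRoot
}
if (-not $root) { throw 'No Windows volume found. If the disk is BitLocker-protected, rerun with -RecoveryPassword.' }
Write-Host "Installed Windows found on $root"

# 2. Official workaround: remove the C-00000291*.sys channel file. It is moved to a
#    quarantine folder rather than deleted so the artefact survives for later analysis;
#    the sensor downloads the reverted file on the next successful boot either way.
$badBuild   = [datetime]::new(2024, 7, 19, 4, 9, 0, [DateTimeKind]::Utc)   # problematic build
$goodBuild  = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc)  # reverted build
$csDir      = Join-Path $root 'Windows\System32\drivers\CrowdStrike'
$quarantine = Join-Path $root 'CrowdStrike-quarantine'
$channelFiles = @(Get-ChildItem -Path $csDir -Filter 'C-00000291*.sys' -ErrorAction SilentlyContinue)
if ($channelFiles.Count -eq 0) { Write-Host "No C-00000291*.sys in $csDir; nothing to remove." }
foreach ($f in $channelFiles) {
    $stamp = $f.LastWriteTimeUtc
    $verdict = if ($stamp -ge $goodBuild) { 'timestamp matches the reverted (good) build' }
               elseif ($stamp -ge $badBuild) { 'timestamp matches the problematic 0409 UTC build' }
               else { 'timestamp predates the problematic build' }
    New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
    Move-Item -Path $f.FullName -Destination $quarantine -Force
    Write-Host "Moved $($f.Name) (written $stamp UTC; $verdict) to $quarantine"
}

# 3. Optional Method 2: keep csagent.sys from loading by setting the CSAgent service's
#    Start value to 4 (SERVICE_DISABLED). In Safe Mode the live hive is the right one.
#    From WinRE the visible registry is WinRE's own, so the installed SYSTEM hive is
#    loaded from disk and the active control set read from its Select\Current value
#    (CurrentControlSet exists only on a running system).
if ($DisableCsAgent) {
    $online = $env:SystemRoot.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)
    if ($online) {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\CSAgent'
    } else {
        & reg.exe load 'HKLM\OfflineSystem' (Join-Path $root 'Windows\System32\config\SYSTEM') | Out-Null
        $n   = (Get-ItemProperty -Path 'HKLM:\OfflineSystem\Select' -Name Current).Current
        $key = 'HKLM:\OfflineSystem\ControlSet{0:D3}\Services\CSAgent' -f $n
    }
    try {
        $old = (Get-ItemProperty -Path $key -Name Start).Start
        Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord
        Write-Host "CSAgent Start changed from $old to 4; set it back to $old once the sensor is repaired."
    } finally {
        if (-not $online) {
            [gc]::Collect()                         # drop provider handles so the hive can unload
            & reg.exe unload 'HKLM\OfflineSystem' | Out-Null
        }
    }
}
Write-Host 'Done. Reboot normally; the host then downloads the reverted channel file.'
```

    The script reports which build the file's timestamp matches but moves it regardless, because that is what CrowdStrike's steps prescribe and a host that is still crashing is not going to have the good file anyway. The registry step records the previous Start value so it can be restored without guessing.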

     

    If you are running Windows on an AWS EC2 instance, use the following method:

     

    • Stop the impacted instance (force-stop it if it never reaches a clean shutdown; the root EBS volume cannot be detached while the instance runs).
    • Snapshot the root EBS volume as a fallback.
    • Detach the EBS volume from the impacted EC2 instance.
    • Attach the EBS volume to a healthy Windows EC2 instance in the same Availability Zone.
    • On that instance, bring the disk online and fix the CrowdStrike driver folder as per the workaround suggested by CrowdStrike.
    • Detach the EBS volume from the rescue instance.
    • Attach the EBS volume to the impacted EC2 instance under its original device name and start it.

       

    The same detach, repair and reattach sequence works for Windows instances on Google Cloud Platform, with the persistent disk taking the place of the EBS volume.
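    The EC2 sequence above as a PowerShell script, an added example that is not code from AWS, CrowdStrike or the original post. It assumes the AWS Tools for PowerShell module AWS.Tools.EC2 with credentials already configured, an instance ID for the crashing host and one for a healthy Windows rescue host in the same Availability Zone (both passed in as parameters; no real IDs appear here), and a free device name xvdf on the rescue host. The repair itself has to execute on the rescue instance (over RDP or an SSM session), so the script prints that part and waits. On GCP the same flow maps onto gcloud compute instances detach-disk and attach-disk with a persistent disk.

```powershell
# Added example (not AWS, CrowdStrike or the original post's code): detach / repair /
# reattach, driven from an admin workstation with AWS.Tools.EC2 and configured credentials.
# Assumed: both instance IDs are supplied by the caller and sit in the same Availability
# Zone (an EBS volume attaches only within its own AZ); xvdf is free on the rescue host.
#Requires -Modules AWS.Tools.EC2
param(
    [Parameter(Mandatory)] [string]$ImpactedInstanceId,   # the host stuck in the bugcheck loop
    [Parameter(Mandatory)] [string]$RescueInstanceId,     # a healthy Windows host, same AZ
    [string]$RescueDevice = 'xvdf'                        # free device name on the rescue host
)
$ErrorActionPreference = 'Stop'

function Wait-EC2State {
    # Poll a probe until it returns the wanted state; give up after 10 minutes.
    param([scriptblock]$Probe, [string]$Wanted)
    $deadline = (Get-Date).AddMinutes(10)
    while ((& $Probe) -ne $Wanted) {
        if ((Get-Date) -gt $deadline) { throw "Timed out waiting for state '$Wanted'" }
        Start-Sleep -Seconds 5
    }
}

# 1. A host in a bugcheck loop never reaches a stable state, so force-stop it first;
#    the root volume cannot be detached from a running instance.
$inst       = (Get-EC2Instance -InstanceId $ImpactedInstanceId).Instances[0]
$rootDevice = $inst.RootDeviceName                                   # usually /dev/sda1
$rootVolume = ($inst.BlockDeviceMappings | Where-Object DeviceName -eq $rootDevice).Ebs.VolumeId
Stop-EC2Instance -InstanceId $ImpactedInstanceId -ForceStop $true | Out-Null
Wait-EC2State -Wanted 'stopped' -Probe { (Get-EC2Instance -InstanceId $ImpactedInstanceId).Instances[0].State.Name.Value }

# 2. Snapshot before touching anything, as CrowdStrike's own steps advise. A snapshot is
#    point-in-time at creation, so there is no need to wait for it before detaching.
$snap = New-EC2Snapshot -VolumeId $rootVolume -Description "pre-CrowdStrike-fix $ImpactedInstanceId"
Write-Host "Snapshot $($snap.SnapshotId) requested for $rootVolume"

# 3. Move the OS volume to the rescue instance.
Dismount-EC2Volume -VolumeId $rootVolume | Out-Null
Wait-EC2State -Wanted 'available' -Probe { (Get-EC2Volume -VolumeId $rootVolume).State.Value }
Add-EC2Volume -VolumeId $rootVolume -InstanceId $RescueInstanceId -Device $RescueDevice | Out-Null
Wait-EC2State -Wanted 'in-use' -Probe { (Get-EC2Volume -VolumeId $rootVolume).State.Value }

# 4. On the rescue instance the new disk arrives offline. This block, run there over RDP
#    or SSM, brings it online, removes the channel file from the foreign Windows directory
#    (never from the rescue host's own system drive) and takes the disk offline again so
#    the reattach sees a cleanly closed volume.
$repairOnRescue = {
    $systemLetter = $env:SystemDrive.TrimEnd(':')
    Get-Disk | Where-Object OperationalStatus -eq 'Offline' | ForEach-Object {
        Set-Disk -Number $_.Number -IsOffline $false
        Set-Disk -Number $_.Number -IsReadOnly $false
    }
    $victim = Get-Volume | Where-Object {
        $_.DriveLetter -and $_.DriveLetter -ne $systemLetter -and
        (Test-Path "$($_.DriveLetter):\Windows\System32\drivers\CrowdStrike")
    } | Select-Object -First 1
    if (-not $victim) { throw 'Attached volume has no Windows\System32\drivers\CrowdStrike directory' }
    $csDir = "$($victim.DriveLetter):\Windows\System32\drivers\CrowdStrike"
    Get-ChildItem -Path $csDir -Filter 'C-00000291*.sys' | ForEach-Object {
        Write-Host "Removing $($_.FullName) (written $($_.LastWriteTimeUtc) UTC)"
        Remove-Item -Path $_.FullName -Force
    }
    Get-Partition -DriveLetter $victim.DriveLetter | Get-Disk | Set-Disk -IsOffline $true
}
Write-Host "Run the following on $RescueInstanceId, then press Enter here:"
Write-Host $repairOnRescue.ToString()
Read-Host | Out-Null

# 5. Return the repaired volume under its original device name and boot the host. It now
#    stays up long enough to pull the reverted channel file on its own.
Dismount-EC2Volume -VolumeId $rootVolume | Out-Null
Wait-EC2State -Wanted 'available' -Probe { (Get-EC2Volume -VolumeId $rootVolume).State.Value }
Add-EC2Volume -VolumeId $rootVolume -InstanceId $ImpactedInstanceId -Device $rootDevice | Out-Null
Wait-EC2State -Wanted 'in-use' -Probe { (Get-EC2Volume -VolumeId $rootVolume).State.Value }
Start-EC2Instance -InstanceId $ImpactedInstanceId | Out-Null
Write-Host "$ImpactedInstanceId starting with repaired volume $rootVolume (snapshot $($snap.SnapshotId) kept)"
```

    Reattaching under the original device name matters: a Windows root volume attached as anything other than the AMI's root device will not boot. The snapshot is left in place deliberately so the pre-fix state can be restored or examined later.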

     

    Update 1:

     

    CrowdStrike CEO George Kurtz tweeted the following in response to the outages caused by CrowdStrike.

     

    CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed. We…

     

    — George Kurtz (@George_Kurtz) July 19, 2024

    Here's the official summary of the details published by CrowdStrike:

     

    Summary

     

    CrowdStrike is aware of reports of crashes on Windows hosts related to the Falcon Sensor.

     

    Details

     

    Symptoms include hosts experiencing a bugcheck\blue screen error related to the Falcon Sensor.

     

    Windows hosts which have not been impacted do not require any action as the problematic channel file has been reverted.

     

    Windows hosts which are brought online after 0527 UTC will also not be impacted.

     

    Hosts running Windows 7/2008 R2 are not impacted

     

    This issue is not impacting Mac- or Linux-based hosts

     

    Channel file "C-00000291*.sys" with timestamp of 0527 UTC or later is the reverted (good) version.

     

    Channel file "C-00000291*.sys" with timestamp of 0409 UTC is the problematic version.

     

    Current Action:

     

    CrowdStrike Engineering has identified a content deployment related to this issue and reverted those changes.

     

    If hosts are still crashing and unable to stay online to receive the Channel File Changes, the following steps can be used to workaround this issue:

     

    Workaround Steps for individual hosts:

     

    Reboot the host to give it an opportunity to download the reverted channel file. If the host crashes again, then:

     

    Note: Bitlocker-encrypted hosts may require a recovery key.

     

    Boot Windows into Safe Mode or the Windows Recovery Environment

     

    NOTE: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.

     

    Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory

     

    Locate the file matching “C-00000291*.sys”, and delete it.

     

    Boot the host normally.

     

    Workaround Steps for public cloud or similar environment including virtual:

     

    Option 1:

     

    Detach the operating system disk volume from the impacted virtual server

     

    Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes

     

    Attach/mount the volume to a new virtual server

     

    Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory

     

    Locate the file matching “C-00000291*.sys”, and delete it.

     

    Detach the volume from the new virtual server

     

    Reattach the fixed volume to the impacted virtual server

     

    Option 2:

     

    Roll back to a snapshot before 0409 UTC.

     

    AWS-specific documentation:

     

    To attach an EBS volume to an instance

     

    Detach an Amazon EBS volume from an instance

     

    Azure environments:

     

    Please see this Microsoft article

     

    Bitlocker recovery-related KBs:

     

    BitLocker recovery in Microsoft Azure

     

    BitLocker recovery in Microsoft environments using SCCM

     

    BitLocker recovery in Microsoft environments using Active Directory and GPOs

     

    BitLocker recovery in Microsoft environments using Ivanti Endpoint Manager

     

    Source: CrowdStrike

     
