Emergency Recovery Guide: Resolving CrowdStrike Update-Induced BSOD on Windows Systems

What Happened:

On July 19, 2024, at 04:09 UTC, CrowdStrike released a sensor configuration update to Windows systems. This update, part of the Falcon platform's regular protection mechanisms, unfortunately triggered a logic error that resulted in system crashes and blue screens (BSOD) on impacted systems. The issue was resolved with a remedial update released on July 19, 2024, at 05:27 UTC.

This problem was not related to or caused by a cyberattack.

How to Recover:

Download Automated Recovery Article: https://www.crowdstrike.com/wp-content/uploads/2024/07/Automated-Recovery-from-Blue-Screen-on-Windows-Instances-in-GCP.pdf

Workaround:

Steps for Individual Hosts:

  1. Reboot the Host:
     - Ensure the host is connected to a wired network for faster internet connectivity.
     - The host will attempt to download the reverted channel file upon reboot.
     - If the host crashes again, proceed to the next steps.
  2. Boot Windows into Safe Mode or the Windows Recovery Environment (WinRE):
     - Connecting the host to a wired network and using Safe Mode with Networking can aid remediation.
  3. Navigate to the CrowdStrike Directory:
     - Open the command prompt and navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
     - For WinRE/WinPE, first navigate to the appropriate partition (default is C:\) and then to the CrowdStrike directory:

       C:
       cd windows\system32\drivers\crowdstrike

  4. Delete the Faulty File:
     - Locate the file matching “C-00000291*.sys” and delete it.
     - Do not delete or change any other files or folders.
  5. Cold Boot the Host:
     - Shut down the host completely.
     - Start the host from an off state.
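
Steps 3 and 4 as a batch file for the Safe Mode or WinRE command prompt. This is an added example, not CrowdStrike's own tooling. The page gives C:\ as the default partition; probing other drive letters, the PATTERN variable and the :clean label are assumptions made for illustration.

```batch
@echo off
rem Added example: remove only the channel file named in step 4.
setlocal
set "PATTERN=C-00000291*.sys"
set "FOUND="

rem Assumption: the Windows volume may be mounted under a letter other
rem than C: in WinRE/WinPE, so each candidate letter is checked.
for %%D in (C D E F G H I J K L M N O P Q R S T U V W) do (
    if exist "%%D:\Windows\System32\drivers\CrowdStrike\" (
        set "FOUND=1"
        call :clean "%%D:\Windows\System32\drivers\CrowdStrike"
    )
)
if not defined FOUND echo CrowdStrike driver directory not found on any volume.
endlocal
exit /b 0

:clean
echo Checking %~1
if not exist "%~1\%PATTERN%" (
    echo   No file matching %PATTERN% here; nothing to delete.
    exit /b 0
)
rem List exactly what matches before deleting; no other file is touched.
dir /b "%~1\%PATTERN%"
del /f /q "%~1\%PATTERN%"
if exist "%~1\%PATTERN%" (
    echo   Delete failed; remove the listed file manually.
    exit /b 1
)
echo   Deleted. Continue with step 5: shut down and start from an off state.
exit /b 0
```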

By following these steps, you can recover your system from the blue screen issue caused by the recent update.

Resource: crowdstrike.com
