Boot Windows into Safe Mode or the Windows Recovery Environment
Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
Locate the file matching “C-00000291*.sys”, and delete it.
Boot the host normally.
Eeek! Thanks for sharing!
Thanks for sharing this, a few of my customers and colleagues are running into this issue this morning.
Saw this in the news this morning. Notified my security team as I think we use it on some servers. Thanks for sharing here as well.
I forgot we are testing CS out before implementing it. We had the agent on a handful of systems to test... which of course I had to fix this morning
Whew! We did have this installed in two DCs but have since replaced it with Carbon Black. So we are not affected.
Some customers were tremendously affected.
Until the real problem was discovered, it was necessary to return some backups here.
Close call! Remediation isn't too bad aside from it being a manual process. The OS file system is still reachable via admin$ so you can log into an unaffected system then remote to those affected & remove the problem .sys file. Bright side
For any wondering, this is the workaround on affected systems or, as Shane stated, remotely from a working system via the admin$ share -
Workaround Steps:
Boot Windows into Safe Mode or the Windows Recovery Environment
Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
Locate the file matching “C-00000291*.sys”, and delete it.
Boot the host normally.
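An added example, not code from the thread or from CrowdStrike, of the remote variant Shane and Chris describe: a PowerShell script that checks each host's admin$ share, lists any C-00000291*.sys in the CrowdStrike driver directory, and removes it only when run without -WhatIf. The parameter name $ComputerName and the script name are assumptions.

```powershell
# Added example, not CrowdStrike's or the thread's own code. Assumes: admin rights on
# the targets, the targets answering SMB, and a computer list you supply.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string[]]$ComputerName
)

foreach ($h in $ComputerName) {
    # admin$ is C:\Windows on the remote host, so this is the directory from the steps.
    $dir = "\\$h\admin`$\System32\drivers\CrowdStrike"

    if (-not (Test-Path -LiteralPath $dir)) {
        # Hosts stuck in a BSOD loop typically never answer SMB; fall back to Safe Mode / WinRE.
        Write-Warning "$h : admin`$ share or CrowdStrike directory not reachable; remediate from the console"
        continue
    }

    $files = @(Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File -ErrorAction SilentlyContinue)
    if ($files.Count -eq 0) {
        Write-Output "$h : no C-00000291*.sys present (already remediated or not affected)"
        continue
    }

    foreach ($f in $files) {
        # Log what is removed before touching it, so the change is auditable.
        Write-Output ("{0} : removing {1} ({2} bytes, written {3:u})" -f $h, $f.Name, $f.Length, $f.LastWriteTime)
        if ($PSCmdlet.ShouldProcess("$h\$($f.Name)", 'Delete CrowdStrike channel file')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
}
```

Run it first as `.\Remove-ChannelFile.ps1 -ComputerName host1,host2 -WhatIf` to see what would be deleted; the last workaround step (rebooting the host normally) is still done from the console or with Restart-Computer once the file is gone.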
Hi @Chris.Childerhose, I had already posted the solution.
Here, many impacted customers: all Windows systems in BSOD were not responding on the network. All Windows OSes were in this condition, similar to this screenshot, with no admin share available.
Regards
Ah sorry I did not go back to the OP. Oops my bad.
Guess it doesn’t hurt to have it twice.
I had that screen too @Link State. I did have admin share, but maybe because I went into ‘advanced options’. Not directly from this screen did I have admin$. Apologies for any confusion. Again, appreciate your post.
I was even able to restart a couple VMs and it went to the login screen. Though, that may not be the norm.