CrowdStrike update causing BSOD for systems running Microsoft Windows: report

  • July 19, 2024

Link State

Hi all,

A CrowdStrike update causes a BSOD loop on Windows systems.

CrowdStrike update causing blue screen error for systems running Microsoft Windows: report (local12.com)

  1. Boot Windows into Safe Mode or the Windows Recovery Environment
  2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
  3. Locate the file matching “C-00000291*.sys”, and delete it.
  4. Boot the host normally.

14 comments

coolsport00
  • Veeam Legend
  • July 19, 2024

Eeek! Thanks for sharing! 


Dynamic
  • Veeam Vanguard
  • July 19, 2024

Thanks for sharing this, a few of my customers and colleagues are running into this issue this morning.


Chris.Childerhose

Saw this in the news this morning. Notified my security team as I think we use it on some servers.  Thanks for sharing here as well.


coolsport00
  • Veeam Legend
  • July 19, 2024

I forgot we are testing CS out before implementing it. We had the agent on a handful of systems to test… which of course I had to fix this morning 🙄


Chris.Childerhose

Whew!  We did have this installed in two DCs but have since replaced it with Carbon Black.  So we are not affected. 😁


wolff.mateus
  • Veeam Vanguard
  • July 19, 2024

Some customers were tremendously affected. 

Until the real problem was discovered, it was necessary to return some backups here.


coolsport00
  • Veeam Legend
  • July 19, 2024

Close call! Remediation isn't too bad aside from it being a manual process. The OS file system is still reachable via admin$ so you can log into an unaffected system then remote to those affected & remove the problem .sys file. Bright side 😁


coolsport00
  • Veeam Legend
  • July 19, 2024

😳😳


Chris.Childerhose

For anyone wondering, this is the workaround on affected systems, or, as Shane stated, remotely from a working system to the admin$ share:

Workaround Steps:

  1. Boot Windows into Safe Mode or the Windows Recovery Environment
  2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
  3. Locate the file matching “C-00000291*.sys”, and delete it.
  4. Boot the host normally.
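
The remote variant of the workaround (deleting the matching file over the admin$ share from an unaffected system), as an added PowerShell example that is not part of any post in this thread or of any vendor tooling; the function name and host names are hypothetical. Hosts it reports as unreachable still need the Safe Mode / Windows Recovery Environment steps.

```powershell
# Added example; the function name and host names are hypothetical.
function Remove-CrowdStrikeProblemFile {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName
    )
    process {
        foreach ($computer in $ComputerName) {
            # admin$ exposes the remote %SystemRoot% (normally C:\Windows).
            $dir = '\\{0}\admin$\System32\drivers\CrowdStrike' -f $computer
            if (-not (Test-Path -LiteralPath $dir)) {
                # Host down, share blocked, or no sensor: use Safe Mode / WinRE instead.
                [pscustomobject]@{ Computer = $computer; File = $null
                                   Status = 'Share or directory not reachable' }
                continue
            }
            # Only the pattern from the workaround; other sensor files stay untouched.
            $files = @(Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File -Force)
            if ($files.Count -eq 0) {
                [pscustomobject]@{ Computer = $computer; File = $null
                                   Status = 'No matching file' }
                continue
            }
            foreach ($file in $files) {
                $status = 'Skipped'
                if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete')) {
                    try {
                        Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
                        $status = 'Deleted'
                    } catch {
                        $status = 'Failed: ' + $_.Exception.Message
                    }
                }
                [pscustomobject]@{ Computer = $computer; File = $file.Name
                                   Status = $status }
            }
        }
    }
}

# Dry run first, then repeat without -WhatIf and confirm each deletion:
# 'HOST01', 'HOST02' | Remove-CrowdStrikeProblemFile -WhatIf
```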

Link State
  • Author
  • Veeam Legend
  • July 19, 2024

Hi @Chris.Childerhose, I had already posted the solution 😛

Many impacted customers here; all Windows systems in BSOD were not responding on the network.
All Windows OSes were in a condition similar to this screenshot, with no admin share available. 😫

Regards


Chris.Childerhose

Ah sorry I did not go back to the OP.  Oops my bad.  😋😂

Guess it doesn’t hurt to have it twice.  😆


coolsport00
  • Veeam Legend
  • July 19, 2024

I had that screen too @Link State. I did have admin share, but maybe because I went into ‘advanced options’. Not directly from this screen did I have admin$. Apologies for any confusion. Again, appreciate your post.


coolsport00
  • Veeam Legend
  • July 19, 2024

I was even able to restart a couple VMs and it went to the login screen. Though, that may not be the norm. 🤷🏻‍♂️


Link State
  • Author
  • Veeam Legend
  • July 23, 2024