CrowdStrike Falcon BSOD Issue: Workaround to Bring Affected Workstations Back Online

CrowdStrike Falcon BSOD Issue

An update to the CrowdStrike Falcon software has been causing machines using this software to encounter Blue Screen of Death (BSOD) errors. This issue is widespread, affecting many organizations globally, including government agencies, banks, and airlines.

Details

  • Symptoms include hosts experiencing a bugcheck\blue screen error related to the Falcon Sensor.
  • Windows hosts which have not been impacted do not require any action as the problematic channel file has been reverted.
  • Windows hosts which are brought online after 0527 UTC will also not be impacted
  • Hosts running Windows 7/2008 R2 are not impacted
  • This issue is not impacting Mac- or Linux-based hosts
  • Channel file “C-00000291*.sys” with timestamp of 0527 UTC or later is the reverted (good) version.
  • Channel file “C-00000291*.sys” with timestamp of 0409 UTC is the problematic version.

Current Action

  • CrowdStrike Engineering has identified a content deployment related to this issue and reverted those changes.
  • If hosts are still crashing and unable to stay online to receive the Channel File Changes, the following steps can be used to workaround this issue.

 

Workaround Steps for individual hosts:

 

  • Reboot the host to give it an opportunity to download the reverted channel file. If the host crashes again, then:
    • Boot Windows into Safe Mode or the Windows Recovery Environment
      • NOTE: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.
    • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
    • Locate the file matching “C-00000291*.sys”, and delete it.
    • Boot the host normally. 

 

Workaround Steps for public cloud or similar environment including virtual:

Option 1:

  • Detach the operating system disk volume from the impacted virtual server
  • Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes
  • Attach/mount the volume to to a new virtual server
  • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
  • Locate the file matching “C-00000291*.sys”, and delete it.
  • Detach the volume from the new virtual server
  • Reattach the fixed volume to the impacted virtual server

Option 2:

  • Roll back to a snapshot before 0409 UTC.

 

AWS-specific documentation:

 

Azure environments:

 

Bitlocker recovery-related KBs:

We will continue to monitor the situation closely and provide updates as more information becomes available.

Share:

Subscribe to TechMD Insights

More Posts

Witness a Real-Time Cyberattack: How AiTM Attacks Work and How to Stop Them

Have you ever wondered what happens during a successful cyberattack and how cybersecurity professionals respond? In real time, we’ll take you inside a particularly dangerous technique known as an Adversary-in-the-Middle (AiTM) attack, where a simulated cybercriminal steals a user’s token in Microsoft 365 (M365).

Your Business and the Dark Web: How to Stay Safe

Whether you’re a business owner, employee, or casual internet user, your personal information is constantly at risk of exposure. But what exactly is the dark web, and how can you protect yourself and your business from its threats?

Skip to content