Date: 2024-07-19

CrowdStrike, a leading cybersecurity technology provider, offers security services for endpoints, cloud workloads, identity, and data. Trusted by over 298 of the Fortune 500, 43 U.S. states, 6 out of the top 10 healthcare providers, and 8 out of the top 10 financial services firms, CrowdStrike is a prominent player in the industry.

Its Falcon platform is a unified, cloud-delivered security solution designed to prevent all types of attacks, malware and beyond. However, a recent update to the Falcon Sensor agent on Windows has triggered a critical issue: a Blue Screen of Death (BSOD) boot loop that renders affected systems unusable. This widespread problem has disrupted operations across various sectors, notably impacting airlines, banks, and healthcare providers.

CrowdStrike has acknowledged the issue and halted further deployment of the faulty update. An alert sent to users confirms that they are aware of crashes on Windows hosts related to the Falcon Sensor, specifically bugcheck/blue screen errors. Unfortunately, an official solution to recover Windows PCs caught in the BSOD boot loop remains elusive. There are, however, several workarounds for the issue; read about them below.

Official workaround for the CrowdStrike BSOD issue on Windows PCs:

1. Boot your Windows PC into Safe Mode or the Windows Recovery Environment.
2. Go to C:\Windows\System32\drivers\CrowdStrike
3. Locate and delete the file matching "C-00000291*.sys"
4. Boot normally.
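The official workaround above, scripted as an added example (not CrowdStrike's own tooling) for an elevated PowerShell session in Safe Mode or the Windows Recovery Environment. It assumes the affected Windows volume's drive letter is passed as -SystemDrive (in WinRE the system volume is often not C:), and it records each matching file's name, size, timestamp and SHA-256 to a log before deleting it, so the removal is documented for the incident record.

```powershell
<#
  Added example: applies the published workaround (delete the channel file
  matching C-00000291*.sys from the CrowdStrike driver folder).
  Assumptions: run elevated from Safe Mode or WinRE; -SystemDrive is the
  drive letter of the affected Windows installation as seen from this session.
#>
param(
    [string]$SystemDrive = 'C:',   # offline Windows volume; check with diskpart in WinRE
    [switch]$Force                 # skip the confirmation prompt
)

$driverDir = Join-Path $SystemDrive 'Windows\System32\drivers\CrowdStrike'
$pattern   = 'C-00000291*.sys'     # file pattern named in the official workaround
$logPath   = Join-Path $SystemDrive 'CrowdStrike-workaround.log'

if (-not (Test-Path -LiteralPath $driverDir)) {
    Write-Error "Driver folder not found: $driverDir (wrong drive letter?)"
    exit 1
}

# Enumerate only the channel file(s) the workaround targets, never the whole folder.
$channelFiles = @(Get-ChildItem -LiteralPath $driverDir -Filter $pattern -File)
if ($channelFiles.Count -eq 0) {
    Write-Output "No file matching $pattern in $driverDir; nothing to do."
    exit 0
}

# Record what is about to be removed before touching it.
foreach ($f in $channelFiles) {
    $sha256 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    "$(Get-Date -Format o) $($f.FullName) size=$($f.Length) mtime=$($f.LastWriteTime.ToString('o')) sha256=$sha256" |
        Add-Content -LiteralPath $logPath
    Write-Output "Found: $($f.Name) (modified $($f.LastWriteTime))"
}

if (-not $Force) {
    $answer = Read-Host "Delete $($channelFiles.Count) file(s) listed above? [y/N]"
    if ($answer -notmatch '^[Yy]') { Write-Output 'Aborted; nothing deleted.'; exit 0 }
}

foreach ($f in $channelFiles) { Remove-Item -LiteralPath $f.FullName -Force }

# Verify the folder no longer contains a matching file before rebooting.
$remaining = @(Get-ChildItem -LiteralPath $driverDir -Filter $pattern -File)
if ($remaining.Count -eq 0) {
    Write-Output "Removed $($channelFiles.Count) file(s); log at $logPath. Reboot normally."
    exit 0
}
Write-Error "$($remaining.Count) file(s) still present in $driverDir; inspect $logPath."
exit 1
```

Run it as `.\Remove-ChannelFile.ps1 -SystemDrive 'D:'` when the affected volume is mounted at D: in WinRE.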

Another way is to prevent CrowdStrike from starting, using either of the following methods:

Method 1:

1. Open a Command Prompt from the Recovery options.
2. Navigate to C:\Windows\System32\Drivers
3. Rename the CrowdStrike folder to Crowdstrike_Old
4. Restart the PC.

Method 2:

1. Boot your Windows PC into Safe Mode or the Windows Recovery Environment.
2. Open the Windows Registry editor.
3. Change the value of HKLM:\SYSTEM\CurrentControlSet\Services\CSAgent\Start from 1 to 4 so that csagent.sys is no longer loaded at boot.

If you are running Windows on an AWS EC2 instance, you can try the following method:

1. Detach the EBS volume from the impacted EC2 instance.
2. Attach the EBS volume to a new EC2 instance.
3. Fix the CrowdStrike driver folder as per the workaround suggested by CrowdStrike.
4. Detach the EBS volume from the new EC2 instance.
5. Attach the EBS volume to the impacted EC2 instance.

The above method can also be applied for Windows instances running on Google Cloud Platform.

Update 1:

CrowdStrike CEO George Kurtz tweeted the following in response to the outages caused by CrowdStrike.

CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed. We… — George Kurtz (@George_Kurtz) July 19, 2024

Developing...

Source: CrowdStrike