How to Solve CrowdStrike BSOD Error Stand Alone and Cloud Systems | iiQ8

How to Solve CrowdStrike BSOD Error

 

How to Solve CrowdStrike BSOD Error

 

 

Summary

  • CrowdStrike is aware of reports of crashes on Windows hosts related to the Falcon Sensor.

Details

  • Symptoms include hosts experiencing a bugcheck\blue screen error related to the Falcon Sensor.
  • Windows hosts which have not been impacted do not require any action as the problematic channel file has been reverted.
  • Windows hosts which are brought online after 0527 UTC will also not be impacted
  • Hosts running Windows 7/2008 R2 are not impacted
  • This issue is not impacting Mac- or Linux-based hosts
  • Channel file “C-00000291*.sys” with timestamp of 0527 UTC or later is the reverted (good) version.
  • Channel file “C-00000291*.sys” with timestamp of 0409 UTC is the problematic version.

Current Action

  • CrowdStrike Engineering has identified a content deployment related to this issue and reverted those changes.
  • If hosts are still crashing and unable to stay online to receive the Channel File Changes, the following steps can be used to workaround this issue:

How to Solve CrowdStrike BSOD Error Stand Alone and Cloud Systems | iiQ8




Microsoft Windows Major Service Outage Globally | iiQ8 Solution for Windows Error

Workaround Steps for individual hosts:

    • Reboot the host to give it an opportunity to download the reverted channel file. If the host crashes again, then:
      • Boot Windows into Safe Mode or the Windows Recovery Environment
        • NOTE: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.
      • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
      • Locate the file matching “C-00000291*.sys”, and delete it.
      • Boot the host normally.

Note: Bitlocker-encrypted hosts may require a recovery key.

How to Solve CrowdStrike BSOD Error Stand Alone and Cloud Systems | iiQ8

Workaround Steps for public cloud or similar environment including virtual:

Option 1:

    • ​​​​​​​Detach the operating system disk volume from the impacted virtual server
    • Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes
    • Attach/mount the volume to to a new virtual server
    • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
    • Locate the file matching “C-00000291*.sys”, and delete it.
    • Detach the volume from the new virtual server
    • Reattach the fixed volume to the impacted virtual server

 

Top 50 Linux Commands For a Regular User

Option 2:

  • ​​​​​​​Roll back to a snapshot before 0409 UTC.

AWS-specific documentation:

Azure environments:

Bitlocker recovery-related KBs:





How to Solve CrowdStrike BSOD Error Stand Alone and Cloud Systems | iiQ8

 

How to Manage IT Staff ? | iiQ8 Information Technology

Spread iiQ8

July 19, 2024 7:25 PM

237 total views, 0 today