365labs - Microsoft 365 and cybersecurity consultancy


CrowdStrike Update Causes Widespread BSOD Issues on Windows hosts

19th July 2024

Today, many users across the globe are facing significant disruptions due to a problematic update from CrowdStrike. The update has led to Blue Screen of Death (BSOD) errors on Windows 10 and Windows 11 systems, causing them to get stuck at the "Recovery" screen with the message, "It looks like Windows didn’t load correctly."

What Happened?

CrowdStrike's recent update, specifically affecting the `csagent.sys` driver in their Falcon endpoint protection software, has inadvertently caused systems to crash. This issue has been reported by numerous businesses and institutions, including airlines, banks, and media outlets, across various regions such as the UK, Australia, Europe, and the US.

Impact

The BSOD issue has disrupted critical operations:

- Airlines: Airports and airlines reported disruptions to check-in procedures for several carriers.

- Media: In the UK, Sky News experienced outages.

- Finance: Various banks faced system crashes, affecting their services.

CrowdStrike acknowledged the issue and is actively investigating. They have already rolled back the problematic update, but systems that were affected need manual intervention to resolve the BSOD error.

Temporary Fixes

If you are experiencing this issue, you can try the following steps to resolve it temporarily:

Method 1: Safe Mode and Delete the Affected File

1. Boot into Safe Mode by selecting "See advanced repair options" on the Recovery screen, navigating to "Troubleshoot" > "Advanced options" > "Startup Settings," and then clicking "Restart." Press 4 or F4 to start in Safe Mode.

2. Open Command Prompt in Safe Mode.

3. Navigate to the CrowdStrike directory: `cd C:\Windows\System32\drivers\CrowdStrike`.

4. Locate the file with the pattern `C-00000291*.sys` and delete it using `del C-00000291*.sys`.

Method 2: Safe Mode and Rename the CrowdStrike Folder

1. Boot into Safe Mode as described above.

2. Open Command Prompt in Safe Mode.

3. Navigate to the drivers directory: `cd \windows\system32\drivers`.

4. Rename the CrowdStrike folder: `ren CrowdStrike CrowdStrike_old`.

These steps should help you bypass the BSOD and boot your system normally until CrowdStrike releases a permanent fix.
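As an added example that is not part of the original post or of CrowdStrike's own guidance, the following PowerShell script automates Method 1 from an elevated prompt in Safe Mode: it checks that the Falcon driver directory exists, then moves any `C-00000291*.sys` channel file into a quarantine folder (an assumed path) instead of deleting it, recording the file name, timestamp and SHA-256 hash so the file is still available for post-incident analysis.

```powershell
# Added example, not CrowdStrike's or 365labs' tooling. Run from an elevated
# PowerShell prompt in Safe Mode. Same effect as Method 1 above, except that
# the matching channel file(s) are quarantined rather than deleted.
$driverDir  = 'C:\Windows\System32\drivers\CrowdStrike'   # path from the post
$pattern    = 'C-00000291*.sys'                            # pattern from the post
$quarantine = 'C:\CrowdStrike_quarantine'                  # assumed location

if (-not (Test-Path -LiteralPath $driverDir)) {
    Write-Host "Directory not found: $driverDir. Falcon may not be installed, or Windows is on another drive."
    exit 1
}

# Wrap in @() so .Count is reliable even when zero or one file matches.
$files = @(Get-ChildItem -LiteralPath $driverDir -Filter $pattern -File -ErrorAction SilentlyContinue)
if ($files.Count -eq 0) {
    Write-Host "No files matching $pattern in $driverDir; nothing to do (try Method 2)."
    exit 0
}

New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
$log = Join-Path $quarantine 'quarantined.txt'

foreach ($f in $files) {
    # Capture name, last-write time and hash before moving, for the incident record.
    $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    "$($f.Name)`t$($f.LastWriteTime.ToString('o'))`t$hash" | Add-Content -Path $log
    Move-Item -LiteralPath $f.FullName -Destination $quarantine -Force
    Write-Host "Quarantined $($f.Name) -> $quarantine"
}

Write-Host "Done. Reboot normally; the quarantine log is at $log."
```

Launch it from the Safe Mode Command Prompt with `powershell -ExecutionPolicy Bypass -File <script-name>.ps1` (script name is yours to choose); if it reports no matching file, fall back to Method 2.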

Despite some media reports, this is not a Microsoft issue.

Stay secure and stay informed.