How to fix CrowdStrike BSOD issue on Windows PCs [Update]

CrowdStrike, a leading cybersecurity technology provider, offers security services for endpoints, cloud workloads, identity, and data. Trusted by over 298 of the Fortune 500, 43 U.S. states, 6 out of the top 10 healthcare providers, and 8 out of the top 10 financial services firms, CrowdStrike is a prominent player in the industry.

Its Falcon platform is a unified, cloud-delivered security solution designed to prevent all types of attacks, including malware and beyond. However, a recent update to the Falcon Sensor agent on Windows has triggered a critical issue: a Blue Screen of Death (BSOD) boot loop that renders affected systems unusable. This widespread problem has disrupted operations across various sectors, notably impacting airlines, banks, and healthcare providers.

CrowdStrike has acknowledged the issue and halted further deployment of the faulty update. An alert sent to users confirms that they are aware of crashes on Windows hosts related to the Falcon Sensor, specifically bugcheck/blue screen errors. Unfortunately, an official solution to recover Windows PCs caught in the BSOD boot loop remains elusive. Several workarounds are available; they are described below.

Official Workaround for CrowdStrike BSOD issue on Windows PCs:

  • Boot your Windows PC into Safe Mode or Windows Recovery Environment.
  • Go to C:\Windows\System32\drivers\CrowdStrike
  • Locate and delete the file matching "C-00000291*.sys"
  • Boot normally

Another way is to prevent CrowdStrike from starting using either of the following methods:

Method 1:

  • Go into Command Prompt from Recovery options.
  • Navigate to C:\Windows\System32\Drivers
  • Rename the CrowdStrike folder to Crowdstrike_Old
  • Restart the PC.

Method 2:

  • Boot your Windows PC into Safe Mode or Windows Recovery Environment.
  • Open the Windows Registry Editor.
  • Edit the following value to stop csagent.sys from loading:
    • Change HKLM:\SYSTEM\CurrentControlSet\Services\CSAgent\Start from 1 to 4
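The per-host steps above (delete the 291 channel file, with Method 2's registry change as a fallback) as an added PowerShell script; this is not code from the article or from CrowdStrike. It assumes an elevated PowerShell in Safe Mode, or a WinRE image that includes PowerShell with the offline system drive passed as -WindowsDir, and it reads CrowdStrike's "timestamp" as the file's last-write time in UTC so that an already-reverted file is left alone; the backup folder is an added precaution.

```powershell
# Added example, not the article's or CrowdStrike's own code. Run from an
# elevated PowerShell in Safe Mode, or from WinRE with -WindowsDir pointing
# at the offline system drive (there it is often D:\Windows, not C:\Windows).
#Requires -RunAsAdministrator

# From the advisory: channel file 291 stamped 0527 UTC or later on 2024-07-19
# is the reverted (good) build; anything earlier is the problematic one.
$GoodFrom = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc)

function Remove-BadChannelFile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$WindowsDir = $env:WINDIR,
        # Assumed: a copy is kept here before deletion for later analysis.
        [string]$BackupDir = (Join-Path $env:TEMP 'cs-291-backup')
    )
    $dir = Join-Path $WindowsDir 'System32\drivers\CrowdStrike'
    foreach ($f in Get-ChildItem -Path $dir -Filter 'C-00000291*.sys' -ErrorAction Stop) {
        $stamp = $f.LastWriteTimeUtc.ToString('u')
        if ($f.LastWriteTimeUtc -ge $GoodFrom) {
            Write-Host "KEEP    $($f.Name) ($stamp) is already the reverted build"
            continue
        }
        if ($PSCmdlet.ShouldProcess($f.FullName, "delete problematic channel file ($stamp)")) {
            New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
            Copy-Item -Path $f.FullName -Destination $BackupDir -Force
            Remove-Item -Path $f.FullName -Force
            Write-Host "REMOVED $($f.Name) (copy kept in $BackupDir)"
        }
    }
}

# Method 2 as a fallback: stop csagent.sys from loading at all (Start 1 -> 4).
# Only valid once Windows itself is booted (Safe Mode); from WinRE the offline
# SYSTEM hive would first have to be loaded with reg.exe load.
function Disable-CSAgent {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\CSAgent'
    $cur = (Get-ItemProperty -Path $key -Name Start).Start
    if ($PSCmdlet.ShouldProcess($key, "change Start from $cur to 4")) {
        Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord
    }
}

# Dry run first (-WhatIf), then for real.
Remove-BadChannelFile -WhatIf
# Remove-BadChannelFile
# Disable-CSAgent   # only if the host still crashes after the file is gone
```

Remember to set Start back to 1 once a good channel file is in place, otherwise the host stays unprotected.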

If you are running Windows on an AWS EC2 instance, you can try the following method:

  • Detach the EBS volume from the impacted EC2 instance
  • Attach the EBS volume to a new EC2 instance
  • Fix the CrowdStrike driver folder as per the workaround suggested by CrowdStrike
  • Detach the EBS volume from the new EC2 instance
  • Attach the EBS volume to the impacted EC2 instance

The above method can also be applied for Windows instances running on Google Cloud Platform.
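The EC2 procedure above as an added PowerShell script; this is not code from the article or from AWS. It assumes the AWS Tools for PowerShell module with credentials and region already configured, a rescue instance in the same Availability Zone (the instance ids are placeholders supplied by the caller), and it adds two steps the list leaves implicit: stopping the impacted instance, because a root volume cannot be detached while it is running, and taking the snapshot that CrowdStrike's own advisory calls for before the volume is touched.

```powershell
# Added example, not the article's or AWS's own code. Uses AWS Tools for
# PowerShell (Install-Module AWS.Tools.EC2) with credentials and region already
# configured; instance ids are assumed placeholders supplied by the caller.
Import-Module AWS.Tools.EC2

function Wait-EC2VolumeState {
    param([string]$VolumeId, [string]$State, [int]$TimeoutSec = 300)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-EC2Volume -VolumeId $VolumeId).State.ToString() -ne $State) {
        if ((Get-Date) -gt $deadline) { throw "volume $VolumeId never became '$State'" }
        Start-Sleep -Seconds 5
    }
}

# Steps 1-2: move the impacted host's root volume to a rescue instance.
function Move-RootVolumeForRepair {
    param(
        [Parameter(Mandatory)][string]$ImpactedInstanceId,
        [Parameter(Mandatory)][string]$RescueInstanceId,
        [string]$RescueDevice = 'xvdf'   # appears as a secondary disk on the rescue host
    )
    $inst = (Get-EC2Instance -InstanceId $ImpactedInstanceId).Instances[0]
    $rootDev = $inst.RootDeviceName    # the name it must be reattached under later
    $volId = ($inst.BlockDeviceMappings | Where-Object DeviceName -eq $rootDev).Ebs.VolumeId

    # A root volume can only be detached from a stopped instance.
    if ($inst.State.Name.ToString() -ne 'stopped') {
        Stop-EC2Instance -InstanceId $ImpactedInstanceId | Out-Null
        do { Start-Sleep -Seconds 5 } until ((Get-EC2Instance -InstanceId $ImpactedInstanceId).Instances[0].State.Name.ToString() -eq 'stopped')
    }
    # Snapshot before touching anything, as the advisory recommends.
    $snap = New-EC2Snapshot -VolumeId $volId -Description "pre-repair $ImpactedInstanceId"
    Dismount-EC2Volume -VolumeId $volId | Out-Null
    Wait-EC2VolumeState -VolumeId $volId -State 'available'
    Add-EC2Volume -VolumeId $volId -InstanceId $RescueInstanceId -Device $RescueDevice | Out-Null
    Wait-EC2VolumeState -VolumeId $volId -State 'in-use'
    [pscustomobject]@{ VolumeId = $volId; RootDevice = $rootDev; SnapshotId = $snap.SnapshotId }
}

# Steps 4-5, after the channel file has been removed on the rescue host
# (step 3, the per-host workaround): give the volume back and boot.
function Restore-RootVolume {
    param([string]$VolumeId, [string]$ImpactedInstanceId, [string]$RootDevice)
    Dismount-EC2Volume -VolumeId $VolumeId | Out-Null
    Wait-EC2VolumeState -VolumeId $VolumeId -State 'available'
    Add-EC2Volume -VolumeId $VolumeId -InstanceId $ImpactedInstanceId -Device $RootDevice | Out-Null
    Wait-EC2VolumeState -VolumeId $VolumeId -State 'in-use'
    Start-EC2Instance -InstanceId $ImpactedInstanceId | Out-Null
}
```

Keep the returned SnapshotId until the impacted instance has booted cleanly; if the repair goes wrong, the volume can be rebuilt from it (Option 2 in the advisory below).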

Update 1:

CrowdStrike CEO George Kurtz tweeted the following in response to the outages caused by CrowdStrike.

CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed. We…

— George Kurtz (@George_Kurtz) July 19, 2024

Here's the official summary of the details published by CrowdStrike:

Summary

CrowdStrike is aware of reports of crashes on Windows hosts related to the Falcon Sensor.

Details

Symptoms include hosts experiencing a bugcheck\blue screen error related to the Falcon Sensor.

Windows hosts which have not been impacted do not require any action as the problematic channel file has been reverted.

Windows hosts which are brought online after 0527 UTC will also not be impacted.

Hosts running Windows 7/2008 R2 are not impacted.

This issue is not impacting Mac- or Linux-based hosts.

Channel file "C-00000291*.sys" with timestamp of 0527 UTC or later is the reverted (good) version.

Channel file "C-00000291*.sys" with timestamp of 0409 UTC is the problematic version.

Current Action:

CrowdStrike Engineering has identified a content deployment related to this issue and reverted those changes.

If hosts are still crashing and unable to stay online to receive the Channel File Changes, the following steps can be used to work around this issue:

Workaround Steps for individual hosts:

Reboot the host to give it an opportunity to download the reverted channel file. If the host crashes again, then:

Note: BitLocker-encrypted hosts may require a recovery key.

Boot Windows into Safe Mode or the Windows Recovery Environment

NOTE: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.

Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory

Locate the file matching “C-00000291*.sys”, and delete it.

Boot the host normally.

Workaround Steps for public cloud or similar environment including virtual:

Option 1:

Detach the operating system disk volume from the impacted virtual server

Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes

Attach/mount the volume to a new virtual server

Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory

Locate the file matching “C-00000291*.sys”, and delete it.

Detach the volume from the new virtual server

Reattach the fixed volume to the impacted virtual server

Option 2:

Roll back to a snapshot before 0409 UTC.

AWS-specific documentation:

To attach an EBS volume to an instance

Detach an Amazon EBS volume from an instance

Azure environments:

Please see this Microsoft article

BitLocker recovery-related KBs:

BitLocker recovery in Microsoft Azure

BitLocker recovery in Microsoft environments using SCCM

BitLocker recovery in Microsoft environments using Active Directory and GPOs

BitLocker recovery in Microsoft environments using Ivanti Endpoint Manager

Source: CrowdStrike
