Daily Scoop 🍨: Remediation of the Crash of CrowdStrike Microsoft

daz888888888
07-20
$Microsoft(MSFT)$  

$CrowdStrike Holdings, Inc.(CRWD)$ 

CrowdStrike Microsoft Remediation

Symptoms of the Windows crash include hosts experiencing a bugcheck message or the Blue Screen of Death error, both of which are related to the CrowdStrike Falcon Sensor update. CrowdStrike has indicated that channel file C-00000291*.sys with a timestamp of 0409 UTC is the problematic version, and that channel file C-00000291*.sys with a timestamp of 0527 UTC (July 19) or later is the reverted (good) version.

CrowdStrike has also indicated that Windows hosts that are brought online after 0527 UTC, hosts running Windows 7/2008 R2, and Mac- or Linux-based hosts will not be impacted.

Current Actions for Remediation

Workaround Steps for individual hosts:

1. Reboot the host to give it an opportunity to download the reverted channel file. If the host crashes again, then:

2. Boot Windows into Safe Mode or the Windows Recovery Environment.

NOTE: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.

3. Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.

4. Locate the file matching C-00000291*.sys and delete it.

5. Boot the host normally.

Note: BitLocker-encrypted hosts may require a recovery key.

Workaround Steps for public cloud or similar environments, including virtual:

Option 1:

1. Detach the operating system disk volume from the impacted virtual server.

2. Create a snapshot or backup of the disk volume before proceeding further, as a precaution against unintended changes.

3. Attach/mount the volume to a new virtual server.

4. Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.

5. Locate the file matching C-00000291*.sys and delete it.

6. Detach the volume from the new virtual server.

7. Reattach the fixed volume to the impacted virtual server.

Option 2:

Roll back to a snapshot taken before 0409 UTC.
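The locate-and-delete step above, as an added PowerShell example (not CrowdStrike's or the author's script): it lists the C-00000291*.sys channel files, keeps any whose file timestamp is 0527 UTC (July 19) or later, and removes only the earlier, problematic ones. The year 2024 and the -WindowsRoot and -GoodSince parameter names are assumptions; for Option 1, point -WindowsRoot at the Windows directory of the mounted volume, and run with -WhatIf first.

```powershell
# Added example, not CrowdStrike's or the post author's script.
# Run from an elevated PowerShell in Safe Mode, or against a mounted
# volume, e.g.  .\Remove-BadChannelFile.ps1 -WindowsRoot 'F:\Windows' -WhatIf
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Windows directory to inspect; defaults to the running system's own.
    [string]$WindowsRoot = $env:WINDIR,
    # Files stamped at or after this instant are the reverted (good) build.
    # Assumption: the event year is 2024 (the post gives only day and month).
    [datetime]$GoodSince = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc)
)

$driverDir = Join-Path $WindowsRoot 'System32\drivers\CrowdStrike'
if (-not (Test-Path -LiteralPath $driverDir)) {
    Write-Error "CrowdStrike driver directory not found: $driverDir"
    exit 1
}

# Only the 291 channel file is implicated; leave every other C-*.sys alone.
$channelFiles = Get-ChildItem -LiteralPath $driverDir -Filter 'C-00000291*.sys' -File
if (-not $channelFiles) {
    Write-Host "No C-00000291*.sys channel file present in $driverDir; nothing to do."
    exit 0
}

foreach ($file in $channelFiles) {
    # NTFS stores timestamps in UTC, so this compares directly with $GoodSince.
    $stamp = $file.LastWriteTimeUtc
    if ($stamp -ge $GoodSince) {
        Write-Host ("KEEP   {0}  ({1:yyyy-MM-dd HH:mm} UTC, reverted build)" -f $file.Name, $stamp)
        continue
    }
    Write-Host ("REMOVE {0}  ({1:yyyy-MM-dd HH:mm} UTC, predates reverted build)" -f $file.Name, $stamp)
    # -WhatIf and -Confirm are honoured through ShouldProcess.
    if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete problematic channel file')) {
        Remove-Item -LiteralPath $file.FullName -Force
    }
}
```

After the removal, reboot the host normally (or reattach the volume) and confirm that the sensor downloads a C-00000291*.sys stamped 0527 UTC or later.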

Get Assistance If Still Affected

As many are affected worldwide, we understand that you might be impacted by the recent CrowdStrike agent issue and are working to fix it. I have posted the remediation here to help you.

Time For CrowdStrike to Rebound After 25% Decline?
Microsoft has experienced a global outage, causing disruptions to services for LME, banks, and multiple airlines. Crowdstrike has lost 25% in the past 5 days. --------------------- Is it enough for CrowdStrike's plunge? Time for rebound or further decline? Will you short or long CrowdStrike?
