Daily Scoop 🍨: Remediation of the Crash of CrowdStrike Microsoft
CrowdStrike Microsoft Remediation
Symptoms of the Windows crash include hosts experiencing a bugcheck message or the Blue Screen of Death error, both of which are related to a CrowdStrike Falcon Sensor update. CrowdStrike has indicated that channel file C-00000291*.sys with a timestamp of 0409 UTC (July 19) is the problematic version, and that channel file C-00000291*.sys with a timestamp of 0527 UTC (July 19) or later is the reverted (good) version.
CrowdStrike has also indicated that Windows hosts brought online after 0527 UTC, hosts running Windows 7/2008 R2, and Mac- or Linux-based hosts will not be impacted.
Current Actions for Remediation
Workaround Steps for individual hosts:
1. Reboot the host to give it an opportunity to download the reverted channel file. If the host crashes again, then:
2. Boot Windows into Safe Mode or the Windows Recovery Environment.
NOTE: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.
3. Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
4. Locate the file matching C-00000291*.sys and delete it.
5. Boot the host normally.
Note: BitLocker-encrypted hosts may require a recovery key.
Workaround Steps for public cloud or similar environments, including virtual:
Option 1:
1. Detach the operating system disk volume from the impacted virtual server.
2. Create a snapshot or backup of the disk volume before proceeding further, as a precaution against unintended changes.
3. Attach/mount the volume to a new virtual server.
4. Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory on the mounted volume.
5. Locate the file matching C-00000291*.sys and delete it.
6. Detach the volume from the new virtual server.
7. Reattach the fixed volume to the impacted virtual server.
Option 2:
Roll back to a snapshot taken before 0409 UTC.
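Both workarounds come down to one action: find C-00000291*.sys and remove only the bad build. The PowerShell below is an added example, not from this post or from CrowdStrike. It assumes the advisory's "timestamp" is the file's last-write time in UTC, and it takes a -DriverDir parameter so it can be pointed at a mounted volume (Option 1) as well as the local %WINDIR% path. It reports every matching file and removes only the 0409 UTC version, and only when -Remove is given (-WhatIf previews the deletion).

```powershell
<#
  Added example (not the post's or CrowdStrike's own code). Classifies each
  C-00000291*.sys file by its last-write time in UTC, using the 0409 UTC (bad)
  and 0527 UTC (reverted) July 19 2024 timestamps quoted in the advisory.
  Assumption: "timestamp" in the advisory means the file's last-write time.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Default is the running host's path; pass e.g. E:\Windows\System32\drivers\CrowdStrike
    # when the affected OS disk is mounted on another VM (Option 1 above).
    [string]$DriverDir = (Join-Path $env:WINDIR 'System32\drivers\CrowdStrike'),
    [switch]$Remove
)

$badStart  = [datetime]::new(2024, 7, 19, 4, 9, 0, [DateTimeKind]::Utc)   # problematic build pushed
$goodStart = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc)  # reverted build published

function Get-ChannelFileState {
    param([System.IO.FileInfo]$File)
    $t = $File.LastWriteTimeUtc
    if ($t -ge $goodStart) { return 'reverted' }   # 0527 UTC or later: keep it
    if ($t -ge $badStart)  { return 'bad' }        # the 0409 UTC version: remove it
    return 'pre-incident'                          # older file that never received the bad push
}

if (-not (Test-Path -LiteralPath $DriverDir)) {
    Write-Error "Directory not found: $DriverDir (is the OS volume mounted?)"
    exit 1
}

$files = Get-ChildItem -LiteralPath $DriverDir -Filter 'C-00000291*.sys' -File
if (-not $files) { Write-Output "No C-00000291*.sys file present in $DriverDir"; exit 0 }

foreach ($f in $files) {
    $state = Get-ChannelFileState -File $f
    Write-Output ('{0}  {1:u}  {2}' -f $f.Name, $f.LastWriteTimeUtc, $state)
    if ($state -eq 'bad' -and $Remove -and
        $PSCmdlet.ShouldProcess($f.FullName, 'Remove bad channel file')) {
        Remove-Item -LiteralPath $f.FullName -Force
    }
}
```

Run it once without -Remove to confirm which version is present; a host that still crashes after the reverted file is in place should be handled through CrowdStrike support rather than by deleting the reverted file.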
Get Assistance If Still Affected
As many are affected worldwide, we understand that you might be impacted by the recent CrowdStrike agent issue and are working to fix it. I have posted the remediation here to help you.
Disclaimer: Investing carries risk. This is not financial advice. The above content should not be regarded as an offer, recommendation, or solicitation to acquire or dispose of any financial products, and any associated discussions, comments, or posts by the author or other users should not be considered as such either. It is for general information purposes only and does not consider your own investment objectives, financial situation or needs. TTM assumes no responsibility or warranty for the accuracy and completeness of the information; investors should do their own research and may seek professional advice before investing.
- CaseyLKC · 07-21