An update to CrowdStrike's Falcon endpoint protection has caused Windows systems worldwide to go into an endless loop of the dreaded BSOD.

Several workarounds have been provided by CrowdStrike and Microsoft, including:

Booting into Safe Mode to delete the C-00000291*.sys file:

  1. Boot Windows into Safe Mode or the Windows Recovery Environment
  2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
  3. Locate the file matching “C-00000291*.sys”, and delete it.
  4. Boot the host normally.

If the host is a VM, detaching the disk and deleting the C-00000291*.sys file from another VM:

  • Detach the operating system disk volume from the impacted virtual server
  • Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes
  • Attach/mount the volume to a new virtual server
  • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
  • Locate the file matching “C-00000291*.sys”, and delete it.
  • Detach the volume from the new virtual server
  • Reattach the fixed volume to the impacted virtual server

Note though that if your drives are encrypted with BitLocker, things get a bit more complicated: you will first need the BitLocker recovery key for each host to boot into Safe Mode or to unlock the virtual disk once it is mounted.
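The two workarounds above end in the same step: find the C-00000291*.sys file under the CrowdStrike driver directory of the affected volume and delete it. The following PowerShell script is an added example, not part of the original post and not CrowdStrike's or Microsoft's own tooling. It performs that step against any volume root, so it can be run from Safe Mode against C:\ or from a rescue VM against the attached OS disk, and it handles the BitLocker caveat by unlocking a locked volume with the recovery password first. The script name Remove-FaultyChannelFile.ps1 and the parameter names -VolumeRoot and -RecoveryPassword are assumptions made for this example.

```powershell
<#
  Added example (not from the original post, CrowdStrike or Microsoft).
  Deletes C-00000291*.sys from the CrowdStrike driver directory of a Windows
  volume. -VolumeRoot and -RecoveryPassword are names chosen for this example.
  Supports -WhatIf for a dry run.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Root of the Windows volume to repair: "C:\" when running in Safe Mode on
    # the affected host, or e.g. "E:\" for an OS disk attached to a rescue VM.
    [Parameter(Mandatory = $true)]
    [string]$VolumeRoot,

    # 48-digit BitLocker recovery password; only needed if the volume is locked.
    [string]$RecoveryPassword
)

$ErrorActionPreference = 'Stop'
$mountPoint = $VolumeRoot.TrimEnd('\')   # BitLocker cmdlets expect "E:" not "E:\"

# Step 0: if the volume is BitLocker-protected and still locked, unlock it.
# Get-Command guards against hosts where the BitLocker module is absent.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $blv = Get-BitLockerVolume -MountPoint $mountPoint -ErrorAction SilentlyContinue
    if ($blv -and $blv.LockStatus -eq 'Locked') {
        if (-not $RecoveryPassword) {
            throw "$mountPoint is BitLocker-locked; rerun with -RecoveryPassword."
        }
        Unlock-BitLocker -MountPoint $mountPoint -RecoveryPassword $RecoveryPassword | Out-Null
        Write-Host "Unlocked BitLocker volume $mountPoint"
    }
}

# Step 1: locate the CrowdStrike driver directory on this volume.
$driverDir = Join-Path $VolumeRoot 'Windows\System32\drivers\CrowdStrike'
if (-not (Test-Path -LiteralPath $driverDir)) {
    throw "No CrowdStrike driver directory at $driverDir; is $VolumeRoot really the OS volume?"
}

# Step 2: find every file matching the pattern from the vendor guidance.
# ($matches is a PowerShell automatic variable, so a different name is used.)
$channelFiles = Get-ChildItem -LiteralPath $driverDir -Filter 'C-00000291*.sys' -File
if (-not $channelFiles) {
    Write-Host "No C-00000291*.sys file found in $driverDir; nothing to do."
    return
}

# Step 3: show name, size and timestamp before touching anything so the
# operator can confirm these are the channel files they expect to remove.
$channelFiles | Format-Table Name, Length, LastWriteTimeUtc -AutoSize | Out-String | Write-Host

# Step 4: delete. With -WhatIf, ShouldProcess returns $false and only reports
# what would be deleted, which is useful for a first pass on the rescue VM.
foreach ($f in $channelFiles) {
    if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete CrowdStrike channel file')) {
        Remove-Item -LiteralPath $f.FullName -Force
        Write-Host "Deleted $($f.FullName)"
    }
}
```

Usage: in Safe Mode on the affected host, `.\Remove-FaultyChannelFile.ps1 -VolumeRoot 'C:\'`; on a rescue VM with the OS disk attached, `.\Remove-FaultyChannelFile.ps1 -VolumeRoot 'E:\' -RecoveryPassword '<48-digit key>' -WhatIf` first, then again without -WhatIf. Two practical caveats: drive letters shift, so confirm which letter the attached disk received with `Get-Volume` before running; and the Windows Recovery Environment may not ship the BitLocker PowerShell module, in which case `manage-bde -unlock E: -RecoveryPassword <key>` unlocks the volume before the script is run.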

Microsoft has also reported that repeatedly rebooting an affected Azure VM (as many as 15 times, according to customer feedback) has allowed some hosts to recover without manual intervention.
