Recently, many users have encountered “Blue Screen” errors on their Windows devices due to issues with CrowdStrike Falcon clients. If your Windows device is stuck on a blue screen at boot, this is likely the cause.
What’s Happening:
1. Exception Code 0xc0000005:
   - This code indicates an “Access Violation” error: the system tried to read or write a memory location that it should not have.
2. Crash Location:
   - The crash occurred in a component named `csagent.sys`, which belongs to CrowdStrike Falcon, a cybersecurity product.
   - The exact memory address where the error occurred is `fffff8021df35a1`.
3. Memory Error:
   - The system tried to access memory at location `0x000000000000009c`, which it couldn’t. This is likely an invalid or protected memory address.
4. Process Information:
   - The crash happened in the `System` process, which is critical for the operation of Windows.
To resolve this issue, follow the steps below to boot your device into Safe Mode or Recovery Mode and delete the problematic file. We will update this post and instructions as new information becomes available.
Fixing the Windows Device Problem (Remediation)
If your Windows device is experiencing issues, follow these steps to fix the problem:
Reboot Your Device
- Restart Your Computer
- Try restarting your computer 3–5 times. This might automatically fix the issue by downloading the necessary file updates.
- If your device crashes after several reboot attempts, proceed to the next steps.
Option 1: Using Safe Mode
1. Boot into Safe Mode
   - Restart your computer by holding down the power button until the device powers off. Press the power button again to start the device.
   - As it starts up, repeatedly press the F8 key (or Shift + F8) until you see the Advanced Boot Options menu.
   - Select Safe Mode from the list.
   Note: If your device uses BitLocker encryption, you might be asked for your BitLocker recovery key after selecting Safe Mode. If prompted and you don’t have it, please contact your local IT support staff or the OIT Service Desk.
2. Navigate to the CrowdStrike Directory
   - Once in Safe Mode, open File Explorer (the folder icon on your taskbar).
   - Go to This PC or My Computer.
   - Open the C: drive (or your main drive).
   - Navigate to Windows > System32 > drivers > CrowdStrike.
3. Delete the Problematic File
   - In the CrowdStrike folder, look for a file that starts with “C-00000291” and ends with “.sys”. It might look like “C-00000291xyz.sys”.
   - Right-click on the file and select Delete.
4. Boot Normally
   - Close any open windows and restart your computer normally.
Option 2: Using the Windows Recovery Environment
1. Reboot Your Device into the Recovery Environment
   - Restart your computer by holding down the power button until the device powers off. Press the power button again to start the device.
   - As it starts up, immediately hold down the power button to force a shutdown. Repeat this process three times.
   - On the fourth startup, your computer should enter the Windows Recovery Environment.
   Note: If your device uses BitLocker encryption, you might be asked for your BitLocker recovery key when entering the Windows Recovery Environment. If prompted and you don’t have it, please contact your local IT support staff or the OIT Service Desk for assistance.
2. Open Command Prompt
   - In the Windows Recovery Environment, select Troubleshoot.
   - Then select Advanced options.
   - Choose Command Prompt. This opens a command line window, usually starting with a temporary drive letter such as X:.
3. Navigate to the Correct Drive and Folder
   - Type `C:` and press Enter to switch to the C: drive.
   - Next, type `cd \Windows\System32\drivers\CrowdStrike` and press Enter to navigate to the CrowdStrike folder.
4. Delete the Problematic File
   - In the command prompt, type `del C-00000291*.sys` and press Enter. This command deletes the file that starts with “C-00000291” and ends with “.sys”.
5. Boot Normally
   - Close the Command Prompt window.
   - Restart your computer normally.
Steps for Regaining Access to AWS & Azure
For Cloud Environments:
AWS (Amazon Web Services):
- Detach the EBS volume from the impacted EC2 instance.
- Attach the EBS volume to a new EC2 instance.
- Fix the CrowdStrike driver folder.
- Detach the EBS volume from the new EC2 instance.
- Attach the EBS volume back to the impacted EC2 instance.
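The “delete the problematic file” step appears three times above (Safe Mode, the Recovery Environment, and the AWS step “Fix the CrowdStrike driver folder” on a rescue instance). The following script, an added example that is not CrowdStrike’s code and not part of the original post, performs that one step from a PowerShell session. It assumes the affected Windows volume is reachable under a drive letter (C: when run inside Safe Mode, or whatever letter the detached EBS volume receives on the rescue EC2 instance) and that the session is elevated. It only touches files matching C-00000291*.sys, and records each file’s timestamp and SHA-256 before removing it so the change can be audited afterwards; the `-DryRun` switch is a hypothetical parameter of this script that lists matches without deleting anything.

```powershell
<#
Added example, not the original post's or CrowdStrike's code.
Removes the faulty channel file C-00000291*.sys from a Windows volume.
Assumptions: the volume has a drive letter (C: in Safe Mode; e.g. D: or E:
for an EBS volume attached to a rescue EC2 instance) and PowerShell is elevated.
#>
param(
    [string]$Drive = 'C',   # drive letter of the affected Windows volume
    [switch]$DryRun         # list matching files without deleting them
)

$csDir = Join-Path "${Drive}:\" 'Windows\System32\drivers\CrowdStrike'
if (-not (Test-Path $csDir)) {
    # On a rescue instance the Windows volume is rarely C:; check the letter first.
    Write-Error "CrowdStrike driver folder not found at $csDir (wrong drive letter?)"
    exit 1
}

# Only the channel file named in the advisory is targeted. csagent.sys and the
# other channel files are left alone so the sensor keeps running after reboot.
$files = Get-ChildItem -Path $csDir -Filter 'C-00000291*.sys' -File
if (-not $files) {
    Write-Output "No C-00000291*.sys file in $csDir; nothing to do."
    exit 0
}

foreach ($f in $files) {
    # Record name, last-write time and hash before deletion for the change record.
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    Write-Output ("{0}  written={1:u}  sha256={2}" -f $f.FullName, $f.LastWriteTimeUtc, $hash)
    if ($DryRun) {
        Write-Output "  (dry run) would delete $($f.Name)"
    } else {
        Remove-Item -Path $f.FullName -Force
        Write-Output "  deleted $($f.Name)"
    }
}
```

Run it first with `-DryRun` (for example `.\remove-channel-file.ps1 -Drive E -DryRun` on the rescue instance) to confirm that exactly one file is matched, then again without the switch; the printed hash line is worth keeping with the ticket for the affected machine.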
Azure:
- Log in to the Azure console.
- Go to Virtual Machines and select the affected VM.
- In the upper left of the console, click “Connect”.
- Click “More ways to Connect” and then select “Serial Console”.
- Once SAC has loaded, type in ‘cmd’ and press Enter.
- Type ‘ch -si 1’ and press the space bar.
- Enter Administrator credentials.
- Type the following commands (safeboot holds a single value, so whichever command runs last is the one that takes effect; `network` keeps networking available in Safe Mode):
  bcdedit /set {current} safeboot minimal
  bcdedit /set {current} safeboot network
- Restart the VM.
- To confirm the boot state, run the command: `wmic COMPUTERSYSTEM GET BootupState`
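The bcdedit setting used in the Azure steps persists across reboots: a VM left with `safeboot` set keeps starting in Safe Mode even after the channel file has been removed, so the value has to be deleted again before the final restart. The following added example (not the original post’s code) wraps the boot-state check and the bcdedit commands from the steps above into small functions so the setting can be checked, set and cleared from the same session. It assumes an elevated PowerShell session on the VM (for example over the Serial Console, as in the post) and that `{current}` names the boot entry the VM is running; the function names are this example’s own.

```powershell
<#
Added example, not the original post's code. Check, set and clear the
Safe Mode (safeboot) boot setting used in the Azure steps.
Assumptions: elevated PowerShell on the VM; {current} is the running boot entry.
#>

function Get-BootState {
    # Same data as "wmic COMPUTERSYSTEM GET BootupState" (wmic is deprecated).
    # Values: "Normal boot", "Fail-safe boot", "Fail-safe with network boot".
    (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
}

function Get-SafeBootSetting {
    # Returns "minimal", "network", or $null when no safeboot value is set.
    foreach ($line in (bcdedit /enum '{current}')) {
        if ($line -match '^\s*safeboot\s+(\S+)') { return $Matches[1] }
    }
    return $null
}

function Set-SafeBoot {
    param([ValidateSet('minimal', 'network')][string]$Mode = 'network')
    # "network" keeps networking up so the sensor can fetch corrected content.
    bcdedit /set '{current}' safeboot $Mode | Out-Null
}

function Clear-SafeBoot {
    # Delete the value so the next restart is a normal boot.
    bcdedit /deletevalue '{current}' safeboot | Out-Null
}

$setting = Get-SafeBootSetting
if (-not $setting) { $setting = 'not set' }
Write-Output ("Boot state       : {0}" -f (Get-BootState))
Write-Output ("safeboot setting : {0}" -f $setting)

# Typical sequence on an affected VM:
#   Set-SafeBoot -Mode network ; Restart-Computer   # boot into Safe Mode
#   (delete C-00000291*.sys as described above)
#   Clear-SafeBoot ; Restart-Computer               # back to a normal boot
```

The braces in `{current}` are quoted because PowerShell otherwise treats them as a script block; in cmd.exe (as in the Serial Console steps) the unquoted form from the post is correct. After the final restart, `Get-BootState` should report “Normal boot” and `Get-SafeBootSetting` should return nothing.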
Conclusion
This guide provides a comprehensive approach to resolving Windows blue screen errors caused by CrowdStrike Falcon clients. The manual nature of this fix poses a significant challenge, especially for companies without backups for all VDIs, potentially slowing down the recovery process. Customers will also need a recovery key to access Safe Mode if BitLocker is enabled on the system disk.
CrowdStrike Engineering has reversed the changes causing this issue, with the error code displayed on affected systems: “Tech-Alert-Windows-crashes-related-to-Falcon-Sensor-2024–07–19.”