Quick Fix for the BSOD Error in the latest Crowdstrike Windows Update

Introduction

On July 19, 2024, a faulty update for Crowdstrike Falcon Sensor caused a Blue Screen of Death (BSOD) error on affected Windows devices. This widespread issue impacted numerous organizations, including those operating critical infrastructure. The error was caused by a specific ChannelDate file with a timestamp of 04:09 UTC 19.07.2024.

Affected Systems

  • Windows devices with Crowdstrike Falcon Sensor installed
  • Devices that have the ChannelDate file “C-00000291*.sys” with a timestamp of 04:09 UTC 19.07.2024

Impact

  • Systems may experience a BSOD error and restart repeatedly
  • Users may be unable to access their devices
  • Businesses may experience disruptions to critical operations

Workarounds

Individual Systems

  1. Boot into Safe Mode or the Windows Recovery Environment
  2. Navigate to C:\Windows\System32\drivers\CrowdStrike
  3. Locate the file matching “C-00000291*.sys” and delete it
  4. Restart the system

Cloud Systems and Virtualized Systems

  1. Detach the operating system disk volume from the impacted virtual server
  2. Create a snapshot or backup of the disk volume
  3. Attach/mount the volume to a new virtual server
  4. Follow steps 3 and 4 from the “Individual Systems” workaround
  5. Detach the volume from the new virtual server
  6. Reattach the fixed volume to the impacted virtual server
  7. Roll back to a snapshot before 04:09 UTC

Microsoft Azure Systems

  1. Log in to the Azure console
  2. Select the affected VM
  3. Click “Connect” > “Serial Console”
  4. Once SAC has loaded, type in “cmd” and press enter
  5. Type in “ch -si 1” and press any key
  6. Enter Administrator credentials
  7. Type the following:
bcdedit /set {current} safeboot minimal
bcdedit /set {current} safeboot network

8. Restart the VM

Additional Notes

  • For Bitlocker-encrypted systems, disable Bitlocker and ensure the recovery key is backed up before restarting.
  • Some users have reported that booting into “Windows Safe Mode with Network” and waiting for the faulty file to be automatically replaced by an update may resolve the issue.
  • It is recommended to follow the manufacturer’s workaround instructions provided above.

Prevention

To prevent similar incidents in the future, organizations should implement the following measures:

  • Regularly apply security patches and updates from reputable vendors
  • Have a robust backup and recovery plan in place
  • Implement proper change management procedures
  • Test updates in a staging environment before deploying them to production systems

Conclusion

The recent Crowdstrike Falcon Sensor update issue highlights the importance of having a comprehensive cybersecurity strategy in place. By implementing the recommended measures, organizations can minimize their risk of being impacted by such incidents.

Source: https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-257485-10F1.pdf?__blob=publicationFile&v=3

Leave a Reply