
CrowdStrike Falcon BSOD Issue: Troubleshooting and Resolution Guide 

In light of the current cybersecurity issue, our experts explain how to troubleshoot and resolve it if you are affected.

Incident

Symptoms include Windows hosts experiencing a blue screen (BSOD) related to the Falcon Sensor.  

CrowdStrike Engineering identified a content deployment update related to this issue, pushed at 4:09 AM UTC. The changes have since been reverted. 

As a result, hosts that booted up after 5:27 AM UTC should not experience any issues. This issue does not impact Mac or Linux-based hosts. 

Reminder

Only uninstall CrowdStrike or follow the steps below if your systems are experiencing issues. 

If your systems have booted up and are back online, there is no need to uninstall CrowdStrike. 

After following the steps below, CrowdStrike will resume normal operations, and your systems will remain protected. 

Troubleshooting

If you are stuck at a reboot loop with a BSOD: 

CrowdStrike recommended booting into Safe Mode, but many customers reported problems with booting into Safe Mode.  

The following steps should work universally, even if the system does not have a local Admin account and does not have an internet connection. 

  1. Allow the system to boot and crash three times to access the menu. 

  2. Select Troubleshoot > Advanced Options > Command Prompt. 

  3. Enter your BitLocker Recovery Key if prompted. 

     // If BitLocker is managed via Intune, the key can be found at https://myaccount.microsoft.com, under "devices." Make sure to match the Hostname of the device and the Key ID. 

     // Otherwise, ask your local IT administrator for your BitLocker Recovery Key. 

  4. Type the following commands in the Command Prompt window, pressing Enter after each one. 

  • Warning: The Command Prompt starts at the X:\ drive. Do not forget to switch to c:\ by typing these commands exactly: 

  • c:  

  • cd windows  

  • cd system32  

  • cd drivers  

  • cd crowdstrike  

  • del C-00000291*  

  • exit 

     // If the file is still on the system: 

     -- Channel file "C-00000291*.sys" with a timestamp of 05:27 UTC or later is the reverted (good) version. 

     -- Channel file "C-00000291*.sys" with a timestamp of 04:09 UTC is the problematic version. The file's presence on a system does not necessarily mean the workaround needs to be applied. 

  5. Click Continue to Windows. 

 

Public cloud or similar environment, including VMs

Option 1

  1. Detach the OS disk volume from the affected virtual server. 

  2. Create a snapshot or backup of the disk volume. 

  3. Attach/mount the volume to a new virtual server. 

  4. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory. 

  5. Locate and delete the file matching “C-00000291*.sys”. 

  6. Detach the volume from the new virtual server. 

  7. Reattach the fixed volume to the affected virtual server. 
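
An added example, not part of the original guide or of CrowdStrike's tooling: a read-only PowerShell check for the repair server in Option 1 that applies the guide's timestamp rule (04:09 UTC problematic, 05:27 UTC or later reverted) to the mounted volume before anything is deleted. The parameter names are assumptions, and the update date is a required input because the guide states only the times.

```powershell
# Added example: read-only audit of channel file 291 on a mounted OS volume.
# Parameter names are illustrative; nothing is deleted or modified.
param(
    # Drive letter the affected volume received on the repair server, e.g. E
    [Parameter(Mandatory)] [string]   $MountedDrive,
    # UTC calendar date of the content update (the guide states only the times)
    [Parameter(Mandatory)] [datetime] $UpdateDateUtc
)

$dir = '{0}:\Windows\System32\drivers\CrowdStrike' -f $MountedDrive.TrimEnd(':', '\')
if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
    Write-Error "CrowdStrike driver directory not found: $dir"
    exit 2
}

# Thresholds from the guide: 04:09 UTC = problematic, 05:27 UTC or later = reverted.
$day          = [datetime]::SpecifyKind($UpdateDateUtc.Date, [DateTimeKind]::Utc)
$badMinute    = $day.AddHours(4).AddMinutes(9)
$revertedFrom = $day.AddHours(5).AddMinutes(27)

$files = @(Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File -Force)
if ($files.Count -eq 0) {
    Write-Output "No C-00000291*.sys file in $dir; nothing to remove."
    exit 0
}

$report = @(foreach ($f in $files) {
    # NTFS stores write times in UTC, so the repair server's time zone is irrelevant.
    $ts     = $f.LastWriteTimeUtc
    # Truncate to the minute so 04:09:xx matches the guide's 04:09 timestamp.
    $minute = $ts.AddTicks(-($ts.Ticks % [TimeSpan]::TicksPerMinute))
    $verdict = if ($ts -ge $revertedFrom) {
        'Reverted (keep)'
    } elseif ($minute -eq $badMinute) {
        'Problematic (delete per guide)'
    } else {
        'Not covered by the guide (review manually)'
    }
    [pscustomobject]@{ File = $f.Name; LastWriteUtc = $ts.ToString('u'); Verdict = $verdict }
})

$report | Format-Table -AutoSize
# Exit code 1 signals that at least one problematic file is still present.
if ($report.Verdict -like 'Problematic*') { exit 1 }
```

Saved as a .ps1 file and run against the attached volume, the script exits with 1 when a problematic file is found, 0 otherwise, and 2 when the CrowdStrike directory is missing.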

 

Option 2

  • Roll back to a snapshot before 04:09 UTC. 

 

Azure via serial to get into Safe Mode 

  1. Log in to the Azure console --> Go to Virtual Machines --> Select the VM. 

  2. Upper left on console --> Click "Connect" --> Click "Connect" --> Click "More ways to Connect" --> Click "Serial Console". 

  3. Once SAC has loaded, type 'cmd' and press Enter. 

  • type in the 'cmd' command  

  • type in: ch -si 1 

  4. Press any key (space bar). 

  5. Enter Administrator credentials. Type the following: 

  • bcdedit /set {current} safeboot minimal  

  • bcdedit /set {current} safeboot network 

  6. Restart the VM. 

  Optional: to confirm the boot state, run the command: 

  • wmic COMPUTERSYSTEM GET BootupState 
