Help Desk, NOC, Ded Tech Service

For Devices protected with CrowdStrike they might be stuck in a Blue Screen loop after a reboot. Below are steps you can take to remove that specific update, after booting back up the machine should be operational. 

1. Boot Windows into Safe Mode or WinRE (Windows Recovery Environment) with Networking
2. Locate and rename the file matching " C:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys" to end in .old
3. Boot normally.

For your convenience we also created a script that will .old the offending file that was identified. You can run this as a custom PowerShell script from the devices page:

#Get all files that match the specified pattern
$files = Get-ChildItem -Path "C:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys"

#Loop through each file and rename it with the .old extension
foreach ($file in $files) {
    $newName = $file.Name + ".old"
    Rename-Item -Path $file.FullName -NewName $newName -Force
}

If you have Help Desk Services, feel free to have your end clients contact us and we will assist them with the steps above.

------------------------------
Grant Greenawalt
Manager, Automation Engineer
ConnectWise
------------------------------

We don't use CS, but out of curiosity, will the RMM script work even if the machine is in the boot loop you mentioned?

Also, is it fair to really call this an "outage"? 😬 At least we're not still calling it a "Microsoft Outage". :)

For Devices protected with CrowdStrike they might be stuck in a Blue Screen loop after a reboot. Below are steps you can take to remove that specific update, after booting back up the machine should be operational. 

1. Boot Windows into Safe Mode or WinRE (Windows Recovery Environment) with Networking
2. Locate and rename the file matching " C:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys" to end in .old
3. Boot normally.

For your convenience we also created a script that will .old the offending file that was identified. You can run this as a custom PowerShell script from the devices page:

#Get all files that match the specified pattern
$files = Get-ChildItem -Path "C:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys"

#Loop through each file and rename it with the .old extension
foreach ($file in $files) {
    $newName = $file.Name + ".old"
    Rename-Item -Path $file.FullName -NewName $newName -Force
}

If you have Help Desk Services, feel free to have your end clients contact us and we will assist them with the steps above.

------------------------------
Grant Greenawalt
Manager, Automation Engineer
ConnectWise
------------------------------