Help Desk, NOC, Ded Tech Service

  • 1.  CrowdStrike Outage

    Posted 07-19-2024 08:50 AM
    Edited by Grant Greenawalt 07-19-2024 08:50 AM

    For Devices protected with CrowdStrike they might be stuck in a Blue Screen loop after a reboot. Below are steps you can take to remove that specific update, after booting back up the machine should be operational. 

    1. Boot Windows into Safe Mode or WinRE (Windows Recovery Environment) with Networking
    2. Locate and rename the file matching " C:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys" to end in .old
    3. Boot normally.

     

    For your convenience we also created a script that will .old the offending file that was identified. You can run this as a custom PowerShell script from the devices page:

    #Get all files that match the specified pattern
    $files = Get-ChildItem -Path "C:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys"

    #Loop through each file and rename it with the .old extension
    foreach ($file in $files) {
        $newName = $file.Name + ".old"
        Rename-Item -Path $file.FullName -NewName $newName -Force
    }

    If you have Help Desk Services, feel free to have your end clients contact us and we will assist them with the steps above.



    ------------------------------
    Grant Greenawalt
    Manager, Automation Engineer
    ConnectWise
    ------------------------------



  • 2.  RE: CrowdStrike Outage

    Posted 07-19-2024 08:53 AM

    We don't use CS, but out of curiosity, will the RMM script work even if the machine is in the boot loop you mentioned?

    Also, is it fair to really call this an "outage"? 😬 At least we're not still calling it a "Microsoft Outage". :)




  • 3.  RE: CrowdStrike Outage

    Posted 07-19-2024 11:16 AM

    Unfortunately, the Agent is unable to check in before the blue screen event, so tasking/scripting from Asio is not possible. In WinRE with networking you could use ScreenConnect backstage access to run the script previously provided.

    For more details, CrowdStrike did release an announcement that the fix has been applied (resource: Statement on Falcon Content Update for Windows Hosts - crowdstrike.com). Due to what I described above though, they cannot receive the fix without Internet, where manual intervention is likely needed.



    ------------------------------
    Grant Greenawalt
    Manager, Automation Engineer
    ConnectWise
    ------------------------------

    Original Message


Related Content