Quick Fix for the BSOD Error in the latest Crowdstrike Windows Update

Introduction

On July 19, 2024, a faulty update for Crowdstrike Falcon Sensor caused a Blue Screen of Death (BSOD) error on affected Windows devices. This widespread issue impacted numerous organizations, including those operating critical infrastructure. The error was caused by a specific ChannelDate file with a timestamp of 04:09 UTC 19.07.2024.

Affected Systems

• Windows devices with Crowdstrike Falcon Sensor installed
• Devices that have the ChannelDate file “C-00000291*.sys” with a timestamp of 04:09 UTC 19.07.2024

Impact

• Systems may experience a BSOD error and restart repeatedly
• Users may be unable to access their devices
• Businesses may experience disruptions to critical operations

Workarounds

Individual Systems

1. Boot into Safe Mode or the Windows Recovery Environment
2. Navigate to C:\Windows\System32\drivers\CrowdStrike
3. Locate the file matching “C-00000291*.sys” and delete it
4. Restart the system

Cloud Systems and Virtualized Systems

1. Detach the operating system disk volume from the impacted virtual server
2. Create a snapshot or backup of the disk volume
3. Attach/mount the volume to a new virtual server
4. Follow steps 3 and 4 from the “Individual Systems” workaround
5. Detach the volume from the new virtual server
6. Reattach the fixed volume to the impacted virtual server
7. Roll back to a snapshot before 04:09 UTC

Microsoft Azure Systems

1. Log in to the Azure console
2. Select the affected VM
3. Click “Connect” > “Serial Console”
4. Once SAC has loaded, type in “cmd” and press enter
5. Type in “ch -si 1” and press any key
6. Enter Administrator credentials
7. Type the following:

bcdedit /set {current} safeboot minimal
bcdedit /set {current} safeboot network

8. Restart the VM

Additional Notes

• For Bitlocker-encrypted systems, disable Bitlocker and ensure the recovery key is backed up before restarting.
• Some users have reported that booting into “Windows Safe Mode with Network” and waiting for the faulty file to be automatically replaced by an update may resolve the issue.
• It is recommended to follow the manufacturer’s workaround instructions provided above.

Prevention

To prevent similar incidents in the future, organizations should implement the following measures:

• Regularly apply security patches and updates from reputable vendors
• Have a robust backup and recovery plan in place
• Implement proper change management procedures
• Test updates in a staging environment before deploying them to production systems

Conclusion

The recent Crowdstrike Falcon Sensor update issue highlights the importance of having a comprehensive cybersecurity strategy in place. By implementing the recommended measures, organizations can minimize their risk of being impacted by such incidents.

Source: https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-257485-10F1.pdf?__blob=publicationFile&v=3