July 19, 2024
Global Computer Failure After CrowdStrike Update: What You Need to Know
There are several media reports of a global computer outage following an update from cyber security firm CrowdStrike. Windows computers in particular show a “Blue Screen of Death” (BSOD), which prevents them from booting. What is going on and what can you do? Let’s explore this further. 🕵️
What’s going on?
- Update Problems: The most recent update to CrowdStrike Agent is causing a Blue Screen of Death (BSOD).
- CrowdStrike’s Response: CrowdStrike acknowledges the problems and is currently investigating in order to resolve them.
- No Patch Available: No official patch is available at this time, but a workaround has been shared by CrowdStrike.
Research and Workaround
- Research: The National Cyber Security Center (NCSC) has confirmed that the workaround provided by CrowdStrike works.
- Labor-intensive: The workaround is very labor-intensive and must be performed on a system-by-system basis.
- No Malicious Actions: The NCSC currently has no indication that the outage resulted from malicious actions.
Background information
On Thursday, July 18, 2024, CrowdStrike reported widespread BSODs (Blue Screen of Death) on Windows hosts due to a faulty Falcon Sensor update. You can find CrowdStrike’s official statement and steps for recovery here.
“The faulty update began spreading at 04:09 UTC. We can confirm that the affected update has been withdrawn by CrowdStrike and that Windows hosts booted after 05:27 UTC should not be affected.”
Machines with an available backup before 04:09 UTC can be restored by returning to that backup.
The recovery process involves booting the affected machine into Windows recovery mode and then deleting the affected file, “C:\Windows\System32\CrowdStrike\C-00000291.sys”. In addition, some machines can recover through a series of (up to 15) restarts.
What can you do? 💡
If you haven’t already done the most recent update to CrowdStrike Agent:
- Do Not Run the Update: Do not run the update until a verified solution is available.
If your systems are stuck in a crash loop, follow these steps for manual intervention:
- Boot Windows to Safe Mode: Boot your computer in safe mode.
- Navigate to CrowdStrike Directory: Go to C:\Windows\System32\drivers\CrowdStrike in Explorer.
- Rename the Problem File:
  - Locate the file “C-00000291-00000000-00000032.sys”.
  - Right-click the file and rename it to “C-00000291-00000000-00000032.renamed” (the version may vary by host).
- Boot the Host: Restart the computer.
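The manual steps above, scripted so they can be repeated host by host from an elevated PowerShell prompt in Safe Mode. This is an added example, not CrowdStrike's or NCSC's own tooling; the function name, the `-WindowsRoot` parameter and the `C-00000291*.sys` wildcard are assumptions made here.

```powershell
# Added example (not CrowdStrike's or NCSC's tooling). Run elevated, in Safe Mode.
function Rename-FaultyCrowdStrikeFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumption: defaults to the running Windows installation; pass another
        # root (e.g. 'D:\Windows') if the affected disk is mounted elsewhere.
        [string]$WindowsRoot = $env:SystemRoot,
        # Assumption: wildcard covering the file names given in the article,
        # because the version suffix may vary by host.
        [string]$Pattern = 'C-00000291*.sys'
    )

    $dir = Join-Path $WindowsRoot 'System32\drivers\CrowdStrike'
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        Write-Warning "CrowdStrike directory not found: $dir"
        return
    }

    $files = @(Get-ChildItem -LiteralPath $dir -Filter $Pattern -File)
    if ($files.Count -eq 0) {
        Write-Output "No file matching $Pattern in $dir; nothing to rename."
        return
    }

    foreach ($file in $files) {
        # Same name as in the manual step: only the extension changes.
        $newName = [System.IO.Path]::ChangeExtension($file.Name, '.renamed')
        if (Test-Path -LiteralPath (Join-Path $dir $newName)) {
            Write-Warning "Skipping $($file.Name): $newName already exists."
            continue
        }
        if ($PSCmdlet.ShouldProcess($file.FullName, "Rename to $newName")) {
            Rename-Item -LiteralPath $file.FullName -NewName $newName
            # Emit one record per renamed file so the change can be logged.
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                OldName    = $file.Name
                NewName    = $newName
                RenamedUtc = (Get-Date).ToUniversalTime().ToString('u')
            }
        }
    }
}

# Preview only: lists what would be renamed without touching anything.
Rename-FaultyCrowdStrikeFile -WhatIf
```

Once the preview shows the expected file, call `Rename-FaultyCrowdStrikeFile` without `-WhatIf` and then restart the computer.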
Need help? Contact us or ask your IT service provider for help implementing this workaround. The Digital Trust Center (DTC) recommends following NCSC’s coverage for the latest news.
Follow the Latest News
For updates on the outage and further instructions, follow the NCSC update on CrowdStrike.
Stay safe and make sure your systems remain up-to-date and protected. 🚀🔒