CrowdStrike issue: Workarounds

Physical Machines

If you have physical machines:

– After 3 failed boots, Windows will go into “Automatic Repair” mode (you might need your BitLocker PIN).

– In the automatic repair page click “Advanced Options” > “Troubleshoot” > “Advanced Options” > “Command Prompt”

– In this command prompt you can cd to the OS drive and rename the Crowdstrike driver:

***************************************************************************************

C:

cd C:\Windows\System32\Drivers\CrowdStrike

dir C-00000291*.sys

ren <filename> <filename_old>

***************************************************************************************

Locate the file matching “C-00000291*.sys”, and rename it.

Then exit the command prompt and reboot the machine. Your machine should boot up now.

Physical Servers

If you have physical servers where you can detach the hard disk:

– Set up a new Windows machine to use for troubleshooting.

– Detach the hard disk from your broken server and attach it to the new Windows machine you’ve set up.

– Go to diskmgmt.msc and look for the hard disk, right-click it and bring it online. If the volume is BitLocker encrypted you will need a recovery key to access the file system (contact your AD admin).

– Once you can see the file system, go to <drive letter>\Windows\System32\Drivers\CrowdStrike, locate the file matching “C-00000291*.sys”, and rename it.

– Then go back to diskmgmt.msc to detach the drive. Attach it back to the server and the machine should boot up now.

VMs on Hyper-V

If you have Virtual machines on Hyper-V:

– Attach a Windows 8/10 installation iso to the VM. Go to the VM’s settings > Under Hardware > Firmware, Change the boot option to make the iso / DVD drive boot first.

– Now reboot the VM and wait until it gets to the “Install” page. Press “Shift + F10” and this launches a command prompt for you.

– In the command prompt, run:

diskpart

list volume

exit

– Locate the drive letter of your Windows volume (the volume label should say “Windows”; you can also check the size to figure it out). Then switch to that drive.

In the example below, I’ve assumed that it showed Ltr F as the drive with Windows, you should replace F with whatever drive letter you have:

********************************************************

F:

cd F:\Windows\System32\Drivers\CrowdStrike

dir C-00000291*.sys

ren <filename> <filename_old>

********************************************************

Locate the file matching “C-00000291*.sys”, and rename it.

Then exit the command prompt and detach the iso. Reboot the virtual machine. Your machine should boot up now.

VMs on AWS

If you have VMs on AWS:

You can detach the disk from your VM, download it, modify it, upload it back and swap the OS drive to this one.

or

Or you can detach the disk from your VM, create a new VM, attach the disk to this new VM as a “data” drive, and modify it. Then detach the data drive and attach it back to the original VM.

The “Modify it” portion remains the same:

– Go to diskmgmt.msc and look for the hard disk, right-click it and bring it online. If the volume is BitLocker encrypted you will need a recovery key to access the file system (contact your AD admin).

– Once you can see the file system, go to

<drive letter>\Windows\System32\Drivers\CrowdStrike

– Locate the file matching “C-00000291*.sys”, and rename it.

– Then go back to diskmgmt.msc to detach the drive. Attach it back to the original VM and boot up.

VMs on Azure

If you have Azure VMs:

– Create a very basic Windows VM and upload the image to Azure in the same resource group as your broken VM. Click here for more info.

– Stop the VM from the portal. Go to Settings > Disks > Swap OS disk. Point it to the disk you just uploaded and boot up the machine.

– Attach your original OS disk as a data disk. Now you should be able to go to diskmgmt.msc, look for the hard disk, right-click it and bring it online.

– Once you can see the file system, go to

<drive letter>\Windows\System32\Drivers\CrowdStrike

– Locate the file matching “C-00000291*.sys”, and rename it.

– Then go back to diskmgmt.msc to detach the drive.

– Stop the VM from the portal. Go to Settings > Disks > Detach the data disk. Then click “Swap OS disk”. Point it back to the original OS disk and boot up the machine.
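The “Modify it” step is the same in the physical-server, AWS and Azure sections above: bring the offline OS disk online on a rescue machine, then rename the one channel file. The script below is an added example, not part of the original post, for doing that step from PowerShell on the rescue machine once the disk has a drive letter; it refuses to touch the rescue machine’s own system drive and only renames files matching the C-00000291*.sys pattern. The drive letter and the -Preview switch are assumptions for illustration.

```powershell
# Added example (not from the original post): rename the CrowdStrike channel file
# on an OFFLINE OS disk that has been attached to a rescue machine as a data drive.
# Assumes the disk is already online with a drive letter (diskmgmt.msc steps above).
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z]$')]
    [string]$DriveLetter,   # e.g. F when the broken OS disk is mounted as F:
    [switch]$Preview        # show what would be renamed without changing anything
)

$driverDir = Join-Path "${DriveLetter}:\" 'Windows\System32\drivers\CrowdStrike'

# Safety check: never run this against the rescue machine's own running OS.
if ("${DriveLetter}:" -ieq $env:SystemDrive) {
    throw "Refusing to modify the running system drive ($env:SystemDrive). Point at the offline disk."
}
if (-not (Test-Path -LiteralPath $driverDir)) {
    throw "CrowdStrike driver directory not found at $driverDir. Is this the right OS volume?"
}

# Only the C-00000291*.sys channel file named in the workaround is touched.
$targets = Get-ChildItem -LiteralPath $driverDir -Filter 'C-00000291*.sys' -File
if (-not $targets) {
    Write-Host "No C-00000291*.sys file found in $driverDir; nothing to do."
    return
}

foreach ($file in $targets) {
    # Keep the original next to its new name so it can be restored or examined later.
    $newName = "$($file.Name).old"
    if (Test-Path -LiteralPath (Join-Path $driverDir $newName)) {
        throw "$newName already exists in $driverDir; resolve manually before continuing."
    }
    Write-Host ("Renaming {0} (size={1} bytes, modified={2:u})" -f $file.Name, $file.Length, $file.LastWriteTimeUtc)
    Rename-Item -LiteralPath $file.FullName -NewName $newName -WhatIf:$Preview
}
```

Run it first with -Preview to confirm the path and file before renaming, then without it; afterwards take the disk offline in diskmgmt.msc and reattach it to the original server or VM as described above.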

Windows 365

On Windows 365 you can do a rollback to a time before the incident using the Office Deployment Tool (ODT). For more info, please click here.
