CrowdStrike issue: Workarounds
Physical Machines
If you have physical machines:
– After 3 failed boots, Windows will go into “Automatic Repair” mode. (You might need your BitLocker PIN.)
– In the automatic repair page click “Advanced Options” > “Troubleshoot” > “Advanced Options” > “Command Prompt”
– In this command prompt you can cd to the OS drive and rename the CrowdStrike driver file:
***************************************************************************************
C:
cd C:\Windows\System32\Drivers\CrowdStrike
dir C-00000291*.sys
ren <filename> <filename_old>
***************************************************************************************
Locate the file matching “C-00000291*.sys”, and rename it.
Then exit the command prompt and reboot the machine. Your machine should boot up now.
Physical Servers
If you have physical servers where you can detach the hard disk:
– Set up a new Windows machine to use for troubleshooting.
– Detach the hard disk from your broken server and attach it to the new Windows machine you’ve set up.
– Go to diskmgmt.msc and look for the hard disk, right-click and bring it online. If the volume is BitLocker encrypted you will need a recovery key to access the file system (contact your AD admin).
– Once you can see the file system, go to <drive letter>\Windows\System32\Drivers\CrowdStrike, locate the file matching “C-00000291*.sys”, and rename it.
– Then go back to diskmgmt.msc to detach the drive. Attach it back to the server and the machine should boot up now.
VMs on Hyper-V
If you have Virtual machines on Hyper-V:
– Attach a Windows 8/10 installation ISO to the VM. Go to the VM’s settings > Hardware > Firmware and change the boot order so the ISO / DVD drive boots first.
– Now reboot the VM and wait until it gets to the “Install” page. Press “Shift + F10” to launch a command prompt.
– In the command prompt, run:
diskpart
list volume
exit
– Locate the drive letter of your Windows volume. (The volume label should say “Windows”; you can also check the size to figure it out.) Then switch to that drive.
In the example below, I’ve assumed that it showed Ltr F as the drive with Windows; replace F with whatever drive letter you have:
********************************************************
F:
cd F:\Windows\System32\Drivers\CrowdStrike
dir C-00000291*.sys
ren <filename> <filename_old>
********************************************************
Locate the file matching “C-00000291*.sys”, and rename it.
Then exit the command prompt and detach the iso. Reboot the virtual machine. Your machine should boot up now.
VMs on AWS
If you have VMs on AWS:
You can detach the disk from your VM, download it, modify it, upload it back and swap the OS drive to the modified disk.
or
You can detach the disk from your VM, create a new VM, attach the disk to the new VM as a “data” drive, modify it, then detach the data drive and attach it back to the original VM.
The “Modify it” portion remains the same:
– Go to diskmgmt.msc and look for the hard disk, right-click and bring it online. If the volume is BitLocker encrypted you will need a recovery key to access the file system (contact your AD admin).
– Once you can see the file system, go to <drive letter>\Windows\System32\Drivers\CrowdStrike, locate the file matching “C-00000291*.sys”, and rename it.
– Then go back to diskmgmt.msc to detach the drive. Attach it back to the original VM and boot up.
VMs on Azure
If you have Azure VMs:
– Create a very basic Windows VM and upload the image to Azure in the same resource group as your broken VM.
– Stop the VM from the portal. Go to Settings > Disks > Swap OS disk. Point it to the disk you just uploaded and boot up the machine.
– Attach your original OS disk as a data disk. Now you should be able to go to diskmgmt.msc, look for the hard disk, right-click and bring it online.
– Once you can see the file system, go to <drive letter>\Windows\System32\Drivers\CrowdStrike, locate the file matching “C-00000291*.sys”, and rename it.
– Then go back to diskmgmt.msc to detach the drive.
– Stop the VM from the portal. Go to Settings > Disks > Detach the data disk. Then click “Swap OS disk”. Point it back to the original OS disk and boot up the machine.
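The offline “Modify it” step is the same in the physical-server, AWS and Azure sections above. The script below is an added example, not code from the original post: it assumes the broken OS disk is already attached and online on the helper machine under the letter passed as -DriveLetter, and that the helper machine has the BitLocker PowerShell module (Get-BitLockerVolume).

```powershell
<#
  Find and rename the C-00000291*.sys file on an attached (offline) Windows volume.
  Run on the helper machine after bringing the disk online in diskmgmt.msc.
  Preview first with:  .\Rename-ChannelFile.ps1 -DriveLetter F -WhatIf
  Assumptions (not from the original post): drive letter is known, BitLocker
  module is available. Script name is hypothetical.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z]$')]
    [string]$DriveLetter
)

$driverDir = Join-Path "${DriveLetter}:" 'Windows\System32\Drivers\CrowdStrike'

# Caveat from the post: a BitLocker-protected volume must be unlocked with the
# recovery key first; otherwise the path simply will not be readable.
$bl = Get-BitLockerVolume -MountPoint "${DriveLetter}:" -ErrorAction SilentlyContinue
if ($bl -and $bl.LockStatus -eq 'Locked') {
    throw "Volume ${DriveLetter}: is BitLocker-locked; unlock it with the recovery key first."
}
if (-not (Test-Path -LiteralPath $driverDir)) {
    throw "Driver folder not found: $driverDir (wrong drive letter, or not a Windows volume?)"
}

# Same pattern the post has you 'dir' for; handle more than one match.
$channelFiles = Get-ChildItem -LiteralPath $driverDir -Filter 'C-00000291*.sys' -File
if (-not $channelFiles) {
    Write-Host "No file matching C-00000291*.sys in $driverDir; nothing to do."
    return
}

foreach ($f in $channelFiles) {
    # Keep the original beside it (renamed, not deleted) so it can be restored
    # or examined later; mirrors the post's "ren <filename> <filename_old>".
    $newName = "$($f.Name)_old"
    if ($PSCmdlet.ShouldProcess($f.FullName, "Rename to $newName")) {
        Rename-Item -LiteralPath $f.FullName -NewName $newName
        Write-Host ("Renamed {0} -> {1} (last write {2:u})" -f $f.Name, $newName, $f.LastWriteTimeUtc)
    }
}
```

Run it with -WhatIf first to confirm the drive letter and the matched file before anything is renamed, then without it to apply the change and continue with the detach-and-reattach steps for your platform.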
Windows 365
On Windows 365 you can do a rollback to a time before the incident using the Office Deployment Tool (ODT).