CrowdStrike Microsoft BSOD Workaround

If you are impacted by the current Blue Screen of Death outage affecting Windows users who have CrowdStrike services installed, here is a workaround to get your systems working quickly.

Quick Guide – Follow these Steps

  1. Boot Windows into Safe Mode or the Windows Recovery Environment
  2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory.
  3. Locate the file matching “C-00000291*.sys” and delete it.
  4. Boot the host normally.

Full Detailed Guide

The steps below expand upon the quick guide above.

Step 1 – Boot into Safe Mode or WinRE

SAFE MODE

Safe Mode starts Windows in a basic state, using a limited set of files and drivers. This can help troubleshoot problems caused by software or drivers.

Here are three ways to get into Safe Mode:

From Settings (Windows 10/11/Server):

  • Press Windows key + I to open Settings.
  • Click “Update & Security” (or “System” in Windows 11).
  • Click “Recovery”.
  • Under “Advanced startup”, click “Restart now”.
  • After restarting, choose “Troubleshoot” > “Advanced options” > “Startup Settings” > “Restart.”
  • After another restart, choose “Safe Mode” (option 4) or “Safe Mode with Networking” (option 5).

From the Sign-in Screen (All Versions):

  • Restart your computer.
  • At the sign-in screen, hold down the Shift key while clicking the “Power” button > “Restart.”
  • Follow the steps above from “Troubleshoot” onwards.

Using the F8 Key (Older Systems):

  • Restart your computer.
  • Repeatedly press F8 before the Windows logo appears.
  • Choose “Safe Mode” from the Advanced Boot Options menu.

WINRE

Booting into the Windows Recovery Environment (WinRE):

WinRE is a recovery environment that can help fix serious system problems. You can access it using similar methods as for Safe Mode:

From Settings or the Sign-in Screen:

  • Follow the same steps as for Safe Mode, but stop at “Troubleshoot” instead of continuing on to “Startup Settings.”
  • From there, you can access various recovery options, such as “System Restore,” “Startup Repair,” or “Command Prompt.”

From a Recovery Drive:

  • If you’ve created a recovery drive, insert it and boot from it.
  • Choose your keyboard layout and language.
  • Select “Troubleshoot” to access WinRE.

Note: The exact steps might vary slightly depending on your Windows version. If you encounter any difficulties, you can search for more detailed instructions on the Microsoft support website or your computer manufacturer’s website.

Important: If your drive is protected by BitLocker, you will need your recovery key.
Step 2 – Navigate to the Windows CrowdStrike System Folder

This directory is the default installation location for the CrowdStrike Falcon sensor drivers. These drivers are essential to the operation of the CrowdStrike security software, but a specific file (matching C-00000291*.sys) can cause problems such as the Windows Blue Screen of Death (BSOD).

 C:\Windows\System32\drivers\CrowdStrike

Using File Explorer (Safe Mode/WinRE):

  • Open File Explorer.
  • In the address bar, type (or copy and paste): C:\Windows\System32\drivers\CrowdStrike
  • Press Enter.
  • This should directly open the CrowdStrike directory, where you can locate and manage files as needed.

Using Command Prompt (Safe Mode/WinRE):

  • Open Command Prompt (as administrator if possible).
  • Type: cd C:\Windows\System32\drivers\CrowdStrike
  • Press Enter.
  • You will now be in the correct directory within Command Prompt, and you can use commands like dir to list files or del to delete them.

Step 3 – Delete C-00000291*.sys

  • C-00000291: This is the base name of the file, representing a specific CrowdStrike driver component.
  • *.sys: This indicates that it’s a system file (driver) used by Windows.
  • * (asterisk): This is a wildcard character, meaning the file name can have any characters after “C-00000291”. For example, you might see C-00000291.sys, C-00000291_1.sys, etc.

Once you’re in the CrowdStrike directory, look for files that start with “C-00000291” and end with “.sys”. You might need to scroll or sort files by name to find them easily.

Deleting the File:

In File Explorer:

  • Right-click on the matching file(s) and select “Delete”.
  • Confirm the deletion when prompted.

In Command Prompt:

  • Type the following command, replacing <filename> with the actual name of the file you want to delete:
    del <filename>
  • For example, if the file is named C-00000291.sys, you would type:
    del C-00000291.sys
  • Press Enter to delete the file.
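As an added example (not part of the original post), the Command Prompt steps from Steps 2 and 3 collected into one batch script that lists every matching file, deletes it, and confirms each deletion. The script name remove-c291.cmd and its optional drive-letter argument are assumptions: in WinRE the Windows volume is not always mapped to C:, so the script lets you pass the letter, defaulting to C: as the guide does.

```batch
@echo off
setlocal EnableDelayedExpansion

rem Added example, not from the original post.
rem Usage: remove-c291.cmd [drive]   e.g. remove-c291.cmd D:
rem The drive argument is an assumption for WinRE, where the Windows
rem volume may not be mapped to C:. It defaults to C: as in the guide.
set "SYSDRIVE=%~1"
if "%SYSDRIVE%"=="" set "SYSDRIVE=C:"
set "CSDIR=%SYSDRIVE%\Windows\System32\drivers\CrowdStrike"

rem Step 2: make sure the CrowdStrike driver directory is where we expect.
if not exist "%CSDIR%\" (
    echo Directory not found: %CSDIR%
    echo If you are in WinRE, pass the Windows drive letter, e.g. remove-c291.cmd D:
    exit /b 1
)

rem Step 3: show every file matching C-00000291*.sys before touching anything.
echo Matching files in %CSDIR%:
dir /b "%CSDIR%\C-00000291*.sys" 2>nul
if errorlevel 1 (
    echo No C-00000291*.sys file found; nothing to delete.
    exit /b 0
)

rem Delete each match. /f clears the read-only attribute, /q skips the prompt.
set /a COUNT=0
for %%F in ("%CSDIR%\C-00000291*.sys") do (
    echo Deleting %%~nxF
    del /f /q "%%F"
    if exist "%%F" (
        echo ERROR: could not delete %%~nxF
    ) else (
        set /a COUNT+=1
    )
)

echo Deleted !COUNT! file^(s^). Now reboot the host normally ^(Step 4^).
endlocal
exit /b 0
```

Run it from the Safe Mode or WinRE Command Prompt; a non-zero exit code means the directory was not found, and an ERROR line means a file survived the delete and should be checked by hand.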

Step 4 – Reboot

Now simply reboot the computer and let it boot into Windows normally.

Good Luck – I know a lot of sysadmins are tired and have been up all night fixing this clusterf**k.


Richard.Bailey
