Temporary Workaround for CrowdStrike-Induced Windows Outages

As you might be aware, there has been a major outage affecting Windows systems globally due to a recent update from CrowdStrike. This issue has caused significant disruptions across various industries, including essential services such as 911 in the USA, media, flights, markets, and stock exchanges.

CrowdStrike has acknowledged the problem, specifically related to their Falcon sensor, which has caused Windows systems to experience blue screen errors (BSOD) or enter boot loops. The root cause has been identified as an update rolled out by CrowdStrike on Friday.

CrowdStrike Blue Screen Fix

CrowdStrike’s engineers are actively working to resolve the issue. In the meantime, we have developed a temporary workaround to help bring your production servers back online. This involves disabling the CrowdStrike agent, allowing your systems to reboot and function properly. Please note, this is a temporary fix and leaves your servers unprotected.

Temporary Workaround for CrowdStrike:

If you are experiencing issues, follow these high-level steps to disable the CrowdStrike agent:

• For AWS (Amazon Web Services)
• For Azure

For AWS (Amazon Web Services)

Step 1: Connect to Your EC2 Instance

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, select Instances.
3. Select the instance you want to troubleshoot.
4. Click on Actions > Instance State > Stop to stop the instance.

Step 2: Enable Safe Mode

1. Create an AMI from your existing instance to ensure you have a backup before making any changes.
2. Detach the root EBS volume from the stopped instance:
   • Select the instance.
   • Click on Actions > Instance Settings > Attach/Replace Root Volume > Detach Root Volume.
3. Attach the detached root EBS volume to another running Windows instance:
   • Select a running Windows instance.
   • Click on Actions > Instance Settings > Attach Volume and attach the detached volume.
4. Remote Desktop into the running Windows instance.
5. Open Disk Management (diskmgmt.msc) and assign a drive letter to the attached volume.
6. Open Command Prompt as an administrator and navigate to the attached volume (e.g., D:).

Step 3: Modify Boot Configuration

1. Execute the following command to enable Safe Mode:

cmd: bcdedit /store D:\boot\bcd /set {default} safeboot minimal

Step 4: Detach and Reattach the Volume

1. Detach the volume from the running instance.
2. Reattach the volume to the original instance as the root volume.
3. Start the original instance from the EC2 console.

Step 5: Connect and Execute the Command

1. Connect to the instance using Remote Desktop.
2. Open Command Prompt as an administrator.
3. Run the following command:

cmd: del "C:\Windows\System32\drivers\CrowdStrike\C-00000291*.Sys"

Step 6: Disable Safe Mode

1. Reopen Command Prompt as an administrator.
2. Run the following command to disable Safe Mode: cmd: bcdedit /deletevalue safeboot
3. Restart the instance to boot into normal mode.

For Azure

Step 1: Connect to Your VM

1. Open the Azure portal at https://portal.azure.com/.
2. Navigate to Virtual Machines.
3. Select the VM you want to troubleshoot.
4. Click on Stop to deallocate the VM.

Step 2: Enable Safe Mode

1. Create a snapshot of the OS disk to ensure you have a backup.
2. Detach the OS disk from the stopped VM:
   • Navigate to Disks under the VM.
   • Select the OS disk and click on Detach.
3. Attach the detached OS disk to another running Windows VM:
   • Navigate to the running VM.
   • Click on Disks > Attach existing disks and select the detached OS disk.
4. Remote Desktop into the running Windows VM.
5. Open Disk Management (diskmgmt.msc) and assign a drive letter to the attached disk.
6. Open Command Prompt as an administrator and navigate to the attached disk (e.g., D:).

Step 3: Modify Boot Configuration

1. Execute the following command to enable Safe Mode:

cmd: bcdedit /store D:\boot\bcd /set {default} safeboot minimal

Step 4: Detach and Reattach the Disk

1. Detach the disk from the running VM.
2. Reattach the disk to the original VM as the OS disk.
3. Start the original VM from the Azure portal.

Step 5: Connect and Execute the Command

1. Connect to the VM using Remote Desktop.
2. Open Command Prompt as an administrator.
3. Run the following command:

cmd: del "C:\Windows\System32\drivers\CrowdStrike\C-00000291*.Sys"

Step 6: Disable Safe Mode

1. Reopen Command Prompt as an administrator.
2. Run the following command to disable Safe Mode: cmd: bcdedit /deletevalue safeboot
3. Restart the VM to boot into normal mode.

Conclusion:

This workaround provides a temporary solution to the critical issue caused by the CrowdStrike agent, allowing you to bring back your production servers and systems. We strongly advise monitoring CrowdStrike’s updates for a permanent fix and re-enabling the agent as soon as possible to ensure the security of your systems.

For further assistance, please contact our support team.