CrowdStrike issue: Workarounds

Info from Microsoft:
We've received feedback from customers that several reboots (as many as 15 have been reported) may be required, but overall feedback is that reboots are an effective troubleshooting step at this stage.

https://azure.status.microsoft/en-us/status

From X/Twitter. Thx to @r3srch3r for summarization.

Physical machine
Physical server
VM on Hyper-V
VM on AWS
VM on Azure
Windows 365
BitLocker protected drives

Posting for the folks affected by the CrowdStrike BSOD

Physical machine

If you have a physical machine:

– After two or three failed boots, Windows goes into “Automatic Repair” mode. (You may be prompted for your BitLocker recovery key.)

– On the Automatic Repair page click “Advanced Options” > “Troubleshoot” > “Advanced Options” > “Command Prompt”.

– In this command prompt you can cd to the OS drive and rename the CrowdStrike channel file:

```
C:

cd C:\Windows\System32\Drivers\CrowdStrike

dir C-00000291*.sys

ren <filename> <filename>.old
```

Locate the file matching “C-00000291*.sys” and rename it. Renaming rather than deleting keeps a copy for later analysis. If C:\Windows does not exist in the recovery environment, the OS volume has been given a different letter there; find it with diskpart (list volume) as in the Hyper-V steps below.

Then exit the command prompt and reboot the machine. It should boot normally now.

———————


Physical server

If you have a physical server where you can detach the hard disk:

– Set up a new Windows machine to use for troubleshooting.

– Detach the hard disk from your broken server and attach it to the Windows machine you have set up.

– Open diskmgmt.msc, look for the hard disk, right-click it and bring it online. If the volume is BitLocker encrypted you will need the recovery key to access the file system (contact your AD admin, who can look it up where the keys are escrowed).

– Once you can see the file system, go to <drive letter>\Windows\System32\Drivers\CrowdStrike, locate the file matching “C-00000291*.sys”, and rename it.

– Go back to diskmgmt.msc and take the disk offline before detaching it. Attach it back to the server and the machine should boot now.

—————


VM on Hyper-V

If you have a virtual machine on Hyper-V:

– Attach a Windows installation ISO (Windows 8/10 or later) to the VM. In the VM’s settings, under Hardware > Firmware (Generation 2 VMs) or BIOS (Generation 1 VMs), change the boot order so the ISO / DVD drive boots first.

– Reboot the VM and wait until it reaches the “Install” page. Press “Shift + F10” to open a command prompt.

– In the command prompt, run:

```
diskpart

list volume

exit
```

– Locate the drive letter of your Windows volume. (The volume label should say “Windows”; you can also check the size to figure it out.) Then switch to that drive.

In the example below, I’ve assumed that it showed Ltr F as the drive with Windows; replace F with whatever drive letter you have.

```
F:

cd F:\Windows\System32\Drivers\CrowdStrike

dir C-00000291*.sys

ren <filename> <filename>.old
```

Locate the file matching “C-00000291*.sys” and rename it.

Then exit the command prompt, detach the ISO (or restore the original boot order) and reboot the virtual machine. It should boot now.
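Going beyond the in-guest ISO method above: the same rename can be done from the Hyper-V host by mounting each guest’s virtual disk directly, which scales to a whole fleet of VMs and needs no console access. This is an added PowerShell example, not from the original post and not CrowdStrike’s own tooling; Repair-HyperVGuest, the -DryRun switch, the .old suffix and the VM names in the usage lines are assumptions, and the cmdlets are from the Hyper-V and Storage modules. If a guest disk is BitLocker-protected, the mounted volume is locked and is skipped; unlock it on the host with its recovery key first.

```powershell
#Requires -Modules Hyper-V
# Added example (not from the original post): host-side bulk remediation of Hyper-V guests.
# Assumed names: Repair-HyperVGuest, -DryRun and the .old suffix. Cmdlets: Hyper-V and Storage modules.

function Repair-HyperVGuest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$VMName,
        [switch]$DryRun   # mount and report only: rename nothing, leave the VM off
    )
    process {
        # A BSOD-looping guest has nothing to shut down gracefully, so just power it off.
        if ((Get-VM -Name $VMName).State -ne 'Off') { Stop-VM -Name $VMName -TurnOff }

        $found = @()
        foreach ($vhd in Get-VMHardDiskDrive -VMName $VMName) {
            # -Passthru returns the mounted disk; DiskNumber is what the Storage cmdlets need.
            $mounted = Mount-VHD -Path $vhd.Path -Passthru
            try {
                foreach ($part in Get-Partition -DiskNumber $mounted.DiskNumber) {
                    if (-not $part.DriveLetter) {
                        # Give the partition a letter; EFI/recovery partitions may refuse, skip those.
                        try { $part | Add-PartitionAccessPath -AssignDriveLetter -ErrorAction Stop } catch { continue }
                        $part = Get-Partition -DiskNumber $mounted.DiskNumber -PartitionNumber $part.PartitionNumber
                        if (-not $part.DriveLetter) { continue }
                    }
                    $dir = "$($part.DriveLetter):\Windows\System32\drivers\CrowdStrike"
                    # Missing: not the OS volume, or a BitLocker-locked volume (unlock on the host first).
                    if (-not (Test-Path -LiteralPath $dir)) { continue }
                    foreach ($f in Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File) {
                        if (-not $DryRun) { Rename-Item -LiteralPath $f.FullName -NewName "$($f.Name).old" }
                        $found += "$($vhd.Path) -> $($f.Name)"
                    }
                }
            } finally {
                Dismount-VHD -Path $vhd.Path   # always release the disk, even if something above threw
            }
        }
        if ($found.Count -gt 0 -and -not $DryRun) { Start-VM -Name $VMName }
        [pscustomobject]@{
            VM           = $VMName
            ChannelFiles = $found
            Renamed      = [bool]($found.Count -gt 0 -and -not $DryRun)
        }
    }
}

# Usage (assumed VM names): fleet-wide dry run first, then the real thing.
#   'APP01','APP02' | Repair-HyperVGuest -DryRun
#   Get-VM | Where-Object State -eq 'Running' | Select-Object -ExpandProperty Name | Repair-HyperVGuest
```

The dry run still mounts every disk, so it doubles as a check that the host can actually read each guest volume (a locked BitLocker volume or a checkpoint chain with a missing parent shows up here as “no channel file found” rather than as a surprise during the real run).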

——————————


VM on AWS

If you have a VM on AWS, you have two options.

Either detach the root volume from your instance, download it, modify it, upload it back and swap the instance’s root volume to the modified copy;

or detach the root volume from your instance, create a new rescue instance, attach the volume to the rescue instance as a “data” volume, modify it, then detach it and attach it back to the original instance using its original root device name.

The “modify it” portion is the same in both cases:

– Open diskmgmt.msc, look for the hard disk, right-click it and bring it online. If the volume is BitLocker encrypted you will need the recovery key to access the file system (contact your AD admin).

– Once you can see the file system, go to

<drive letter>\Windows\System32\Drivers\CrowdStrike

– Locate the file matching “C-00000291*.sys”, and rename it.

– Go back to diskmgmt.msc and take the disk offline before detaching it. Attach it back to the original instance and boot it.

—————————————


VM on Azure

If you have an Azure VM:

– Create a very basic Windows VM and upload its image to Azure, into the same resource group as your broken VM. See:

lnkd.in/guCedQk7

– Stop the broken VM from the portal. Go to Settings > Disks > Swap OS disk, point it to the disk you just uploaded, and start the machine.

– Attach your original OS disk to it as a data disk. Now open diskmgmt.msc, look for the hard disk, right-click it and bring it online. (If the disk is BitLocker encrypted you will need the recovery key, as in the AWS steps.)

– Once you can see the file system, go to

<drive letter>\Windows\System32\Drivers\CrowdStrike

– Locate the file matching “C-00000291*.sys”, and rename it.

– Go back to diskmgmt.msc and take the disk offline.

– Stop the VM from the portal. Go to Settings > Disks and detach the data disk. Then click “Swap OS disk”, point it back to the original OS disk, and start the machine.
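The “modify it” step shared by the physical server, AWS and Azure procedures above, as an added PowerShell example that is not part of the original post. It runs on the helper (rescue) machine once the broken OS disk is attached as a second disk: it brings the disk online, unlocks BitLocker with a recovery key if the volume is locked, refuses to touch the helper’s own system drive, records hash and timestamp of each matching channel file before renaming it, and takes the disk offline again for detaching. The function names, the .old suffix and the F: drive letter in the usage lines are assumptions; the cmdlets are from the built-in Storage and BitLocker modules.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Run on the helper/rescue machine after the broken
# OS disk has been attached to it as a second disk. Assumed names: Get-CandidateOsVolume,
# Repair-CrowdStrikeChannelFile, Dismount-RepairedDisk and the .old suffix. Cmdlets come from the
# built-in Storage and BitLocker modules.

function Get-LockStatus([string]$MountPoint) {
    # 'Locked' / 'Unlocked' from BitLocker, or 'Unknown' where the module or the volume is unavailable.
    try { (Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop).LockStatus } catch { 'Unknown' }
}

function Get-CandidateOsVolume {
    # Brings attached disks online and writable (the diskmgmt.msc step) and lists volumes that
    # could be the broken machine's OS volume. The helper's own system drive is excluded on purpose.
    Get-Disk | Where-Object IsOffline  | Set-Disk -IsOffline  $false
    Get-Disk | Where-Object IsReadOnly | Set-Disk -IsReadOnly $false
    $own = $env:SystemDrive.TrimEnd(':')
    foreach ($v in Get-Volume | Where-Object { $_.DriveLetter -and "$($_.DriveLetter)" -ne $own }) {
        $mp = "$($v.DriveLetter):"
        [pscustomobject]@{
            Drive      = $mp
            Label      = $v.FileSystemLabel
            SizeGB     = [math]::Round($v.Size / 1GB, 1)
            BitLocker  = Get-LockStatus $mp
            HasWindows = Test-Path -LiteralPath "$mp\Windows\System32\drivers"
        }
    }
}

function Repair-CrowdStrikeChannelFile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]$')][string]$DriveLetter,
        [string]$RecoveryPassword   # 48-digit BitLocker recovery key (from AD / Entra ID) if the volume is locked
    )
    if ($DriveLetter -eq $env:SystemDrive.TrimEnd(':')) {
        throw "Refusing to modify the helper machine's own system drive ($env:SystemDrive)."
    }
    $mp = "${DriveLetter}:"
    if ((Get-LockStatus $mp) -eq 'Locked') {
        if (-not $RecoveryPassword) { throw "$mp is BitLocker-locked; pass -RecoveryPassword." }
        Unlock-BitLocker -MountPoint $mp -RecoveryPassword $RecoveryPassword | Out-Null
    }
    $dir = "$mp\Windows\System32\drivers\CrowdStrike"
    if (-not (Test-Path -LiteralPath $dir)) { throw "$dir not found; is $mp really the broken machine's OS volume?" }

    $hits = @(Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File)
    if ($hits.Count -eq 0) { Write-Warning "No C-00000291*.sys under $dir (already remediated, or wrong volume)."; return }

    foreach ($f in $hits) {
        # Record hash and timestamp before touching the file, so you can later show exactly which
        # channel file was removed from which machine (and that a later replacement was left alone).
        $record = [pscustomobject]@{
            File         = $f.FullName
            Bytes        = $f.Length
            LastWriteUtc = $f.LastWriteTimeUtc
            Sha256       = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            RenamedTo    = $null
        }
        if ($PSCmdlet.ShouldProcess($f.FullName, "rename to $($f.Name).old")) {
            Rename-Item -LiteralPath $f.FullName -NewName "$($f.Name).old"
            $record.RenamedTo = "$($f.FullName).old"
        }
        $record
    }
}

function Dismount-RepairedDisk([Parameter(Mandatory)][string]$DriveLetter) {
    # Take the disk offline before detaching it (the second diskmgmt.msc step) so the file
    # system is closed cleanly and the original machine gets a consistent volume back.
    Get-Partition -DriveLetter $DriveLetter | Get-Disk | Set-Disk -IsOffline $true
}

# Usage (F: is an assumed drive letter):
#   Get-CandidateOsVolume
#   Repair-CrowdStrikeChannelFile -DriveLetter F -WhatIf
#   Repair-CrowdStrikeChannelFile -DriveLetter F | Export-Csv .\crowdstrike-remediation.csv -NoTypeInformation
#   Dismount-RepairedDisk -DriveLetter F
```

Run with -WhatIf first to see which file would be renamed. Supply the recovery key as `-RecoveryPassword (Read-Host 'Recovery key')` rather than typing it inline, so the 48-digit key does not end up in the PowerShell history file on the helper machine; the exported CSV is the evidence trail for the change.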

Windows 365

On Windows 365 you can do a rollback to a point in time before the incident. I saw a Microsoft person post about this, but can’t find it now.

BitLocker protected drives (thx to @AttilaBubby)

8 thoughts on “CrowdStrike issue: Workarounds”

  1. I’d be worried if a Bitlocker encrypted drive could be accessed without a recovery key like that.

    • You cannot bypass the bitlocker method at all. It totally defeats the purpose of its encryption. You need the BL key to unlock the drive to then delete the files

      • What do you do if you don’t have admin rights to delete the trouble file? I’m remote and our admins are working on in-house computers. I need to get running.

  2. Further to the CrowdStrike (Falcon Sensor) related BSOD, if you have BitLocker enabled:

    1️⃣ Cycle through BSODs until you get the recovery screen.
    2️⃣ Navigate to Troubleshoot > Advanced Options > Startup Settings.
    3️⃣ Press “Restart”.
    4️⃣ Skip the first BitLocker recovery key prompt by pressing Esc.
    5️⃣ Skip the second BitLocker recovery key prompt by selecting Skip This Drive in the bottom right.
    6️⃣ Navigate to Troubleshoot > Advanced Options > Command Prompt.
    7️⃣ Type bcdedit /set {default} safeboot minimal, then press Enter.
    8️⃣ Go back to the WinRE main menu and select Continue.
    9️⃣ It may cycle 2-3 times.
    🔟 If you booted into safe mode, log in as normal.
    1️⃣1️⃣ Open Windows Explorer, navigate to C:\Windows\System32\drivers\Crowdstrike.
    1️⃣2️⃣ Delete the offending file (starts with C-00000291* and has a .sys file extension).
    1️⃣3️⃣ Open Command Prompt (as administrator).
    1️⃣4️⃣ Type bcdedit /deletevalue {default} safeboot, then press Enter.
    1️⃣5️⃣ Restart as normal and confirm normal behavior.

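The in-Safe-Mode half of the procedure above (steps 11 to 15), as an added PowerShell example that is not part of the comment and not CrowdStrike’s guidance. It renames the channel file, clears the safeboot value and then re-reads the {default} boot entry to confirm the flag is really gone before rebooting, since a leftover safeboot value would put the machine straight back into Safe Mode. The function names, the .old suffix and the -NoRestart switch are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the comment above). Run from an elevated PowerShell once the machine
# has come up in Safe Mode via the bcdedit safeboot trick. Assumed names: Test-SafeMode,
# Complete-SafeModeRemediation, the .old suffix and the -NoRestart switch.

function Test-SafeMode {
    # Windows sets SAFEBOOT_OPTION (MINIMAL or NETWORK) only for a Safe Mode session.
    return [bool]$env:SAFEBOOT_OPTION
}

function Complete-SafeModeRemediation {
    [CmdletBinding()]
    param(
        [string]$ChannelDir = "$env:SystemRoot\System32\drivers\CrowdStrike",
        [switch]$NoRestart   # report and stop; useful for checking the result before the reboot
    )
    if (-not (Test-SafeMode)) {
        Write-Warning 'Not running in Safe Mode; continuing anyway (e.g. the machine already boots normally).'
    }

    # Step 12, but renaming rather than deleting so the file is kept for later analysis.
    $renamed = @(Get-ChildItem -LiteralPath $ChannelDir -Filter 'C-00000291*.sys' -File -ErrorAction SilentlyContinue |
                 Rename-Item -NewName { "$($_.Name).old" } -PassThru)
    if ($renamed.Count -eq 0) { Write-Warning "No C-00000291*.sys found under $ChannelDir." }

    # Step 14: clear the safeboot flag. {default} is quoted so PowerShell does not parse the
    # braces as a script block and hand bcdedit the bare word 'default'.
    & bcdedit.exe /deletevalue '{default}' safeboot | Out-Null

    # Verify before rebooting: a surviving safeboot element means the next boot is Safe Mode again.
    $stillSafe = @(& bcdedit.exe /enum '{default}' | Where-Object { $_ -match '^\s*safeboot\s' })
    if ($stillSafe.Count -gt 0) {
        throw 'safeboot is still set on {default}; do not reboot until it is removed.'
    }

    [pscustomobject]@{ Renamed = @($renamed | ForEach-Object Name); SafebootCleared = $true }
    if (-not $NoRestart) { Restart-Computer -Force }   # Step 15
}

# Usage: inspect first, then let it reboot.
#   Complete-SafeModeRemediation -NoRestart
#   Complete-SafeModeRemediation
```

If the verification throws, run `bcdedit /enum '{default}'` by hand: the safeboot line it prints is the one to remove, and the machine will keep landing in Safe Mode until it is gone.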
