CrowdStrike Falcon Bluescreen Restore Process

Overnight, CrowdStrike pushed a defective content update for their Falcon EDR on Windows hosts. The affected hosts crash with a bugcheck (bluescreen) that references the Falcon Sensor or the csagent.sys driver.

Current status updates can be found on the CrowdStrike statement page here.

Remediation recommendations are to reboot the host a number of times and hope it pulls the corrected update before bluescreening, reboot to Safe Mode and delete the C-00000291*.sys file, or mount the system drive on another machine and delete the file from there. When I tried these on my crashed machines, I couldn’t take ownership of the C-00000291*.sys file when booted into Safe Mode with Networking, and deleting the file from another VM corrupted the Windows installation. I found an easier way to restore a machine crashing from the CrowdStrike outage and have detailed it below.

Repair Procedure

Either press F8 to get into startup options, or let Windows fail to boot three times to reach the Recovery screen. Click “See advanced repair options” > Troubleshoot > Startup Settings > Restart. Windows will boot into the “Advanced Boot Options” screen; select “Safe Mode with Command Prompt.”

Log in to Windows when it boots up and it will launch a command prompt window. Run the following commands to navigate into the CrowdStrike driver directory, confirm the affected file is present (the numeric suffix varies per host, so list it with a wildcard first), delete the file, and reboot the server.

cd %WINDIR%\system32\drivers\CrowdStrike
dir C-00000291* /ON
del C-00000291-00000000-00000039.sys
shutdown -r -t 0

Windows should now reboot and come back up normally.
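The same procedure as a script, added here as an example and not part of the original post or CrowdStrike's own tooling. It assumes powershell.exe is available in the Safe Mode with Command Prompt session, and it takes the driver directory and the C-00000291*.sys file pattern from the steps above. Unlike the hand-typed commands, it removes every matching channel file rather than one hard-coded name, refuses to reboot if a file is still present (so the host is not sent straight back into the crash loop), and supports -WhatIf for a dry run.

```powershell
# Added example (not from the original post): remove CrowdStrike channel files
# matching C-00000291*.sys from the Falcon driver directory, verify removal, reboot.
# Assumed usage from the Safe Mode command prompt:
#   powershell -ExecutionPolicy Bypass -File .\Remove-BadChannelFile.ps1 [-WhatIf] [-NoReboot]
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Directory and file pattern are taken from the post; both can be overridden.
    [string]$DriverDir = (Join-Path $env:WINDIR 'System32\drivers\CrowdStrike'),
    [string]$Pattern   = 'C-00000291*.sys',
    [switch]$NoReboot
)

if (-not (Test-Path -LiteralPath $DriverDir -PathType Container)) {
    throw "CrowdStrike driver directory not found: $DriverDir"
}

# Enumerate every matching channel file. The numeric suffix differs between
# hosts, so the post's wildcard is used instead of a single file name.
$files = @(Get-ChildItem -LiteralPath $DriverDir -Filter $Pattern -File -Force)
if ($files.Count -eq 0) {
    Write-Host "No files matching $Pattern in $DriverDir; nothing to remove."
} else {
    # Record what is about to be removed (name, size, UTC timestamp) for the incident log.
    $files | Select-Object Name, Length, LastWriteTimeUtc |
        Format-Table -AutoSize | Out-String | Write-Host
    foreach ($f in $files) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete channel file')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
}

# Verify before rebooting. A file that survived the delete (permissions, lock)
# means the host would crash again, so stop here instead of restarting.
$remaining = @(Get-ChildItem -LiteralPath $DriverDir -Filter $Pattern -File -Force)
if ($remaining.Count -gt 0 -and -not $WhatIfPreference) {
    throw "Still present after delete attempt: $($remaining.Name -join ', ')"
}

if (-not $NoReboot -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restart')) {
    Restart-Computer -Force
}
```

Run it once with -WhatIf to see which files it would touch, then without. The verification step is the part worth keeping even if you type the commands by hand: a second `dir C-00000291*` before `shutdown` is what confirms the host will not bluescreen again on the way up.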

Happy Friday!