If you manage servers, you may need to cancel your weekend plans as a CrowdStrike update has caused servers to experience a BSOD or boot loop.
The incident does not appear to be a security incident or cyberattack, and only affects Windows hosts, while CrowdStrike says Linux and Mac are not affected.
The issue was first reported at 19:00 UTC on July 18 and was acknowledged by CrowdStrike in the early hours of July 19.
“CrowdStrike is actively working with customers affected by a flaw found in a single content update for Windows hosts,” CrowdStrike CEO George Kurtz wrote on Twitter/X.
“This is not a security incident or cyber attack,” he added. “The issue has been identified, isolated and a fix has been implemented. We refer customers to the support portal for the latest updates and will continue to provide ongoing, comprehensive updates on our website.”
The good news is that a fix has now been found. The bad news is that since the servers are not starting, many of them will likely require manual intervention. CrowdStrike has provided the following instructions on how to fix the issue.
- Boot Windows in Safe Mode or Windows Recovery Environment
- Go to the directory C:\Windows\System32\drivers\CrowdStrike
- Locate the file that matches C-00000291*.sys and delete it
- Boot the host normally
Microsoft subsequently issued further advice:
- We recommend that customers who are able to do so restore from a backup taken before 19:00 UTC on July 18.
- Alternatively, try to repair the operating system disk offline.
- Attach a disk to the virtual machine for offline repair (encrypted disks may require further instructions)
- Once the disk is connected, delete the file Windows/System/System32/Drivers/CrowdStrike/C00000291*.sys
- We can confirm that CrowdStrike has pulled the affected update. Customers who continue to experience issues should contact CrowdStrike for further assistance.
Who is affected by the CrowdStrike update?
The CrowdStrike update has affected Windows devices and virtual machines running Windows Client, as well as Windows servers, that run the CrowdStrike Falcon agent. Personal PCs running Windows are not affected.
It is not yet known exactly how many machines have been affected, but it has already had a major impact around the world, especially in Europe where Visa, Amazon and Microsoft have all reported problems. There have also been reports of airlines and hospitals having issues. We won't know the full extent of the impact until later.
How to fix the CrowdStrike issue?
Basically, you need to delete the file that matches C-00000291*.sys.
You can do it as follows:
1. Boot Windows into Safe Mode or Windows Recovery Environment
2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
3. Locate the file that matches C-00000291*.sys and delete it
Alternatively, you may need to manually remove and update the operating system disk.
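The manual steps above, automated as an added PowerShell example (not a script from CrowdStrike or Microsoft): it deletes only the channel file matching the pattern from CrowdStrike's guidance and leaves the rest of the Falcon driver directory untouched. It assumes it is run from Safe Mode, from a PowerShell prompt in WinRE, or against a disk attached offline to another machine, whose drive letter is passed as the -SystemDrive parameter (a name chosen for this example); -WhatIf previews the deletion without making changes.

```powershell
<#
  Added example, not CrowdStrike's or Microsoft's own tooling.
  Removes the faulty channel file named in the remediation steps above.
  Usage:  .\Remove-FaultyChannelFile.ps1                (live system, Safe Mode)
          .\Remove-FaultyChannelFile.ps1 -SystemDrive F: (disk attached offline)
          .\Remove-FaultyChannelFile.ps1 -WhatIf         (preview only)
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Root of the affected Windows installation. Defaults to the running OS drive;
    # pass e.g. 'F:' when the disk is attached to a recovery VM for offline repair.
    [string]$SystemDrive = $env:SystemDrive,

    # Filename pattern from CrowdStrike's guidance (only this file is removed).
    [string]$Pattern = 'C-00000291*.sys'
)

$driverDir = Join-Path $SystemDrive 'Windows\System32\drivers\CrowdStrike'

if (-not (Test-Path -LiteralPath $driverDir -PathType Container)) {
    Write-Warning "Directory not found: $driverDir (wrong drive letter, or Falcon is not installed here)"
    exit 1
}

# Match only the named channel file; the sensor driver and other channel files stay in place.
$channelFiles = Get-ChildItem -LiteralPath $driverDir -Filter $Pattern -File

if (-not $channelFiles) {
    Write-Host "No file matching $Pattern in $driverDir; nothing to do."
    exit 0
}

foreach ($file in $channelFiles) {
    # Log what is about to be deleted so the change is auditable afterwards.
    Write-Host ("Found {0} ({1} bytes, written {2:u})" -f $file.FullName, $file.Length, $file.LastWriteTimeUtc)
    if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete CrowdStrike channel file')) {
        Remove-Item -LiteralPath $file.FullName -Force
        Write-Host "Deleted $($file.FullName)"
    }
}

Write-Host 'Done. Reboot the host normally.'
```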
What is CrowdStrike?
CrowdStrike is a cybersecurity company behind the software used by some of the world's largest businesses and institutions, including hospitals, airports, banks, and many Fortune 500 companies.