[FIXED] CrowdStrike Driver C-00000291*.sys BSOD (Blue Screen of Death)

Summary:

The CrowdStrike team has published a workaround for the crashes reported on Windows hosts and linked to the Falcon Sensor.

Details:

  • Symptoms: Hosts experiencing a bugcheck/blue screen error related to the Falcon Sensor.
  • Unaffected Windows hosts require no action, because the problematic channel file has been reverted.
  • Windows hosts brought online after 0527 UTC are not impacted.
  • This issue does not affect Mac or Linux hosts.
  • Channel file "C-00000291*.sys" with a timestamp of 0527 UTC or later is the corrected version.
  • Channel file "C-00000291*.sys" with a timestamp of 0409 UTC is the problematic version.
    • Note: Multiple "C-00000291*.sys" files in the CrowdStrike directory are normal; as long as one has a timestamp of 0527 UTC or later, it will be the active content.

Current Action:

  • CrowdStrike Engineering has identified and reverted the content deployment causing this issue.
  • If hosts continue to crash and cannot stay online to receive the channel file changes, the workaround steps below can be used.
  • CrowdStrike assures customers that their Falcon platform systems are operating normally. There is no impact on protection if the Falcon Sensor is installed. Falcon Complete and Overwatch services are not disrupted by this incident.

Query to Identify Impacted Hosts via Advanced Event Search:

Refer to the KB article: "How to Identify Hosts Possibly Impacted by Windows Crashes" (pdf).

Workaround Steps for Individual Hosts:

  1. Reboot the host to allow it to download the reverted channel file. A wired network connection (as opposed to WiFi) is recommended for faster internet connectivity.
  2. If the host crashes again:
    • Boot Windows into Safe Mode or the Windows Recovery Environment.
      • Note: A wired network connection and using Safe Mode with Networking can aid remediation.
    • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
      • On WinRE/WinPE, navigate to the Windows\System32\drivers\CrowdStrike directory of the OS volume.
    • Locate and delete the file matching "C-00000291*.sys".
    • Boot the host normally.
      • Note: BitLocker-encrypted hosts may require a recovery key.

Workaround Steps for Public Cloud or Similar Environments, Including Virtual Machines:

Option 1:

  1. Detach the operating system disk volume from the impacted virtual server.
  2. Create a snapshot or backup of the disk volume before proceeding, as a safeguard against unintended changes.
  3. Attach/mount the volume to a new virtual server.
  4. Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
  5. Locate and delete the file matching "C-00000291*.sys".
  6. Detach the volume from the new virtual server.
  7. Reattach the fixed volume to the impacted virtual server.
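The locate-and-delete step from the individual-host procedure above and steps 4 and 5 of Option 1, as an added PowerShell example that is not CrowdStrike's own tooling. It assumes the file's last-write time is the "timestamp" the advisory refers to, that the calendar date paired with the advisory's UTC times is 2024-07-19, and uses parameter names (-OsVolume, -CorrectedUtc, -RemoveAll) chosen here.

```powershell
# Added example, not CrowdStrike tooling: list every C-00000291*.sys copy on a
# Windows volume, classify each by its UTC timestamp, and remove the problematic
# copies. Run elevated on the host, or from WinRE/WinPE (or a rescue VM with the
# disk attached) with -OsVolume pointing at the offline OS volume, e.g. 'D:\'.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Root of the Windows installation to repair; defaults to the running OS.
    [string]$OsVolume = $env:SystemDrive,
    # Assumption: the advisory states only "0527 UTC"; the incident date
    # (2024-07-19) is supplied here and must be adjusted if it differs.
    [datetime]$CorrectedUtc = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc),
    # Remove every matching copy (the advisory's literal step) instead of only
    # the copies that predate the corrected build.
    [switch]$RemoveAll
)

$dir = Join-Path $OsVolume 'Windows\System32\drivers\CrowdStrike'
if (-not (Test-Path -LiteralPath $dir)) {
    throw "CrowdStrike driver directory not found: $dir"
}

$files = @(Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File)
if ($files.Count -eq 0) {
    Write-Host "No C-00000291*.sys file present in $dir; nothing to do."
    return
}

# Classify each copy: a last-write time (assumed to be the advisory's
# "timestamp") at or after the corrected build is the active, fixed content;
# anything earlier (e.g. the 0409 UTC build) is problematic.
$report = foreach ($f in $files) {
    $status = if ($f.LastWriteTimeUtc -ge $CorrectedUtc) { 'corrected' } else { 'problematic' }
    [pscustomobject]@{
        Name     = $f.Name
        StampUtc = $f.LastWriteTimeUtc.ToString('yyyy-MM-dd HH:mm:ss')
        Status   = $status
        Path     = $f.FullName
    }
}
$report | Format-Table Name, StampUtc, Status -AutoSize | Out-String | Write-Host

# Delete only what is flagged; -WhatIf previews, -Confirm prompts per file.
$targets = if ($RemoveAll) { $report } else { $report | Where-Object Status -eq 'problematic' }
foreach ($entry in $targets) {
    if ($PSCmdlet.ShouldProcess($entry.Path, 'Remove channel file 291')) {
        Remove-Item -LiteralPath $entry.Path -Force
    }
}
```

Run it first with -WhatIf to see which copies would be removed; a host with a corrected copy already present is left untouched unless -RemoveAll is given.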

Option 2:

Roll back to a snapshot taken before 0409 UTC.