from Hacker News

Crowdstrike Falcon sensor issue crashes Windows hosts worldwide

by withinrafael on 7/19/24, 5:47 AM with 26 comments

  • by gnabgib on 7/19/24, 5:49 AM

    Related live HN discussion Windows Bluescreen and Boot Loops (update: caused by a Crowdstrike update) (41 points, 22 minutes ago) https://news.ycombinator.com/item?id=41002195
  • by withinrafael on 7/19/24, 5:52 AM

    At time of submission, the official Tech Alert (TA) [1] states:

    > CrowdStrike is aware of reports of crashes on Windows hosts related to the Falcon Sensor. Symptoms include hosts experiencing a bugcheck\blue screen error related to the Falcon Sensor. Our Engineering teams are actively working to resolve this issue and there is no need to open a support ticket. Status updates will be posted below as we have more information to share, including when the issue is resolved.

    [1] https://supportportal.crowdstrike.com/s/article/Tech-Alert-W...

  • by acheong08 on 7/19/24, 7:03 AM

    If this causes a blue screen on login/boot, it’s hard for me to see a way to deploy a fix organization-wide since it doesn’t really give time for remediation to run before the crash. I’ve never been part of a large org before; is this common & how far down does management software go? (As in can it be run before crowdstrike starts)

    P.s. There is a surprisingly high number of newly created accounts posting unhelpful/repetitive comments here. Wonder what’s going on

  • by LancePereira on 7/19/24, 7:36 AM

    Temp workaround

    Can confirm the below stops the BSOD Loop

    Go into CMD from recovery options

    Change to C:\Windows\System32\Drivers

    Rename Crowdstrike to Crowdstrike_Fucked

    Start windows

    It's not great, but at least that means we can get some Windows back.

  • by mozaka on 7/19/24, 6:43 AM

    This is the fix: Current fix is to boot into safe mode and change the name of the CrowdStrike folder in c:\windows\system32\drivers\Crowdstrike

    Workaround Steps:

    1. Boot Windows into Safe Mode or the Windows Recovery Environment
    2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
    3. Locate the file matching “C-00000291*.sys”, and delete it.
    4. Boot the host normally.

  • by Shaney02005 on 7/19/24, 7:43 AM

    Lol, am I glad that I never have such a system as that on my PC directly.

    I don't use CrowdStrike; I know how stupid blue screens caused by security systems are.

    I use a firewall in a different and security in a different way nowadays due to blue screen problems of older firewalls/virus programs.

    If in your home you have more than one PC/tablet/laptop etc., use a small PC (for pros, just use a server PC) as your main firewall carrier, and let yourself or someone else with the knowledge install that PC and make sure it's connected to only your own devices. It can scan your PCs' internet traffic via your own local network. On your own laptop/tablet, use a simpler virus scanner (just a free one) just in case you're not at home to scan, when on vacation etc. Then it's better, because if the PC carrying the firewall crashes, no PC in the network is actually affected by it; only security is down. And by the way, Windows software is not really good at seeing such a firewall system.

  • by taltay123 on 7/19/24, 10:54 AM

  • by ybarragan on 7/19/24, 7:56 PM

    Can't get past the blue screen. I have tried rebooting, then turning back on holding the Windows key and R at the same time, and still nothing. Any recommendations?
  • by anonim333eu on 7/19/24, 3:22 PM

    Someone has already found the cause of this problem :) https://www.instagram.com/reel/C9mkHPktdKO/
  • by AnnaW213 on 7/19/24, 3:21 PM

    Someone has already found the cause of this problem :) https://www.instagram.com/reel/C9mkHPktdKO/
  • by ramjane01 on 7/19/24, 12:36 PM

    How to delete this file on cloud servers in Azure and AWS?
  • by atulhadke007 on 7/19/24, 7:41 AM

    Can anyone share which CrowdStrike version is impacted?
  • by ramjane01 on 7/19/24, 7:02 AM

    Does renaming the file C-00000291*.sys also work?
  • by atulhadke007 on 7/19/24, 6:49 AM

    Mozaka, by said steps, did this work? Please confirm.
  • by ramjane01 on 7/19/24, 6:57 AM

    This is a manual method. How to do it in one go?
  • by dreamlvr1989 on 7/19/24, 6:34 AM

    Is this due to a product update? This can't be due to a signature update.
  • by jdleel on 7/19/24, 6:09 AM

    This is very serious.
  • by vijuvijustar on 7/19/24, 6:23 AM

    Is there a fix? Servers, hosts, everything is down.
  • by dreamlvr1989 on 7/19/24, 6:33 AM

    Is this due to a CrowdStrike version change?
  • by vijuvijustar on 7/19/24, 6:24 AM

    Is there a fix? More than 12000 PCs are affected.