
Crowdstrike Bug Resolution Instructions

Updated 19th July 2024 at 12:33EST

How To Resolve The Issue

These instructions were first published by Superuser.com from advice given by Brody N. - Director of Overwatch at CrowdStrike Inc. The Reveald team is actively researching other options and other workflows and will update this blog periodically.



  1. Boot to Safe Mode or the Command Prompt from the WinRE blue screen:
    • Safe Mode:
      See advanced repair options → Troubleshoot → Advanced options → Startup Settings → Restart → Options menu: F4 / 4

    • WinRE: Command Prompt
      See advanced repair options → Troubleshoot → Advanced options → Command Prompt
      • If a machine is stuck on a BSOD and not auto-booted to WinRE:
        1. Reboot machine by holding down power button for ~10s
        2. Once Windows' bootloader begins loading Windows, repeat 2x
          • Windows will auto-boot to WinRE upon two failed attempts by the Windows bootloader to load Windows

  2. Delete file matching C-00000291*.sys within:

    %WinDir%\System32\drivers\CrowdStrike
    1. Safe Mode:
      1. Open an Admin terminal:

        WinKey+R → Open: powershell → Ctrl+Shift+OK

      2. Delete file:

        Remove-Item -Path "$env:WinDir\System32\drivers\CrowdStrike\C-00000291*.sys" -Force

      3. Reboot:

        Shutdown /f /r /t 0

    2. WinRE Command Prompt:

      (C: is usually not the OS partition mount point in WinRE)

      1. Obtain mount point of the OS partition:

        ::# Launch DiskPart:

        DiskPart

        ::# List all volumes [partitions]:

        Lis Vol

        ::# Close DiskPart:

        Exit

      2. Delete file:

        Del /f /q "<OSdriveLetter>:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys"
      3. Reboot:

        Close Command Prompt → Continue to Windows <#>

  3. Normally boot to Windows

CrowdStrike Official Summary Description of the issue as of June 19 2024 12:00 EST:

Details
  • Symptoms include hosts experiencing a bugcheck\blue screen error related to the Falcon Sensor.
  • Windows hosts which have not been impacted do not require any action as the problematic channel file has been reverted.
  • Windows hosts which are brought online after 0527 UTC will also not be impacted.
  • Hosts running Windows 7/2008 R2 are not impacted.
  • This issue is not impacting Mac- or Linux-based hosts.
  • Channel file "C-00000291*.sys" with timestamp of 0527 UTC or later is the reverted (good) version.
  • Channel file "C-00000291*.sys" with timestamp of 0409 UTC is the problematic version.
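
The following PowerShell triage function is an added example, not code from CrowdStrike, Superuser.com or Reveald. Run from the Safe Mode Admin terminal in step 2, it lists the matching channel files and classifies each against the 0409 / 0527 UTC timestamps above, deleting only on request. The function name, its parameters and the use of the file's last-write time as "the timestamp" are assumptions; the two bounds are the epoch constants used in the query further down this page.

```powershell
# Added example; not CrowdStrike or Reveald code. Requires PowerShell 5+ and an Admin terminal.
# Assumption: the "timestamp" in the summary is the file's last-write time in UTC.
function Get-ChannelFile291Status {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Directory from step 2 of the instructions.
        [string]$Path = "$env:WinDir\System32\drivers\CrowdStrike",
        # Delete files from the problematic window instead of only reporting them.
        [switch]$Remove
    )

    # Window bounds taken from the query constants on this page (ms since Unix epoch).
    $epoch    = [datetime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    $badFrom  = $epoch.AddMilliseconds(1721362140000)   # 0409 UTC: problematic version
    $goodFrom = $epoch.AddMilliseconds(1721366820000)   # 0527 UTC: reverted (good) version

    # Throws if the directory is missing; returns nothing if no file matches.
    $files = Get-ChildItem -Path $Path -Filter 'C-00000291*.sys' -File -Force -ErrorAction Stop
    foreach ($file in $files) {
        $stamp  = $file.LastWriteTimeUtc
        $status = if ($stamp -ge $goodFrom) { 'Reverted (good)' }
                  elseif ($stamp -ge $badFrom) { 'Problematic' }
                  else { 'Predates window (not classified by the summary)' }

        # Only files inside the problematic window are deleted, and only after confirmation.
        $removed = $false
        if ($Remove -and $status -eq 'Problematic' -and
            $PSCmdlet.ShouldProcess($file.FullName, 'Delete channel file')) {
            Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
            $removed = $true
        }

        [pscustomobject]@{
            Name             = $file.Name
            LastWriteTimeUtc = $stamp.ToString('u')
            Status           = $status
            Removed          = $removed
        }
    }
}

# Report only; add -Remove (and answer the prompt) to delete problematic files.
Get-ChannelFile291Status | Format-Table -AutoSize
```

Adding -WhatIf to a -Remove run shows which files would be deleted without touching them.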

How to identify impacted systems using Advanced Event Search within Next-Gen SIEM:

// Get ConfigStateUpdate and SensorHeartbeat events
#event_simpleName=/^(ConfigStateUpdate|SensorHeartbeat)$/ event_platform=Win
// Narrow search to Channel File 291 and extract version number; accept all SensorHeartbeat events within impact window
| case {
#event_simpleName=ConfigStateUpdate | regex("\|1,123,(?<CFVersion>.*?)\|", field=ConfigStateData, strict=false) | parseInt(CFVersion, radix=16);
#event_simpleName=SensorHeartbeat | rename([[@timestamp, LastSeen]]);
}


| case{
#event_simpleName=ConfigStateUpdate | @timestamp>1721362140000 AND @timestamp < 1721366820000 | CSUcounter:=1;
#event_simpleName=SensorHeartbeat | LastSeen>1721362140000 AND LastSeen<1721366820000 | SHBcounter:=1;
*;
}
| default(value="0", field=[CSUcounter, SHBcounter])
// Make sure both ConfigState update and SensorHeartbeat have happened
| selfJoinFilter(field=[cid, aid, ComputerName], where=[{ConfigStateUpdate}, {SensorHeartbeat}])
// Aggregate results
| groupBy([cid, aid], function=([{selectFromMax(field="@timestamp", include=[CFVersion])}, {selectFromMax(field="@timestamp", include=[@timestamp]) | rename(field="@timestamp", as="LastSeen")}, max(CSUcounter, as=CSUcounter), max(SHBcounter, as=SHBcounter)]), limit=max)
// Perform check on selfJoinFilter
| CFVersion=* LastSeen=*
// Calculate time between last seen and now
| LastSeenDelta:=now()-LastSeen
// Optional threshold; 3600000 is one hour
| LastSeenDelta>3600000
// Calculate duration between last seen and now
| LastSeenDelta:=formatDuration("LastSeenDelta", precision=2)
// Convert LastSeen time to human-readable format
| LastSeen:=formatTime(format="%F %T", field="LastSeen")
// Enrich aggregation with aid_master details
| aid=~match(file="aid_master_main.csv", column=[aid])
| aid=~match(file="aid_master_details.csv", column=[aid], include=[FalconGroupingTags, SensorGroupingTags])
// Convert FirstSeen time to human-readable format
| FirstSeen:=formatTime(format="%F %T", field="FirstSeen")


// Move ProductType to human-readable format and add formatting
| $falcon/helper:enrich(field=ProductType)
| drop([Time])
| default(value="-", field=[MachineDomain, OU, SiteName, FalconGroupingTags, SensorGroupingTags], replaceEmpty=true)
| case{
CSUcounter=0 AND SHBcounter=0 | Details:="OK: Endpoint did not receive channel file during impacted window. Endpoint was offline.";
CSUcounter=0 AND SHBcounter=1 | Details:="OK: Endpoint did not receive channel file during impacted window. Endpoint was online.";
CSUcounter=1 AND SHBcounter=1 | Details:="CHECK: Endpoint received channel file during impacted window. Endpoint was online. Endpoint has not been seen online in past hour.";
}

Simon Hunt | Chief Product Officer at Reveald Inc.

Cybersecurity leader with vast contributions to the industry including multiple patents, leadership within startups and Fortune 500 companies, and over a dozen successful M&A transactions. Excelling in product, innovation, user experience, and development leadership while fostering collaborative teams. Simon's mission: Stop cybercriminals from getting rich.
