Last Updated: 07/22/2024 - 7:22am EDT

On Friday, July 19th a content update was sent to some CrowdStrike Falcon clients on Windows devices which resulted in “Blue Screen” errors for those devices. If you have a Duke-owned Windows device stuck on a blue screen at boot, this issue is almost certainly the cause.

The fix for this issue requires booting the Windows device into Safe Mode or Recovery Mode and deleting a file. Instructions for doing this are below. This post and these instructions may be updated as the situation develops.

=========

Fixing the Windows Device Problem (UPDATED)

The following documentation is for Duke University employees. Duke Health employees should call the DHTS Service Desk for assistance at 919-684-2243.

Last night, we worked with CrowdStrike to enable a new remediation fix in our CrowdStrike instance. It should now be much more likely that 1 or 2 reboots of a broken Windows device will automatically resolve the issue without further intervention. While it is not guaranteed, CrowdStrike is reporting high success rates with this new fix.

Three important factors:

  1. The device must have network connectivity, either wired or wireless, for this to have a chance to work.
  2. Wired devices have the highest chance of success with this fix. If at all possible, CrowdStrike recommends plugging the device into a wired connection before rebooting.
  3. After the problematic channel file is quarantined, the host may still BSOD once or twice. There’s a race between the bad content being quarantined and the bad content being processed and activated in the sensor. This is why a couple of reboots may be needed.

- If your device still crashes after several reboot attempts, move on to one of the options below.

Option 1: Using Safe Mode

Note: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.

1. Boot into Safe Mode

- Restart your computer by holding down the power button until the device powers off. Press the power button again to start the device.

- As it starts up, repeatedly press the F8 key (or Shift + F8) until you see the Advanced Boot Options menu.

- Select Safe Mode from the list.

Note: If your device uses BitLocker encryption, you might be asked for your BitLocker recovery key after selecting Safe Mode. If prompted and you don’t have it, please contact your local IT support staff or the OIT Service Desk at (919) 684-2200 for assistance.

2. Navigate to the CrowdStrike Directory

- Once you're in Safe Mode, open File Explorer (the folder icon on your taskbar).

- Go to This PC or My Computer.

- Open the C: drive (or your main drive).

- Navigate to Windows > System32 > drivers > CrowdStrike.

3. Delete the Problematic File

- In the CrowdStrike folder, look for a file that starts with “C-00000291” and ends with “.sys”. It might look like “C-00000291xyz.sys”.

- Right-click on the file and select Delete.

4. Boot Normally

- Close any open windows and restart your computer normally.


Option 2: Using the Windows Recovery Environment

1. Reboot Your Device into the Recovery Environment

- Restart your computer by holding down the power button until the device powers off. Press the power button again to start the device.

- As it starts up, immediately hold down the power button to force a shutdown. Repeat this process three times.

- On the fourth startup, your computer should enter the Windows Recovery Environment.

Note: If your device uses BitLocker encryption, you might be asked for your BitLocker recovery key when entering the Windows Recovery Environment. If prompted and you don’t have it, please contact your local IT support staff or the OIT Service Desk at (919) 684-2200 for assistance.

2. Open Command Prompt

- In the Windows Recovery Environment, select Troubleshoot.

- Then select Advanced options.

- Choose Command Prompt. This will open a command line window, usually starting with a temporary drive letter like X:.

3. Navigate to the Correct Drive and Folder

- Type `C:` and press Enter to switch to the C: drive.

- Next, type `cd \Windows\System32\drivers\CrowdStrike` and press Enter to navigate to the CrowdStrike folder.

4. Delete the Problematic File

- In the command prompt, type `del C-00000291*.sys` and press Enter. This command will delete the file that starts with “C-00000291” and ends with “.sys”.

5. Boot Normally

- Close the Command Prompt window.

- Restart your computer normally.
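The Option 2 steps above, collected into a single script as an added example (this is not part of the Duke notice or of any CrowdStrike tooling). It goes one step beyond the notice: in the Recovery Environment the Windows volume is not always lettered C:, so it checks several drive letters for the CrowdStrike driver folder, lists the matching file(s) before removing them, and stops if nothing matches. The drive-letter range C: through H: is an assumption.

```batch
@echo off
REM Added example for the WinRE Command Prompt (Option 2); not Duke or
REM CrowdStrike code. X: is the WinRE RAM drive, so it is skipped and the
REM Windows volume is looked for on C: through H: (assumed range).
setlocal
set "CSDIR="
for %%D in (C D E F G H) do (
    if exist "%%D:\Windows\System32\drivers\CrowdStrike\" (
        set "CSDIR=%%D:\Windows\System32\drivers\CrowdStrike"
        goto :found
    )
)
echo No CrowdStrike driver folder found on drives C: through H:.
echo Check the drive letter with DISKPART or "dir" and run the manual steps.
exit /b 1

:found
echo Using folder: %CSDIR%

REM Show exactly which channel file(s) match before anything is deleted,
REM so the technician can confirm only C-00000291*.sys is affected.
dir /b "%CSDIR%\C-00000291*.sys" 2>nul
if errorlevel 1 (
    echo No C-00000291*.sys file present; nothing to delete.
    echo If the device still blue-screens, contact your local IT support.
    exit /b 0
)

REM /f removes read-only files, /q suppresses the confirmation prompt.
del /f /q "%CSDIR%\C-00000291*.sys"
if exist "%CSDIR%\C-00000291*.sys" (
    echo Delete failed; the file is still present.
    exit /b 1
)
echo Problematic channel file removed. Close this window and restart normally.
endlocal
exit /b 0
```

Save it as a .cmd file on a USB drive and run it from the WinRE Command Prompt, or type the same commands by hand; for a single machine the manual steps in Option 2 remain the simplest path.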