Recovering from CrowdStrike Blue Screen

Summary

On July 19, 2024, CrowdStrike pushed a global update that caused Windows devices to crash to a blue screen. These instructions can help restore access to your computer.

Body

Overview

On July 19th, 2024, at midnight, CrowdStrike pushed an update to its client that caused some Windows machines with the CrowdStrike software to crash. CrowdStrike corrected the update within a short window of time, but any machine that accepted it may require administrative help to recover.

If your computer is at a blue screen caused by this issue, please follow the instructions below and contact your local IT team if you have any questions or need assistance.

Recovery Steps

If you've been affected by the CrowdStrike blue screen issue, follow the steps below to resolve it.

  1. Reboot your machine to give it an opportunity to download the CrowdStrike fix
    Note: connecting the machine to the wired network and using Safe Mode with Networking may help remediation
  2. Follow one of the below instruction sets:
    1. Boot into Safe Mode
    2. Alternate to Safe Mode

Note: On boot, you may be asked for a BitLocker Recovery Key. If so, you may be able to retrieve your own key, or you may have to contact your local IT team. See the instructions for Unlocking a computer with a BitLocker Recovery Key below.

Booting into Safe Mode

  1. Hold down the power button for 10 seconds to turn off your device.
  2. Press the power button again to turn on your device.
  3. On the first sign that Windows has started (for example, some devices show the manufacturer’s logo when restarting) hold down the power button for 10 seconds to turn off your device.
  4. Press the power button again to turn on your device.
  5. When Windows restarts, hold down the power button for 10 seconds to turn off your device.
  6. Press the power button again to turn on your device.
  7. Choose Troubleshoot
  8. Choose Advanced options
  9. Choose Startup Settings
  10. Click Restart
  11. Select Safe Mode from the options that appear when you restart.
  12. Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
  13. Locate the file that starts with "C-00000291" and ends in ".sys" and delete it
  14. Boot the device normally

Alternate to Safe Mode

If you're unable to boot directly into Safe Mode, you can try the following to attempt to delete the required file:

  1. Hold down the power button for 10 seconds to turn off your device.
  2. Press the power button again to turn on your device.
  3. On the first sign that Windows has started (for example, some devices show the manufacturer’s logo when restarting) hold down the power button for 10 seconds to turn off your device.
  4. Press the power button again to turn on your device.
  5. Again, on the first sign that Windows has started (for example, some devices show the manufacturer’s logo when restarting) hold down the power button for 10 seconds to turn off your device.
  6. Press the power button again to turn on your device.
  7. Choose Troubleshoot
  8. Choose Advanced options
  9. Choose Command Prompt
  10. In the command prompt window, type each line below, and press the return key after each line:
    1. c:
    2. cd windows
    3. cd system32
    4. cd drivers
    5. cd crowdstrike
    6. del C-00000291*
    7. exit
  11. Click Continue to Windows
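
For local IT staff, the same deletion as a batch script for the recovery Command Prompt. This is an added example, not part of the original instructions. It assumes the Windows volume may be mounted under a letter other than C: in the recovery environment, so it checks each letter and confirms the file is gone afterwards.

```batch
@echo off
rem Added example: locate and remove the faulty CrowdStrike channel file
rem (C-00000291*.sys) named in the steps above.
rem Assumption: the recovery environment may assign the Windows volume a
rem letter other than C:, so every candidate letter is checked.
rem X: is skipped because it is the recovery environment's own RAM disk.
set "FOUND=0"
for %%D in (C D E F G H I J K L M N O P Q R S T U V W Y Z) do (
    if exist "%%D:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys" (
        echo Matching file^(s^) on %%D:
        dir /b "%%D:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys"
        del /f /q "%%D:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys"
        rem Re-check so a failed delete is reported instead of assumed.
        if exist "%%D:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys" (
            echo   FAILED to delete on %%D: ^(volume read-only or file in use^)
        ) else (
            echo   Deleted on %%D:
            set "FOUND=1"
        )
    )
)
if "%FOUND%"=="0" (
    echo No C-00000291*.sys file was removed.
    echo If the drive is BitLocker-protected, unlock it with the recovery key first.
)
```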

Unlocking a computer with a BitLocker Recovery Key

You may be able to recover your BitLocker Recovery Key if your computer is managed by a unit that uses the ADS domain to log in. This includes many units like Weinberg College, NUIT, and others. Everyone can try the instructions below, but if you are not able to retrieve a recovery key, contact your local IT team.

  1. You will be presented with the following 2 screens if the machine needs to be unlocked.

    Windows 10 and 11

  2. If you typically log in to the ADS domain at Northwestern, which includes many schools and units like Weinberg College, you can use the Northwestern MBAM End User Self-Service Web Portal from a secondary device to request a BitLocker Recovery Key. Contact your local IT team if you have any questions.

    Note: You will need to be connected to VPN to log in to the BitLocker Recovery Portal
    https://mecmcas.tss.northwestern.edu/SelfService/Recovery/Index
     
  3. When prompted, log in to the Northwestern MBAM portal using your NetID & password.
  4. Input the first 8 characters of the BitLocker Key ID found on the computer console and select a reason for the recovery key to generate a one-time BitLocker Recovery Key.
  5. Click the Get Key button to generate the 48-digit BitLocker Recovery Key for that specific computer.
  6. Type the 48-digit BitLocker Recovery Key provided into your computer. If successful, the machine should proceed to the normal Windows log-in screen.

Details

Article ID: 2642
Created: Fri 7/19/24 5:02 AM
Modified: Fri 7/19/24 12:24 PM