CrowdStrike Falcon BSOD Issue: Troubleshooting and Resolution Guide 

Symptoms include Windows hosts experiencing a blue screen (BSOD) related to the Falcon Sensor.  

CrowdStrike Engineering identified a content deployment update related to this issue, pushed at 4:09 AM UTC. The changes have since been reverted. 

As a result, hosts that booted up after 5:27 AM UTC should not experience any issues. This issue does not impact Mac or Linux-based hosts. 

Reminder

Only uninstall CrowdStrike or follow the steps below if your systems are experiencing issues. 

If your systems have booted up and are back online, there is no need to uninstall CrowdStrike. 

After following the steps below, CrowdStrike will resume normal operations, and your systems will remain protected. 

If you are stuck at a reboot loop with a BSOD: 

CrowdStrike recommended booting into Safe Mode, but many customers reported problems with booting into Safe Mode.  

The following steps should work universally, even if the system does not have a local Admin account and does not have an internet connection. 

1. Allow the system to boot and crash three times to access the menu. 

2. Select Troubleshoot > Advanced Options > Command Prompt 

3. Enter your BitLocker Recovery Key if prompted. 

// If BitLocker is managed via Intune, this can be found at https://myaccount.microsoft.com, under "devices." Make sure to match the Hostname of the device and the Key ID  

// Otherwise, ask your local IT administrator for your BitLocker Recovery Key 

4. Type the commands in the command prompt window, followed by an Enter key. 

• Warning: The Command prompt starts at the X:\ drive. Please do not forget to switch to c:\ by typing these commands exactly  

• c:  

• cd windows  

• cd system32  

• cd drivers  

• cd crowdstrike  

• del C-00000291*  

• exit 

// If the file is still on the system  
-- Channel file "C-00000291*.sys" with a timestamp of 05:27 UTC or later is the reverted (good) version.  

-- Channel file "C-00000291*.sys" with a a timestamp of 04:09 UTC is the problematic version. The file's presence on a system does not necessarily mean the workaround needs to be applied. 

5. Click Continue to Windows 

Public cloud or similar environment, including VMs

Option 1

1. Detach the OS disk volume from the affected virtual server. 

2. Create a snapshot or backup of the disk volume. 

3. Attach/mount the volume to a new virtual server. 

4. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory. 

5. Locate and delete the file matching “C-00000291*.sys”. 

6. Detach the volume from the new virtual server. 

7. Reattach the fixed volume to the affected virtual server. 

Option 2

• Roll back to a snapshot before 04:09 UTC. 

Azure via serial to get into Safe Mode 

1. Login to Azure console --> Go to Virtual Machines  --> Select the VM  

2. Upper left on console --> Click : "Connect" --> Click --> Connect --> Click "More ways to Connect"  --> Click : "Serial Console"  

3. Once SAC has loaded, type 'cmd' and enter. 

• type in the 'cmd' command  

• type in : ch -si 1 

4. Press any key (space bar).   

5. Enter Administrator credentials. Type the following: 

• bcdedit /set {current} safeboot minimal  

• bcdedit /set {current} safeboot network 

6. Restart VM Optional: How to confirm the boot state? Run command: 

• wmic COMPUTERSYSTEM GET BootupState