Cyber Security News

CrowdStrike Releases Fix for Updates Causing Windows to Enter BSOD Loop

CrowdStrike has issued a fix for a problematic update that caused numerous Windows systems to experience the Blue Screen of Death (BSOD), rendering them inoperable.

This issue, which did not affect Mac or Linux hosts, was not a result of a security incident or cyberattack but stemmed from a defect in a single content update for Windows hosts.

Fixes Released for CrowdStrike Update Error

The problem was traced to the Falcon Sensor update, specifically the channel file “C-00000291*.sys,” with a timestamp of 0409 UTC, which caused systems to crash with a BSOD error.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

CrowdStrike’s engineering team quickly identified and isolated the issue, reverting the changes and deploying a fix. The updated channel file, now with “C-00000291*.sys” with the timestamp of 0527 UTC or later, should prevent further occurrences of the error.

Systems that have not been impacted do not require any action, and those brought online after 0527 UTC will also not be affected.

Impact and Mitigation Steps

The faulty update significantly impacted various sectors, including banks, airlines, supermarkets, and television broadcasters, causing widespread disruption.

IT administrators were advised to manually boot affected systems into Safe Mode or the Windows Recovery Environment to delete the problematic driver file. This workaround, while effective, often required physical access to the machines and could be complicated by disk encryption tools like BitLocker.

For Individual hosts, CrowdStrike provided the following steps:

  1. Boot Windows into Safe Mode or the Windows Recovery Environment.
  2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory.
  3. Locate and delete the file matching “C-00000291*.sys”.
  4. Boot the host normally.

Workaround for Public Cloud Environments

Option 1:

  • ​​​​​​​Detach the operating system disk volume from the impacted virtual server
  • Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes
  • Attach/mount the volume to to a new virtual server
  • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
  • Locate the file matching “C-00000291*.sys”, and delete it.
  • Detach the volume from the new virtual server
  • Reattach the fixed volume to the impacted virtual server

Option 2:

  • ​​​​​​​Roll back to a snapshot before 0409 UTC.

CrowdStrike has also provided solutions for addressing AWS, Azure, and Bitlocker recovery issues.

The incident underscores the risks associated with automatic updates for security software and highlights the need for rigorous testing and staged rollout policies.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

US Department Of Homeland Security Terminates Entire Advisory Committees

In a sweeping directive aimed at streamlining the Department of Homeland Security (DHS) operations, Acting…

11 minutes ago

Hackers Exploited 16 0-days & Earned $382,750 – Pwn2Own Automotive 2025

The much-anticipated Pwn2Own Automotive 2025 kicked off today at Tokyo Big Sight, showcasing the cutting…

6 hours ago

Windows File Explorer Elevation Of Privilege Vulnerability(CVE-2024-38100) Exploited

A critical security flaw in Windows File Explorer, identified as CVE-2024-38100, has been actively exploited,…

7 hours ago

1,000+ Malicious Domains Mimic Reddit & WeTransfer To Deliver Malware

Over 1,000 malicious domains have been identified that impersonate popular platforms like Reddit and WeTransfer…

7 hours ago

Helldown Ransomware Exploiting Zyxel Devices Using Zero-Day Vulnerability

A new ransomware threat dubbed "Helldown" has emerged, actively exploiting vulnerabilities in Zyxel firewall devices…

7 hours ago

Ex-CIA Analyst Pleads Guilty To Leaking National Defense Information

A former CIA analyst, Asif William Rahman, 34, pleaded guilty today to unlawfully retaining and…

10 hours ago