Global Outage Alert: Windows BSOD Crisis Following CrowdStrike Update – Recovery Steps

Table of Contents

Official CrowdStrike post | https://www.crowdstrike.com/blog/technical-details-on-todays-outage/
Source | https://blog.qualys.com/

  • Steps For Regaining Access to Windows PCs, AWS & Azure
  • Qualys Assurance No Impact on Our Services

On the morning of Friday, July 19, 2024, reports surfaced worldwide of Microsoft Windows hosts crashing with the Blue Screen of Death (BSOD) after receiving a CrowdStrike Falcon sensor content update (Channel File 291). The outage severely disrupted critical services, including telecommunications, banking, airline and railway operations, supermarkets, hospitals, and major news networks.

Steps For Regaining Access to Windows PCs, AWS & Azure 

CrowdStrike has outlined a four-step process for regaining access to Windows PCs affected by the update:

  1. Boot Windows into Safe Mode or the Windows Recovery Environment.
  2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory.
  3. Locate and delete the file matching “C-00000291*.sys”.
  4. Boot the host normally.
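The four steps above, as an added PowerShell example (not code from the Qualys post or from CrowdStrike). It is meant to be run from Safe Mode, WinRE, or a rescue host with the affected disk attached, so the drive letter is a parameter rather than a hard-coded C: (in WinRE the OS volume is frequently mapped to another letter). The function name, the quarantine folder and the sample drive letters are assumptions; it moves the channel file out of the driver directory instead of deleting it so the artefact survives for later review, and it only touches files matching C-00000291*.sys, never the sensor driver itself.

```powershell
# Added example, not part of the original post or CrowdStrike's guidance.
# Removes the faulty Channel File 291 from a (possibly offline) Windows volume.

function Repair-FalconChannelFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Root of the affected Windows volume, e.g. 'C:' or, in WinRE, 'D:'.
        # Check with Get-Volume / diskpart first; the letter is an assumption.
        [Parameter(Mandatory)] [string] $SystemDrive,
        # 48-digit BitLocker recovery password; only needed if the volume is locked.
        [string] $RecoveryPassword
    )

    $root = $SystemDrive.TrimEnd('\')

    # A BitLocker-locked volume shows no files at all, so unlock it first.
    if ($RecoveryPassword) {
        & manage-bde.exe -unlock "$root\" -RecoveryPassword $RecoveryPassword | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "manage-bde could not unlock $root (exit $LASTEXITCODE)" }
    }

    $dir = Join-Path $root 'Windows\System32\drivers\CrowdStrike'
    if (-not (Test-Path -LiteralPath $dir)) {
        throw "No Falcon driver directory at $dir : wrong drive letter, or the sensor is not installed"
    }

    # Only channel file 291 is implicated. Leave every other C-*.sys and csagent.sys alone.
    $bad = @(Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File)
    if ($bad.Count -eq 0) {
        Write-Warning "No C-00000291*.sys under $dir; nothing to do"
        return @()
    }

    # Quarantine folder (assumed name) on the same volume, so the file is kept for IR review.
    $quarantine = Join-Path $root 'CrowdStrike-quarantine'
    New-Item -ItemType Directory -Path $quarantine -Force | Out-Null

    $moved = foreach ($f in $bad) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Move to quarantine')) {
            Move-Item -LiteralPath $f.FullName -Destination $quarantine -Force
            Join-Path $quarantine $f.Name
        }
    }
    return $moved
}

# Usage (drive letters assumed):
#   Repair-FalconChannelFile -SystemDrive 'D:' -WhatIf                    # dry run, lists what would move
#   Repair-FalconChannelFile -SystemDrive 'D:' -RecoveryPassword '123456-123456-...'
```

If the recovery environment has no PowerShell (WinRE images often omit it), the equivalent in cmd is `del <drive>:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys` after `manage-bde -unlock <drive>: -RecoveryPassword <key>` where BitLocker applies. The sensor reloads channel files from that directory on the next boot, so moving the file out is sufficient; no reinstall is needed.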

For cloud environments, customers can also revert the affected VM to a snapshot taken before 04:09 UTC on July 19, 2024, the time the faulty channel file was published.

For AWS (Amazon Web Services), follow these steps:

  1. Detach the EBS volume from the impacted EC2 instance.
  2. Attach the EBS volume to a new EC2 instance.
  3. Fix the CrowdStrike driver folder.
  4. Detach the EBS volume from the new EC2 instance.
  5. Attach the EBS volume back to the impacted EC2 instance.
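The AWS sequence above, scripted as an added example with the AWS CLI called from PowerShell (this is not code from the Qualys post, AWS, or CrowdStrike). It looks up the root volume and its device name rather than assuming /dev/sda1, takes a snapshot before touching anything, and waits on each state transition instead of sleeping. The instance IDs, region, rescue device name and the function name are assumptions; the rescue instance must be a healthy Windows instance in the same Availability Zone as the volume.

```powershell
# Added example, not part of the original post. Requires the AWS CLI on the path
# and credentials with ec2:Describe*, StopInstances, StartInstances, DetachVolume,
# AttachVolume and CreateSnapshot. IDs below are placeholders.

function Invoke-EbsRescue {
    param(
        [Parameter(Mandatory)] [string] $ImpactedInstanceId,   # e.g. i-0123456789abcdef0 (assumed)
        [Parameter(Mandatory)] [string] $RescueInstanceId,     # healthy Windows instance, same AZ (assumed)
        [string] $Region = 'us-east-1',                        # assumed
        [string] $RescueDevice = 'xvdf'                        # appears as a new drive letter on the rescue host
    )
    $ErrorActionPreference = 'Stop'

    # Thin wrapper: text output for easy capture, fail loudly on a non-zero exit.
    function aws-cmd {
        & aws --region $Region --output text @args
        if ($LASTEXITCODE -ne 0) { throw "aws $($args -join ' ') failed (exit $LASTEXITCODE)" }
    }

    # 1. Identify the root volume. A root volume can only be detached from a stopped instance.
    $rootDev = aws-cmd ec2 describe-instances --instance-ids $ImpactedInstanceId `
        --query 'Reservations[0].Instances[0].RootDeviceName'
    $volId = aws-cmd ec2 describe-volumes `
        --filters "Name=attachment.instance-id,Values=$ImpactedInstanceId" "Name=attachment.device,Values=$rootDev" `
        --query 'Volumes[0].VolumeId'

    # Snapshot before any change so the file removal is reversible.
    $snapId = aws-cmd ec2 create-snapshot --volume-id $volId `
        --description "pre-CrowdStrike-fix $ImpactedInstanceId" --query 'SnapshotId'

    aws-cmd ec2 stop-instances --instance-ids $ImpactedInstanceId | Out-Null
    aws-cmd ec2 wait instance-stopped --instance-ids $ImpactedInstanceId
    aws-cmd ec2 detach-volume --volume-id $volId | Out-Null
    aws-cmd ec2 wait volume-available --volume-ids $volId

    # 2. Attach it to the rescue instance as a secondary disk.
    aws-cmd ec2 attach-volume --volume-id $volId --instance-id $RescueInstanceId --device $RescueDevice | Out-Null
    aws-cmd ec2 wait volume-in-use --volume-ids $volId

    # 3. On the rescue host (RDP or SSM), bring the disk online if Disk Management shows it
    #    offline, then remove the channel file from the new drive letter, for example:
    #    Remove-Item 'E:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys'
    Read-Host "Volume $volId is attached to $RescueInstanceId as $RescueDevice. Remove C-00000291*.sys there, then press Enter"

    # 4 and 5. Return the volume to its original device name and start the instance.
    aws-cmd ec2 detach-volume --volume-id $volId | Out-Null
    aws-cmd ec2 wait volume-available --volume-ids $volId
    aws-cmd ec2 attach-volume --volume-id $volId --instance-id $ImpactedInstanceId --device $rootDev | Out-Null
    aws-cmd ec2 wait volume-in-use --volume-ids $volId
    aws-cmd ec2 start-instances --instance-ids $ImpactedInstanceId | Out-Null

    return [pscustomobject]@{ VolumeId = $volId; SnapshotId = $snapId; RootDevice = $rootDev }
}

# Usage (IDs assumed):
#   Invoke-EbsRescue -ImpactedInstanceId 'i-0123456789abcdef0' -RescueInstanceId 'i-0fedcba9876543210' -Region 'eu-west-1'
```

Re-attaching to the device name reported by `RootDeviceName` matters: attaching the repaired volume under a different device makes the instance boot from nothing. If the root volume is encrypted with a KMS key, the rescue instance's role also needs decrypt permission on that key or the attach will fail.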

For Azure, follow these steps:

  1. Log in to the Azure console. 
  2. Go to Virtual Machines and select the affected VM. 
  3. In the upper left of the console, click “Connect”. 
  4. Click “More ways to Connect” and then select “Serial Console”. 
  5. Once SAC has loaded, type in ‘cmd’ and press Enter. 
  6. Type ‘ch -si 1’ and press the space bar. 
  7. Enter Administrator credentials. 
  8. Type one of the following commands (`bcdedit /set` replaces the value, so the second would simply overwrite the first; pick ‘network’ if you need remote tools such as RDP in Safe Mode):
    • ‘bcdedit /set {current} safeboot minimal’ 
    • ‘bcdedit /set {current} safeboot network’ 
  9. Restart the VM. 
  10. To confirm the boot state, run the command: ‘wmic COMPUTERSYSTEM GET BootupState’ (it reports “Fail-safe boot” or “Fail-safe with network boot” in Safe Mode). 
  11. Delete the C-00000291*.sys file as in the Windows steps above, then run ‘bcdedit /deletevalue {current} safeboot’ and restart, otherwise the VM keeps booting into Safe Mode, where the Falcon sensor and most services do not start. 
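The boot-configuration part of the Azure procedure as an added PowerShell example (not code from the Qualys post, Microsoft, or CrowdStrike), for use in an elevated PowerShell reached through the serial console (SAC, then ‘cmd’, then ‘powershell’) or any other administrative session on the VM. The function names are ours; the bcdedit and CIM calls are standard. It parses the current boot entry to confirm what was set, and includes the clean-up step that returns the VM to a normal boot once the channel file is gone.

```powershell
# Added example, not part of the original post. Toggle Safe Mode on the current
# boot entry and report the resulting state. Run as Administrator.

function Get-SafeBootSetting {
    # Read the setting back from the boot entry rather than trusting the last command.
    foreach ($line in (& bcdedit.exe /enum '{current}')) {
        if ($line -match '^\s*safeboot\s+(\S+)') { return $Matches[1] }   # 'Minimal' or 'Network'
    }
    return 'normal'   # no safeboot value present: next boot is a normal boot
}

function Set-SafeBoot {
    param([ValidateSet('minimal', 'network')] [string] $Mode = 'minimal')
    # 'minimal' and 'network' are alternatives: bcdedit /set overwrites the value,
    # so running both just leaves the last one in place.
    & bcdedit.exe /set '{current}' safeboot $Mode | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /set failed (exit $LASTEXITCODE); is the session elevated?" }
    return Get-SafeBootSetting
}

function Clear-SafeBoot {
    # Without this the VM keeps booting into Safe Mode after the fix.
    & bcdedit.exe /deletevalue '{current}' safeboot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /deletevalue failed (exit $LASTEXITCODE)" }
    return Get-SafeBootSetting
}

function Get-BootupState {
    # Same information as `wmic COMPUTERSYSTEM GET BootupState` without the deprecated wmic.
    # Values: 'Normal boot', 'Fail-safe boot' (Safe Mode), 'Fail-safe with network boot'.
    return (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
}

# Usage, in order:
#   Set-SafeBoot -Mode network ; Restart-Computer          # step 8 and 9
#   Get-BootupState                                       # step 10, expect 'Fail-safe with network boot'
#   Remove-Item 'C:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys'
#   Clear-SafeBoot ; Restart-Computer                     # back to a normal boot
```

`Get-SafeBootSetting` returning ‘normal’ after `Clear-SafeBoot` is the check worth scripting: a VM left with the safeboot value set will come back online, pass a ping, and still have no Falcon sensor, no scheduled tasks and no non-essential services running.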

The fix is manual and per-host, which is a significant burden for organisations that do not hold snapshots or backups of every VDI image, and it slows recovery accordingly. Where BitLocker protects the system disk, the 48-digit recovery key is also required to unlock the volume before the file can be removed from Safe Mode or the Recovery Environment, so the recovery keys must be retrievable (for example from Active Directory or Microsoft Entra ID) while the affected machines are down. 

CrowdStrike Engineering has reverted the change that caused the crashes. The issue is tracked in CrowdStrike's support portal under the Tech Alert “Tech-Alert-Windows-crashes-related-to-Falcon-Sensor-2024-07-19”; that string is the title of the alert, not an error code displayed on affected systems.

Source | https://blog.qualys.com/vulnerabilities-threat-research/2024/07/19/global-outage-alert-windows-bsod-crisis-following-crowdstrike-update-recovery-steps-qualys-assurance
