Manpreet

The CrowdStrike Update Debacle



Yesterday morning, many of us woke up to news of a large-scale digital disruption: a seemingly innocuous update from CrowdStrike had gone off the rails and set off a chain reaction of failures across thousands of critical systems worldwide. This incident is a sharp reminder of just how fragile our connected digital world can be.


Even though it is obvious that this incident stemmed from a misstep rather than malice, botched updates are not uncommon: who hasn't been met by a new bug after an overnight update? What sets this CrowdStrike incident apart is the scale and severity of its impact.


The flawed update sent Windows PCs into a BSOD loop, leaving them unusable. To make matters worse, the update installed itself on millions of machines overnight. Once a PC has entered this loop, the only cure is for a technician to apply the fix on each machine individually. Channel file “C-00000291*.sys” with a timestamp of 0409 UTC is the problematic version that caused this havoc.


So far, the incident has crippled thousands of companies worldwide, and there's no doubt the path to recovery will be long and challenging.



Who is not affected


  • Windows hosts brought online after 0527 UTC are not impacted.

  • Hosts running Windows 7/2008 R2 are not affected.

  • Mac and Linux based hosts are not affected.



Remediation Steps


The CrowdStrike debacle underlines the fragile nature of our digital infrastructure and puts forward a case for robust contingency planning to avoid such large-scale failures.


To address issues with a host crashing, follow these steps to allow it to download the reverted channel file:


  1. Reboot the Host: This gives the host a chance to download the necessary channel file.

  2. If the Host Crashes Again: Boot into Safe Mode or the Windows Recovery Environment. Tip: Connecting the host to a wired network instead of WiFi and selecting Safe Mode with Networking can improve your chances of successful remediation.

  3. Access the CrowdStrike Directory: Navigate to `%WINDIR%\System32\drivers\CrowdStrike`.

  4. Delete the Problematic File: Look for a file named “C-00000291*.sys” and delete it.

  5. Reboot Normally: Start the host as you normally would.



Note: If BitLocker is enabled on the host, you may need a recovery key to proceed.

By following these steps, you can resolve the crash issue and get your host back to normal operation.
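As an added example (not part of the original post and not CrowdStrike's own tooling), the following PowerShell script performs steps 3 and 4 above from Safe Mode with Networking, keeping any channel file that already carries the reverted 0527 UTC (or later) timestamp. It assumes the timestamps in the post refer to the file's last-write time and that the incident date is 2024-07-19, neither of which the post states; run it as an administrator, with -DryRun first.

```powershell
# Added example: scripted version of the manual remediation steps above.
# Assumptions (not from the post): the 0409/0527 UTC timestamps are the
# channel file's LastWriteTimeUtc, and the incident date is 2024-07-19.
# Run from Safe Mode (with Networking) as an administrator.
param(
    [switch]$DryRun   # report what would be deleted without touching anything
)

$csDir = Join-Path $env:WINDIR 'System32\drivers\CrowdStrike'

# Reverted channel file 291 is stamped 0527 UTC or later (date assumed).
$revertedStamp = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc)

if (-not (Test-Path -LiteralPath $csDir)) {
    Write-Error "CrowdStrike directory not found: $csDir"
    exit 1
}

$candidates = @(Get-ChildItem -LiteralPath $csDir -Filter 'C-00000291*.sys' -File)
if ($candidates.Count -eq 0) {
    Write-Output "No channel file 291 present; the host should fetch a fresh copy on reboot."
    exit 0
}

foreach ($f in $candidates) {
    $stamp = $f.LastWriteTimeUtc
    if ($stamp -ge $revertedStamp) {
        # Already the fixed version: leave it alone so the sensor keeps working.
        Write-Output "KEEP    $($f.Name)  ($stamp UTC) - already the reverted version"
        continue
    }
    # Older than the reverted version: this is the faulty 0409 UTC file.
    if ($DryRun) {
        Write-Output "WOULD DELETE $($f.Name)  ($stamp UTC)"
    } else {
        Remove-Item -LiteralPath $f.FullName -Force
        Write-Output "DELETED $($f.Name)  ($stamp UTC) - reboot normally to download the fix"
    }
}
```

After a real run, reboot normally (step 5) so the sensor can download the reverted channel file; hosts with BitLocker still need their recovery key before Safe Mode can be entered.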


For BitLocker recovery, refer to the following KBs:




