Outage from CrowdStrike update impacts Microsoft Windows users. What you need to know.

On July 19, 2024, a CrowdStrike update caused Microsoft Windows hosts to fail with a stop code related to the csagent.sys file. Key symptoms included hosts experiencing a bug check (blue screen error) related to the Falcon Sensor.

Details of the Impact 

The problematic version of the channel file, identified as "C-00000291*.sys" with a timestamp of 0409 UTC, caused these issues. However, certain environments remained unaffected: 

  • Windows hosts brought online after 0527 UTC. 
  • Hosts running Windows 7/2008 R2. 
  • Channel file "C-00000291*.sys" with a timestamp of 0527 UTC or later. 
  • Mac- or Linux-based hosts.

Resolution Steps 

For Individual Hosts:

Reboot the host to give it an opportunity to download the reverted channel file. If the host crashes again, then:

1. Boot Windows into Safe Mode or the Windows Recovery Environment.
  • Note: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.
2. Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
3. Locate the file matching “C-00000291*.sys” and delete it.
4. Boot the host normally.
  • Note: BitLocker-encrypted hosts may require a recovery key.

For Public Cloud or Virtual Hosts: 

To address the issue, organizations can follow one of the two remediation options: 

Option 1: Manual Fix

1. Detach the operating system disk volume from the impacted virtual server. 
2. Create a snapshot or backup of the disk volume as a precaution. 
3. Attach the volume to a new virtual server. 
4. Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory. 
5. Locate and delete the matching “C-00000291*.sys” file. 
6. Reattach the fixed volume to the impacted virtual server. 
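
Steps 4 and 5 of the manual fix can be scripted on the repair server. The PowerShell below is an added example, not CrowdStrike's or C1's tooling. The E:\Windows mount path, the use of the file's last-write time as "the timestamp", and the choice to keep a file already stamped 0527 UTC or later are assumptions.

```powershell
# Added example: assumes the detached OS volume is mounted (and unlocked, if
# BitLocker-protected) on the repair server. E:\Windows is a placeholder path.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Windows directory on the attached volume (%WINDIR% of the impacted host).
    [string]$OfflineWindir = 'E:\Windows'
)

# The reverted channel file is stamped 0527 UTC or later on July 19, 2024.
# Assumption: "timestamp" is read from the file's last-write time.
$revertedFromUtc = [datetime]::new(2024, 7, 19, 5, 27, 0, [System.DateTimeKind]::Utc)

$dir = Join-Path $OfflineWindir 'System32\drivers\CrowdStrike'
if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
    throw "CrowdStrike driver directory not found: $dir (is the volume mounted and unlocked?)"
}

$channelFiles = @(Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File -Force)
if ($channelFiles.Count -eq 0) {
    Write-Output "No C-00000291*.sys file present in $dir; nothing to remove."
    return
}

foreach ($file in $channelFiles) {
    $stamp = $file.LastWriteTimeUtc
    if ($stamp -ge $revertedFromUtc) {
        # Already the reverted version: leave it in place.
        Write-Output ("KEEP   {0}  {1:u}" -f $file.Name, $stamp)
        continue
    }
    Write-Output ("REMOVE {0}  {1:u}" -f $file.Name, $stamp)
    # -WhatIf / -Confirm are honoured here because of SupportsShouldProcess.
    if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete channel file')) {
        Remove-Item -LiteralPath $file.FullName -Force
    }
}
```

Run it with `-WhatIf` first to list what would be removed, and only after the snapshot from step 2 exists.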

Option 2: Snapshot Rollback

  • Roll back to a snapshot taken before 0409 UTC

For organizations with BitLocker, the security key will be required during the remediation process. Additionally, an automated CrowdStrike workaround in Safe Mode using Group Policy Object (GPO) is available. 

Impact on C1 Customers 

Given C1’s close ties with our technology partners, we receive early notification regarding potential issues and remediation efforts. This enables C1 OnGuard Managed Services to maintain active monitoring, provide early support and minimize potential downtime. Customer impact for this recent outage was minimal. Intermittent issues were easily addressed due to our tailored Managed Services design deployed for each customer. 

Stay tuned for further learnings based on this and other recent incidents.  

 

CrowdStrike Support

Here’s the official statement from CrowdStrike to answer questions you may have. Learn More

About the author:
C1 is transforming the industry by creating connected experiences that make a lasting impact on customers, our teams and our communities. More than 10,000 customers use C1 every day to help them build meaningful connections through innovative and secure experiences.