Crowdstrike Falcon Agent causing Blue Screen of Death (BSOD) Errors

Published: 19 July 2024

Prepared by: Triskele Labs Technical Team

Crowdstrike Falcon Agent Causing Blue Screen of Death (BSOD) Errors on Windows 

Purpose 

The purpose of this bulletin is to address the potential issue affecting the CrowdStrike Falcon Sensor for Windows. CrowdStrike has released an internal advisory regarding this issue and has issued temporary workarounds to recover from this loop. Symptoms of this issue include hosts experiencing a bugcheck\blue screen error related to the Falcon Sensor. 

CrowdStrike Engineering has advised that they have identified a content deployment related to this issue and reverted those changes. However, the affected devices would need to complete the boot process to receive the updated files. 

Impact  

Users are unable to boot into Windows and experience the Blue Screen of Death Error. The error codes typically reflect the Crowdstrike Agent file: csagent.sys

Crowdstrike Engineering has advised that the following releases are affected:

• Channel file "C-00000291*.sys" with timestamp of 0409 UTC is affected,
• Channel file "C-00000291*.sys" with timestamp of 0527 UTC or later is the reverted (good) version.
• Windows hosts which are brought online after 0527 UTC will not be impacted by this issue.
• This issue is not impacting Mac- or Linux-based hosts.

Mitigation Actions 

If your endpoints are crashing and unable to stay online to receive the Channel File Changes, the following steps provided by CrowdStrike support can be used to mitigate this issue: 

Workaround Steps for Individual Hosts: 

1. Boot Windows into Safe Mode or the Windows Recovery Environment 
2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory 
3. Locate the file matching “C-00000291*.sys”, and delete it.  
4. Reboot the host normally. 

An alternative method can be used if you are unable to access Safe Mode:

1. Boot Windows into Advanced Startup Mode (CMD Prompt)
2. Run this command: cd /d C:\
   
3. Then run this command: del "C:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys"
4. Reboot the host normally.

Workaround Steps for public cloud or similar environment including virtual:

Option 1:

1. Detach the operating system disk volume from the impacted virtual server
2. Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes
3. Attach/mount the volume to a new virtual server
4. Navigate to the %WINDIR%\\System32\drivers\CrowdStrike directory
5. Locate the file matching “C-00000291*.sys”, and delete it.
6. Detach the volume from the new virtual server
7. Reattach the fixed volume to the impacted virtual server

1. Roll back to a snapshot before 0409 UTC. 

1. Login to Azure console --> Go to Virtual Machines --> Select the VM
2. Upper left on console --> Click : "Connect" --> Click --> Connect --> Click "More ways to Connect"  --> Click : "Serial Console"
3. Step 3 : Once SAC has loaded, type in 'cmd' and press enter.
4. type in 'cmd' command
5. type in : ch -si 1
6. Press any key (space bar). Enter Administrator credentials
7. Type the following:
   bcdedit /set {current} safeboot minimal
   bcdedit /set {current} safeboot network
8. Restart VM
9. Optional: If you would like to confirm the boot state please run command: wmic COMPUTERSYSTEM GET BootupState

For additional information please see this Microsoft article.

Triskele Labs will be updating this article with additional information as it is released from CrowdStrike, and with potential avenues for deployment of this fix. Our engineers are actively working on this issue.

Notes

It is important to note that, if you are running Bitlocker for encryption, you will require the Bitlocker key for the individual impacted machine. In addition, you may require the Crowdstrike Tamper Protection key.

References 

References used for the generation of this release: 

https://supportportal.crowdstrike.com/s/article/Tech-Alert-Windows-crashes-related-to-Falcon-Sensor-2024-07-19