CrowdStrike Addresses Windows Outage: Workaround Steps for Affected Hosts
By: Austin Ukpebor - July 20, 2024 at 14:11:22pm
CrowdStrike released an official statement on the evening of July 19, 2024, following the outage that affected Windows hosts. According to the statement, the company is actively working with clients impacted by an anomaly detected in a content update intended specifically for Windows workstations. The faulty update caused disruptions on Windows, while Mac and Linux hosts remained unaffected. CrowdStrike also clarified that the event was not the result of a cyberattack.
“The issue has been meticulously pinpointed and contained, and a solution has been successfully implemented. Clients are directed to the support portal for updates, and thorough notifications will be provided on the company’s blog platform. Organizations are advised to verify correspondence with CrowdStrike representatives through official channels. The dedicated team is diligently working to reinstate systems to full functionality, ensuring the services upon which clients rely,” CrowdStrike said.
In response to the recent CrowdStrike outage affecting Windows systems, here are the essential details and steps for affected hosts:
Symptoms and Impact
- Symptoms: Hosts experiencing a blue screen error related to the Falcon sensor.
- Windows Hosts Not Impacted: No action is required if your Windows hosts have not been affected. The problematic channel file has been reverted.
- Newly Brought Online Hosts: Windows hosts brought online after 0527 UTC will also remain unaffected.
- Mac and Linux Hosts: This issue does not impact Mac or Linux-based hosts.
Workaround Steps for Individual Hosts
Reboot and Wired Network:
- Reboot the affected host to allow it to download the reverted channel file.
- Connect the host to a wired network (Ethernet) before rebooting for faster internet connectivity.
If the Host Crashes Again:
- Boot Windows into Safe Mode or the Windows Recovery Environment.
- Note: Safe Mode with Networking can aid in remediation.
- Navigate to %WINDIR%\System32\drivers\CrowdStrike (or the equivalent directory on WinRE/WinPE).
Locate and Delete the Problematic File:
- Find the file matching “C-00000291*.sys”.
- Delete it from the CrowdStrike directory.
Boot Normally:
- Boot the host normally.
- Note: BitLocker-encrypted hosts may require a recovery key.
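The locate-and-delete steps above can be scripted for hosts booted into Safe Mode. The script below is an added example, not CrowdStrike's own tooling; it assumes PowerShell is available in the boot environment, and the script name `Remove-ChannelFile291.ps1` and the `-WindowsDir` parameter are hypothetical.

```powershell
# Remove-ChannelFile291.ps1 (hypothetical name; added example, not vendor code)
# Deletes only files matching C-00000291*.sys in the CrowdStrike driver directory.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    # Windows directory of the affected installation. Defaults to the running OS;
    # pass another path (e.g. 'D:\Windows') if the OS volume has a different letter.
    [string]$WindowsDir = $env:WINDIR
)

$pattern = 'C-00000291*.sys'
$csDir   = Join-Path -Path $WindowsDir -ChildPath 'System32\drivers\CrowdStrike'

# Stop early if the directory is missing (wrong volume, or sensor not installed).
if (-not (Test-Path -LiteralPath $csDir -PathType Container)) {
    Write-Error "CrowdStrike directory not found: $csDir"
    exit 1
}

# -Force includes hidden/system files; -File excludes directories.
$targets = @(Get-ChildItem -LiteralPath $csDir -Filter $pattern -File -Force)
if ($targets.Count -eq 0) {
    Write-Output "No file matching $pattern in $csDir; nothing to delete."
    exit 0
}

$failed = 0
foreach ($file in $targets) {
    Write-Output ("Found {0} ({1} bytes, last written {2:u})" -f `
        $file.FullName, $file.Length, $file.LastWriteTimeUtc)

    # Prompts per file unless -Confirm:$false is given; -WhatIf only reports.
    if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete channel file')) {
        try {
            Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
            Write-Output "Deleted $($file.Name)"
        } catch {
            Write-Warning "Could not delete $($file.FullName): $($_.Exception.Message)"
            $failed++
        }
    }
}

if ($failed -gt 0) { exit 2 }
Write-Output 'Finished. Boot the host normally.'
```

Run it with `-WhatIf` first to list the matching files without deleting anything.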