CrowdStrike Blue Screen of Death Mitigation for Windows (2024-07-19)

[antonym]

If you were impacted by the CrowdStrike fun today and getting a Blue Screen of Death and are having issues with Windows Recovery, you can use netboot.xyz to help you recover.

Their full article is listed here Statement on Falcon content update for Windows Hosts. These instructions are for quick access to the Windows Filesystem to remove the content needed to fix the BSOD issues.

Load up netboot.xyz as usual, and load the System Rescue CD from the Utility menu. Once it's loaded up, determine where your Windows partition is:

fdisk -l

Look for the larger Microsoft basic data partition. In the example above, the drive is /dev/sda3/

If you have a Bit Locker key, you'll need to unlock the parition with your key and mount the volume, replacing your location of data, key, and mount point from the example. If you don't have Bit Locker, you can skip this step (untested):

dislocker -r -V /dev/sda1 -p315442-000000-000000-000000-000000-000000-000000-000000 -- /mnt/windows

Create a mount point and mount the Windows partition to a Linux mount:

mkdir /mnt/windows
mount -t ntfs /dev/sda3 /mnt/windows

From there you should have access to remove the faulty Crowd Strike File as detailed in their instructions.

cd /mnt/windows/Windows/System32/drivers/CrowdStrike
rm C-00000291*.sys
cd /
umount /mnt/windows

Once the file is removed, you should be able to reboot the machine and the BSODs should be fixed.

These instructions are for educational purposes only. Procedure tested on a Windows 11 VM in Proxmox.