Background
On July 19, 2024, Beijing Time (UTC+8), Tencent Cloud monitoring detected abnormal restarts of CVM instances. The community disclosed a Windows operating system blue screen issue, initially traced to a faulty update of third-party security vendor CrowdStrike's Falcon Sensor software, which caused csagent.sys errors on user hosts.
Note
If your host uses CrowdStrike security software, it may be affected.
Impact Range Explanation
The affected services include SharePoint Online, OneDrive for Business, Microsoft Defender, and Microsoft 365 Admin Center.
Temporary Solution
Note
Please note that this temporary solution may cause the CrowdStrike security software to become ineffective. It is recommended that you assess the risks before proceeding.
Rename or delete the CrowdStrike-related files that are causing the blue screen via WinPE or rescue mode.
If it is a Tencent Cloud machine, you can repair it via rescue mode.
1. Log in to the CVM Console, find your Windows server, and click More > OPS and Check > Enter Rescue Mode. For detailed guidance, see Rescue Mode.
2. Rename the CrowdStrike files via rescue mode.
2.1 Install the NTFS software package.
2.2 Mount the Windows system partition. First confirm which partition holds the C:\Windows directory of the Windows file system. If unsure, try mounting each partition in turn until you find the one containing the Windows\System32 directory. Use the lsblk command to list the current partitions, then mount the one you identified (replace /dev/vda2 with your partition):
mount -t ntfs /dev/vda2 /mnt/
2.3 Navigate to the location of the target file.
cd /mnt/Windows/System32/drivers/
2.4 Rename the CrowdStrike folder (CrowdStrike_newname is a new name you choose yourself).
mv CrowdStrike CrowdStrike_newname
2.5 After renaming, unmount the file system to release the resources.
3. Exit Rescue Mode. The entry is in the same location as for entering rescue mode; click Exit to leave rescue mode.
4. Reboot the machine after exiting rescue mode to resume operations.
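The partition search and rename of steps 2.2 to 2.4, as an added shell example that is not Tencent Cloud's or CrowdStrike's tooling: it assumes the candidate partitions have already been mounted (for example under /mnt) and that those mount points are passed as arguments; the rename appends a timestamped suffix so the change is reversible and the original name is never guessed by the operator.

```shell
#!/bin/sh
# Added example, not Tencent Cloud's or CrowdStrike's tooling.
# Assumptions: candidate NTFS partitions are already mounted read-write
# (e.g. "mount -t ntfs /dev/vda2 /mnt/") and their mount points are the
# arguments; ntfs-3g paths are case-sensitive, so lookups ignore case.

# find_drivers_dir <mountpoint>... : print the first Windows\System32\drivers
# directory found under the given mount points; exit 1 if none qualifies.
find_drivers_dir() {
    for root in "$@"; do
        hit=$(find "$root" -maxdepth 3 -type d \
                -ipath '*/windows/system32/drivers' 2>/dev/null | head -n 1)
        if [ -n "$hit" ]; then
            printf '%s\n' "$hit"
            return 0
        fi
    done
    echo "no Windows system volume among: $*" >&2
    return 1
}

# disable_crowdstrike_dir <drivers_dir> [suffix] : rename the CrowdStrike
# folder to CrowdStrike.disabled-<suffix> (default: current timestamp) and
# print the new path so the rename can be reversed with a single mv.
disable_crowdstrike_dir() {
    drivers="$1"
    suffix="${2:-$(date +%Y%m%d%H%M%S)}"
    target=$(find "$drivers" -maxdepth 1 -type d -iname crowdstrike | head -n 1)
    if [ -z "$target" ]; then
        echo "no CrowdStrike directory under $drivers" >&2
        return 1
    fi
    newname="${target}.disabled-${suffix}"
    mv "$target" "$newname" || return 1
    printf '%s\n' "$newname"
}
```

Typical use in rescue mode after mounting: `drv=$(find_drivers_dir /mnt) && disable_crowdstrike_dir "$drv"`, then unmount and exit rescue mode as in steps 2.5 and 3.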
More Help
For your local Windows host and others, refer to the following handling methods:
1. Boot Windows into Safe Mode or the Windows Recovery Environment.
2. Navigate to the C:\Windows\System32\drivers directory.
3. Find the file that matches CrowdStrike, and rename or delete it.
4. Restart the host.
If you need assistance from an engineer, please consult by submitting a ticket.