Temporary Solution for the Windows Blue Screen Issue Caused by CrowdStrike Security Software on July 19, 2024

Last updated: 2024-07-19 21:19:11

    Background

    On July 19, 2024, Beijing Time (UTC+8), Tencent Cloud monitoring detected abnormal restarts of CVM instances. The community disclosed a Windows blue screen issue, initially traced to a faulty update to the Falcon Sensor software from the third-party security company CrowdStrike, which caused csagent.sys errors on user hosts.
    Note
    If your host runs the CrowdStrike Falcon Sensor, it may be affected.

    Impact Range Explanation

    The affected services include SharePoint Online, OneDrive for Business, Microsoft Defender, and Microsoft 365 Admin Center.

    Temporary Solution

    Note
    Please note that this temporary solution disables the CrowdStrike sensor on the host, so the host runs without its endpoint protection until the software is restored. Assess that risk before proceeding.
    The workaround is to rename or delete the CrowdStrike-related files that cause the blue screen from an environment that does not boot the affected Windows system, such as WinPE or rescue mode.
    If it is a Tencent Cloud machine, you can repair it via rescue mode.
    1. Log in to the CVM Console, find your Windows server, and click More > OPS and Check > Enter Rescue Mode. For detailed guidance, see Rescue Mode.
    2. Rename the CrowdStrike folder from within rescue mode.
    2.1 Install the NTFS driver package (ntfs-3g) so that the Windows system volume can be mounted read-write.
    yum -y install ntfs*
    2.2 Identify which partition holds the Windows system volume (the one containing C:\Windows). Use the lsblk command to list the current partitions; if unsure, mount each NTFS partition in turn until you find one with a Windows/System32 directory. The example below assumes the volume is /dev/vda2.
    mount -t ntfs /dev/vda2 /mnt/
    2.3 Change to the drivers directory (paths are case-sensitive on Linux).
    cd /mnt/Windows/System32/drivers/
    2.4 Rename the CrowdStrike folder (replace CrowdStrike_newname with a name of your choice). Renaming rather than deleting keeps the files available for later analysis or rollback.
    mv CrowdStrike CrowdStrike_newname
    2.5 After renaming, leave the mounted tree and unmount the file system so the volume is cleanly released before reboot (umount fails with "target is busy" if your shell is still inside /mnt).
    cd /
    umount /mnt
    3. Exit Rescue Mode. The entry is in the same place as for entering rescue mode; click Exit to leave rescue mode.
    4. Reboot the machine after exiting rescue mode to resume operations.
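    The following script is an added example and is not part of the Tencent Cloud page or of CrowdStrike's own guidance. It automates steps 2.1 to 2.5 of the rescue-mode procedure above in bash. It assumes a Linux rescue environment with root privileges, yum, lsblk and ntfs-3g available, and that the operator supplies the Windows partition (for example /dev/vda2) after checking lsblk, exactly as the page recommends. The renaming step is split into its own function so that it refuses to touch a volume that does not contain Windows/System32/drivers/CrowdStrike; this is what stops the operator from "fixing" the wrong partition.

```bash
#!/bin/bash
# Added example (not from the Tencent Cloud page): rescue-mode rename of the
# CrowdStrike driver directory. Assumes root in a Linux rescue environment with
# yum, ntfs-3g and lsblk; the device name is chosen by the operator from lsblk.
set -u

# Rename the CrowdStrike directory under an already-mounted Windows volume.
# Prints the new directory name on success. Returns 1 when the expected
# directories are absent (wrong partition, sensor not installed, or already
# renamed) so the caller never modifies an unrelated disk.
rename_crowdstrike_dir() {
    local mnt="$1"
    # Linux path lookup is case-sensitive; this is the capitalization NTFS stores.
    local drivers="$mnt/Windows/System32/drivers"
    local target="$drivers/CrowdStrike"
    if [ ! -d "$drivers" ]; then
        echo "no Windows/System32/drivers under $mnt; wrong partition?" >&2
        return 1
    fi
    if [ ! -d "$target" ]; then
        echo "no CrowdStrike directory under $drivers (already renamed, or sensor not installed)" >&2
        return 1
    fi
    # Timestamped name: the original contents survive for analysis or rollback,
    # and a second run on the same volume cannot collide with the first.
    local newname
    newname="CrowdStrike.disabled-$(date +%Y%m%d%H%M%S)"
    mv "$target" "$drivers/$newname" || return 1
    echo "$newname"
}

# Full rescue-mode flow: install ntfs-3g if missing, mount the given partition
# read-write, rename the directory, unmount. Usage: rescue_rename_crowdstrike /dev/vda2
rescue_rename_crowdstrike() {
    local dev="$1"
    local mnt="${2:-/mnt}"
    command -v ntfs-3g >/dev/null 2>&1 || yum -y install ntfs-3g >/dev/null
    mount -t ntfs "$dev" "$mnt" || { echo "mount of $dev failed" >&2; return 1; }
    local rc=0
    rename_crowdstrike_dir "$mnt" || rc=$?
    # Run umount from outside the tree and always release the volume, even if
    # the rename failed, so the instance can leave rescue mode cleanly.
    (cd / && umount "$mnt") || rc=1
    return "$rc"
}
```

    In rescue mode, run the rename against the partition you identified with lsblk, for example `rescue_rename_crowdstrike /dev/vda2`; the printed name tells you what to rename back once a corrected sensor is in place. The renaming logic is the same one a local host needs from WinPE or Safe Mode, only the mount step differs.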

    More Help

    For a local Windows host, or a machine on another platform, use the following steps:
    1. Boot Windows into Safe Mode or the Windows Recovery Environment. If the system drive is protected by BitLocker, have the recovery key at hand, since the recovery environment cannot access the volume without it.
    2. Navigate to the C:\Windows\System32\drivers directory.
    3. Locate the CrowdStrike folder and the CrowdStrike files that are causing the crash, and rename or delete them.
    4. Restart the host.
    If you need assistance from an engineer, please consult by submitting a ticket.