Introduction:
Imagine waking up to find that every PC around the world, especially those in businesses, is suddenly unusable. Business meetings are falling apart, news networks are in disarray, and flights are grounded. The chaos is beyond anything imaginable. What happened? Let's break down the CrowdStrike blue screen chaos.
The Issue:
The issue began with a bad update from CrowdStrike Falcon. This update, intended to enhance security, accidentally turned a critical driver file into a series of zeros. As a result, computers running Falcon couldn't boot up, leading to blue screens across the globe.
You might wonder why only Windows was affected. It's because Windows, despite being popular, has more security vulnerabilities compared to other operating systems like macOS or Linux. Falcon's deep integration with Windows, designed to bolster security, ironically made it a single point of failure when things went wrong.
The Fix:
Fixing this issue isn't simple. Users need to boot into Safe Mode, open the Command Prompt, and manually delete the corrupted driver file. For systems with BitLocker encryption, the process is even more complicated, requiring additional steps to decrypt the hard drive before the file can be removed.
The information received from various sources details the fix below:
Physical Computers:
- Boot Windows into Safe Mode or the Windows Recovery Environment.
- Navigate to the C:\Windows\System32\drivers\CrowdStrike directory.
- Locate the file matching "C-00000291*.sys" and delete it (I would rename it to be safe).
- Boot the host.
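The physical-computer steps above, as an added PowerShell example that is not part of the original post or of CrowdStrike's own guidance. It locates the file named in the post, reports its size and hash, and renames it (as the post suggests) rather than deleting it; it assumes it is run as Administrator from Safe Mode, or from a host where the affected volume is mounted, and that a file that reads as all zeros is the corrupted one the post describes.

```powershell
# Added example: find and rename the corrupted channel file the post names.
# Run as Administrator. $Root is the directory from the post; change it if the
# affected Windows volume is mounted under a different drive letter.
param(
    [string]$Root    = 'C:\Windows\System32\drivers\CrowdStrike',
    [string]$Pattern = 'C-00000291*.sys',
    [switch]$RenameAll   # rename every match, not only the all-zero ones
)

# Assumption from the post: the broken file consists entirely of zero bytes.
function Test-AllZeroFile {
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -eq 0) { return $true }
    foreach ($b in $bytes) { if ($b -ne 0) { return $false } }
    return $true
}

if (-not (Test-Path -LiteralPath $Root)) {
    Write-Error "Directory not found: $Root"
    exit 1
}

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$found = Get-ChildItem -LiteralPath $Root -Filter $Pattern -File
if (-not $found) {
    Write-Output "No file matching $Pattern under $Root; nothing to do."
    exit 0
}

foreach ($f in $found) {
    $zeroed = Test-AllZeroFile -Path $f.FullName
    $hash   = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    # Record what was found before touching it, for the incident log.
    Write-Output ("{0}  size={1}  sha256={2}  allZero={3}" -f `
        $f.Name, $f.Length, $hash, $zeroed)
    if ($zeroed -or $RenameAll) {
        $newName = "$($f.Name).$stamp.bad"
        Rename-Item -LiteralPath $f.FullName -NewName $newName
        Write-Output "Renamed $($f.Name) -> $newName"
    } else {
        Write-Output "$($f.Name) is not all zeros; left in place for review (use -RenameAll to rename anyway)."
    }
}
```

For the AWS case below, run it on the rescue instance with `-Root` pointing at the attached volume's drive letter (for example `D:\Windows\System32\drivers\CrowdStrike`).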
For AWS (Amazon Web Services), follow these steps:
- Detach the EBS volume from the impacted EC2 instance.
- Attach the EBS volume to a new EC2 instance.
- Fix the CrowdStrike driver folder.
- Detach the EBS volume from the new EC2 instance.
- Attach the EBS volume back to the impacted EC2 instance.
For Azure, follow these steps:
- Log in to the Azure console.
- Go to Virtual Machines and select the affected VM.
- In the upper left of the console, click "Connect".
- Click "More ways to Connect" and then select "Serial Console".
- Once SAC has loaded, type in "cmd" and press Enter.
- Type "ch -si 1" and press the space bar.
- Enter Administrator credentials.
- Type the following commands:
  - "bcdedit /set {current} safeboot minimal"
  - "bcdedit /set {current} safeboot network"
- Restart the VM.
- To confirm the boot state, run the command: "wmic COMPUTERSYSTEM GET BootupState".
Check out this video for a more detailed explanation:
https://youtu.be/GgP0EyuN8GA?si=F7WBzG8rvOld4qdh&embedable=true
Conclusion:
This incident underscores the importance of robust cybersecurity practices and the potential risks of deep system integrations.
Thanks for reading; please give a like as a sort of encouragement and also share this post on socials to show your extended support.