Microsoft releases tool to fix Crowdstrike outage

The massive outage on Friday, July 19, caused by a CrowdStrike bug, affected millions of computers and will take time to fully resolve. Fortunately, Microsoft is providing a recovery tool to speed up the process.

Last weekend must have been particularly eventful for IT professionals. Indeed, on Friday, July 19, 2024, a massive outage paralyzed many companies all over the planet, in sectors as critical as air and rail transport, banking, health and even the media.

The problem was caused by a faulty update to a security product widely used in the professional world, the Falcon platform developed by the company CrowdStrike. Put simply, it is an Endpoint Detection and Response (EDR) product, a kind of super antivirus that provides real-time monitoring of corporate IT systems.

As part of an update to the antivirus agent, the small program installed on each machine that continuously sends monitoring data to the cybersecurity platform located on remote servers, a poorly formatted configuration file was mistakenly distributed… leading to a complete crash of some machines that received it.

The affected devices then become unable to boot and display a looping error message, the famous "blue screen of death" (BSOD) well known to Windows users. The problem only affects Windows machines; PCs and servers running macOS and Linux do not seem to be impacted.

According to Microsoft, at least 8.5 million devices worldwide were affected, with very diverse profiles: corporate desktops and laptops, supermarket checkouts, ATMs, ticket counters in train stations and airports. All of these are essential to the functioning of the modern economy, and their shutdown paralyzed many sectors of activity.

Very quickly, a repair solution was proposed by CrowdStrike, but its large-scale implementation is particularly cumbersome and tedious. It requires physically and individually accessing each affected machine, starting it in safe mode and then deleting the defective file manually. A real ordeal for fleets of several thousand devices.

CrowdStrike Outage: Microsoft Offers Script to Make Repair (A Little) Easier

At the moment, there is no fully automatic method to resolve the problem caused by CrowdStrike. The bug almost exclusively concerns professional computers, but if your own PC is affected, you must restart it in safe mode by pressing the F4 key during startup (see our practical sheet), then open the folder C:\Windows\System32\drivers\CrowdStrike, locate the file csagent.sys or C-00000291*.sys (the star stands for a long string of digits), and finally delete this item before restarting your machine.
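For an administrator who has to repeat the deletion step above on many machines, the same operation can be scripted. The following PowerShell script is an added example, not Microsoft's recovery tool or anything published by CrowdStrike; it assumes the affected Windows volume is reachable under a drive letter (for example from recovery media, where it may not be C:) and quarantines the faulty channel file instead of deleting it, so that a copy and its hash remain available for later analysis.

```powershell
# Added example (not Microsoft's or CrowdStrike's tooling): move the faulty
# CrowdStrike channel file C-00000291*.sys out of the drivers directory of an
# affected Windows volume, recording name, size, timestamp and SHA-256 first.
# Assumed parameters: -SystemDrive is the letter of the affected Windows volume
# (C: when run from safe mode, often another letter from recovery media);
# -DryRun only lists what would be moved.
param(
    [string]$SystemDrive = 'C:',
    [switch]$DryRun
)

$driverDir  = Join-Path $SystemDrive 'Windows\System32\drivers\CrowdStrike'
$quarantine = Join-Path $SystemDrive 'CrowdStrike-quarantine'

if (-not (Test-Path -Path $driverDir)) {
    Write-Error "CrowdStrike driver directory not found: $driverDir"
    exit 1
}

# Only the channel files matching the pattern named in the advisory are touched;
# csagent.sys and the other driver files are left in place.
$files = @(Get-ChildItem -Path $driverDir -Filter 'C-00000291*.sys' -File)
if ($files.Count -eq 0) {
    Write-Output "No C-00000291*.sys file found in $driverDir; nothing to do."
    exit 0
}

if (-not $DryRun) {
    New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
}

foreach ($f in $files) {
    # Record the evidence before moving the file.
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    Write-Output ("{0}  {1} bytes  modified {2:u}  SHA256 {3}" -f
        $f.Name, $f.Length, $f.LastWriteTimeUtc, $hash)

    if ($DryRun) { continue }

    Move-Item -Path $f.FullName -Destination $quarantine -Force
    Write-Output "Moved $($f.Name) to $quarantine"
}
```

If the volume is protected by BitLocker and is being repaired from recovery media, it must be unlocked with its recovery key before the script can see the directory.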


While the operation is fairly quick and easy to perform on one or a few devices, it quickly becomes time-consuming as the number of devices to restore grows. To make life a little easier for the system administrators who have to repair the damage, Microsoft has just released a tool to make the process of restoring affected devices more reliable and faster. It comes in the form of a PowerShell script that builds a repair environment on removable bootable media, such as a USB stick or DVD.

Microsoft provides very detailed information and instructions on how to use this tool on a dedicated page of its technical support forum, which is also updated as users provide feedback. The tool offers several repair options and methods, depending on the nature of the system concerned (computer, virtual machine, server), its environment (connected to the network, isolated, with or without a USB port) and its security configuration (disk encryption by BitLocker or by a third-party solution).

This recovery tool is obviously more complex to implement than “simply” starting a computer in safe mode and manually deleting a file. It is therefore primarily aimed at administrators of professional computer systems faced with a large number of blocked machines, rather than individuals, who have in any case been relatively unaffected by the faulty CrowdStrike update. It is nevertheless a welcome aid that should help to speed up the gradual return to normal, even if this process will necessarily take time.
