Last Friday, July 19, the popular U.S. software company CrowdStrike caused a worldwide crash of Windows-based computers, impacting critical systems in banks, hospitals, transportation and more, and resulting in a temporary disruption of daily operations.
The cause? A faulty update to the Falcon Sensor AV/EDR platform, released as a configuration update at 04:09 UTC, which triggered a logic error on the OS and crashed it with a BSOD:
The content is a channel file located in the %WINDIR%\System32\drivers\CrowdStrike directory.
Channel file “C-00000291*.sys” with timestamp of 2024-07-19 0527 UTC or later is the reverted (good) version.
Channel file “C-00000291*.sys” with timestamp of 2024-07-19 0409 UTC is the problematic version.
The company subsequently released a procedure for identifying affected Windows clients, as well as a remediation plan: reboot and acquire the correct version of the file, or alternatively follow Microsoft's procedure to boot into safe mode and delete the affected file, or restore the system (beware of any BitLocker protection present, since the recovery key will be needed).
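The identification step above can be scripted on a host that still boots (or from safe mode / WinPE by pointing it at the offline system drive). The following PowerShell is an added example, not CrowdStrike's or Microsoft's own tooling; the function name Test-ChannelFile291 is hypothetical, and it assumes the file's LastWriteTimeUtc carries the timestamp CrowdStrike refers to.

```powershell
# Added example (not from the original post or from CrowdStrike): classify the
# C-00000291*.sys channel files on this host by their UTC timestamp.
# Assumption: LastWriteTimeUtc reflects the timestamp CrowdStrike's advisory refers to.
function Test-ChannelFile291 {
    [CmdletBinding()]
    param(
        # Default location from the advisory; override for an offline drive, e.g. 'D:\Windows\System32\drivers\CrowdStrike'
        [string]$Directory = (Join-Path $env:WINDIR 'System32\drivers\CrowdStrike'),
        # Files stamped at or after 2024-07-19 05:27 UTC are the reverted (good) version
        [datetime]$GoodFrom = [datetime]::new(2024, 7, 19, 5, 27, 0, [System.DateTimeKind]::Utc)
    )

    if (-not (Test-Path -LiteralPath $Directory)) {
        Write-Warning "Directory not found: $Directory (Falcon Sensor may not be installed here)"
        return
    }

    $files = Get-ChildItem -LiteralPath $Directory -Filter 'C-00000291*.sys' -File -ErrorAction SilentlyContinue
    if (-not $files) {
        Write-Warning "No C-00000291*.sys channel file found in $Directory"
        return
    }

    foreach ($f in $files) {
        $ts = $f.LastWriteTimeUtc
        # Anything older than the 05:27 UTC revert is treated as the 04:09 UTC problematic build
        $status = if ($ts -ge $GoodFrom) { 'OK (reverted version)' } else { 'PROBLEMATIC (0409 UTC version)' }
        [pscustomobject]@{
            File         = $f.FullName
            TimestampUtc = $ts.ToString('yyyy-MM-dd HH:mm:ss')
            Status       = $status
        }
    }
}

# Usage: list every matching channel file with its classification
Test-ChannelFile291 | Format-Table -AutoSize
```

A file reported as PROBLEMATIC is the one the remediation steps above tell you to replace or delete; the script only reports and never modifies anything.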
EDIT: an official recovery tool has also been released by Microsoft to automate the remediation process.
The problem has impacted not only physical PCs but also Windows instances in the cloud. Below are the official remediation links for cloud providers such as Azure and AWS.
In any case, if the affected instances are protected by backup software, it is always possible to restore the most recent valid backup.
This event reminds us of how technology-driven today's world is, and of how human errors, if not contained, can lead to disastrous consequences.