CrowdStrike’s latest product update has caused a Blue Screen of Death error on Windows computers. In this guide, we show you how to recover from the CrowdStrike Blue Screen of Death error on Windows systems.
CrowdStrike is a cybersecurity firm that equips organizations, via Falcon and other platforms, to prevent breaches and attacks and to fix vulnerabilities. With the latest updates to its CrowdStrike Falcon Sensor software on Windows devices, users worldwide have been experiencing Blue Screen of Death errors. It led to many issues, affecting everyone from airport management to general consumers. Microsoft and CrowdStrike have acknowledged the issue and are taking steps to fix the error. Meanwhile, there are some ways you can fix the error and use your Windows computer normally without impacting your business. Let’s see what they are.
CrowdStrike Blue Screen solution
The CrowdStrike Blue Screen of Death error occurred after an update. The CrowdStrike team recommends that you follow these methods to fix the error and restore your Windows computer to normal usage.
- Rename the CrowdStrike folder
- Delete the “C-00000291*.sys” file in the CrowdStrike directory
- Disable CSAgent service using the Registry Editor
- Resolve in Safe Mode using Group Policy
- Use Microsoft Recovery Tool for CrowdStrike.
If you have BitLocker enabled, the key may be required.
1] Rename the CrowdStrike folder
Since the issue is caused by the CrowdStrike platform on your Windows computer, renaming the folder will fix the issue. To rename the CrowdStrike folder, you need to boot into Safe Mode.
On the Recovery screen that you see after the BSOD error:
Click on See advanced repair options.
Then, click on Troubleshoot.
Go to Advanced options and then Startup Settings.
Now, click on Restart.
Once the computer restarts, press the 4 or F4 key on your keyboard to boot into Safe Mode.
Open the elevated Command Prompt and enter the following command.
cd \Windows\System32\drivers
Then, rename the CrowdStrike folder using the following command.
ren CrowdStrike CrowdStrike_del
It will fix the issue. However, CrowdStrike platforms are installed on Windows computers to secure them. Renaming the CrowdStrike folder makes the platform invalid on your device, which opens up vulnerabilities, so the computer may not be secure.
2] Delete the “C-00000291*.sys” file in the CrowdStrike directory
The CrowdStrike team has identified the Blue Screen of Death issue as a deployment-related one and recommended deleting the “C-00000291*.sys” file in the CrowdStrike directory on a Windows PC.
To delete C-00000291*.sys on your Windows PC, boot into Safe Mode from the recovery options. Then, navigate to C:\Windows\System32\drivers\CrowdStrike. Find the file that matches C-00000291*.sys and delete it. Then, restart your PC to get rid of the issue.
CrowdStrike’s Director of Overwatch tweeted:
I believe CS stopped these changes from being pushed out so machines late to the party won't get the faulty driver.
You can use this command in Safe Mode to delete the file:
del "C:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys"
3] Disable CSAgent service using the Registry Editor
CSAgent.sys is believed to be another cause of the CrowdStrike Blue Screen of Death issue, as it is taking down critical services. You need to disable it to get rid of the CrowdStrike BSOD error. Boot into Safe Mode and open the Registry Editor. In the Registry Editor, navigate to the following path.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSAgent
In the CSAgent folder in the Registry editor, find the Start entry and open it. You will see the value set to 1.
Change it to 4 and save it. It will automatically disable the CSAgent service on your Windows computer.
Restart your PC to get rid of the issue.
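The registry change from method 3 can also be made from an elevated PowerShell prompt in Safe Mode. The script below is an added example, not CrowdStrike's or Microsoft's code; it saves the previous Start value first so the sensor can be re-enabled later. The backup value name `StartBeforeWorkaround` and the `-Action` parameter are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: sets the CSAgent Start value to 4 (method 3 in this guide),
# saving the previous value so the change can be reversed.
param(
    [ValidateSet('Disable', 'Restore')]
    [string]$Action = 'Disable'
)

$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CSAgent'  # path from this guide
$backup = 'StartBeforeWorkaround'                            # hypothetical backup value name

if (-not (Test-Path -LiteralPath $key)) {
    Write-Warning "CSAgent service key not found: $key"
    return
}

$props   = Get-ItemProperty -LiteralPath $key
$current = $props.Start

switch ($Action) {
    'Disable' {
        if ($current -eq 4) {
            Write-Output 'CSAgent Start is already 4 (disabled).'
            break
        }
        # Record the original value only once, so a second run cannot overwrite it with 4.
        if ($null -eq $props.$backup) {
            New-ItemProperty -LiteralPath $key -Name $backup -PropertyType DWord -Value $current | Out-Null
        }
        Set-ItemProperty -LiteralPath $key -Name 'Start' -Value 4 -Type DWord
        Write-Output "CSAgent Start changed from $current to 4. Restart to apply."
    }
    'Restore' {
        if ($null -eq $props.$backup) {
            Write-Warning 'No saved Start value found; nothing restored.'
            break
        }
        Set-ItemProperty -LiteralPath $key -Name 'Start' -Value $props.$backup -Type DWord
        Remove-ItemProperty -LiteralPath $key -Name $backup
        Write-Output "CSAgent Start restored to $($props.$backup). Restart to apply."
    }
}
```

While Start is 4 the sensor does not load, so the machine runs without CrowdStrike protection until the script is run again with `-Action Restore`.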
4] Resolve in Safe Mode using Group Policy
You can also automate the workaround for the CrowdStrike blue screen of death error with a PowerShell script. The script deletes the problematic files in the CrowdStrike directory on your Windows computer and fixes the issue. You can follow the script, updates and workarounds on GitHub.
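A script of the kind described above could look like the following. It is an added example, not the GitHub script this guide refers to and not CrowdStrike's code; it deletes the files matching `C-00000291*.sys` and records what it removed. The log path and parameter names are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: removes the C-00000291*.sys files named in this guide and logs each one.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Directory and file pattern are the ones given in this guide.
    [string]$Directory = "$env:SystemRoot\System32\drivers\CrowdStrike",
    [string]$Pattern   = 'C-00000291*.sys',
    # Hypothetical log location chosen for this example.
    [string]$LogPath   = "$env:SystemRoot\Temp\cs-channel-file-cleanup.csv"
)

if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
    Write-Warning "Directory not found: $Directory (was it renamed under method 1?)"
    return
}

$files = @(Get-ChildItem -LiteralPath $Directory -Filter $Pattern -File -Force -ErrorAction SilentlyContinue)
if ($files.Count -eq 0) {
    Write-Output "No files matching $Pattern in $Directory. Nothing to do."
    return
}

$results = foreach ($f in $files) {
    # Capture metadata and a hash before deletion so the removal can be audited later.
    $record = [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Path         = $f.FullName
        SizeBytes    = $f.Length
        LastWriteUtc = $f.LastWriteTimeUtc.ToString('o')
        Sha256       = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        Removed      = $false
        Error        = ''
    }
    if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete')) {
        try {
            Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
            $record.Removed = $true
        } catch {
            $record.Error = $_.Exception.Message
        }
    }
    $record
}

$results | Export-Csv -LiteralPath $LogPath -NoTypeInformation -Append
$results | Format-Table Path, LastWriteUtc, Removed, Error -AutoSize
```

Running it with `-WhatIf` lists the matching files without deleting anything or writing the log.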
5] Use Microsoft Recovery Tool for CrowdStrike
You can use the Microsoft Recovery Tool for CrowdStrike, which has been released for this purpose, to fix this issue on Windows.
The two repair options in the tool are as follows:
- Recover from WinPE – This option produces boot media that will help facilitate the device repair.
- Recover from safe mode – This option produces boot media so impacted devices can boot into safe mode. The user can then login using an account with local admin privileges and run the remediation steps.
The updated version of this CrowdStrike recovery tool can save you from the BSOD, even without BitLocker recovery keys.
Microsoft has estimated that CrowdStrike’s update affected 8.5 million Windows devices or less than 1% of all Windows machines. While the percentage was small, the broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services.
The CrowdStrike team is working to release an update to fix this issue.
TIP: Windows 365 Cloud PC users can restore their systems to a known good state prior to the release of the update.
How to fix the CrowdStrike issue?
There are three ways to fix the CrowdStrike issue on Windows computers. One is to delete the C-00000291*.sys file in the CrowdStrike directory on your Windows PC. The second is to rename the CrowdStrike directory itself. The third is to disable the CSAgent service, which is believed to be one of the causes of the CrowdStrike issue on Windows computers.
Does CrowdStrike slow down your computer?
No, CrowdStrike does not slow down your computer. Unlike others, it is a cloud-based cybersecurity product. It actively monitors your devices over the cloud, protects your Windows computer from vulnerabilities, and fixes bugs promptly.