Amid a significant IT issue caused by a faulty update from CrowdStrike, Windows PCs worldwide continue to experience disruptions. The problem first emerged on Friday morning, affecting companies, banks, and airports.
Despite an initial fix, the impact persists. Earlier this week, Microsoft reported that 8.5 million Windows devices were affected and released a recovery tool for Windows endpoints.
CrowdStrike has now shared technical details and the Falcon Content Update for Windows Hosts.
Root Cause Analysis
CrowdStrike identified that on July 19, 2024, at 04:09 UTC, a sensor configuration update caused a logic error not related to a cyberattack, leading to system crashes and blue screens (BSOD). This update was corrected by 05:27 UTC the same day.
Key Technical Details
Impact: Customers with Falcon sensor for Windows version 7.11 and above, online between 04:09 UTC and 05:27 UTC on July 19, 2024, were impacted.
Configuration Files: Known as “Channel Files,” these are part of the behavioral protection mechanisms in Falcon sensors. The affected file, Channel File 291, controlled how Falcon evaluated named pipe execution on Windows systems. The update that introduced the logic error was intended to target malicious named pipes used in cyberattacks.
Non-Impacted Hosts: Windows hosts that came online after 05:27 UTC on July 19, 2024, hosts provisioned after this time, and all Mac and Linux hosts.
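A triage helper for the criteria above, added here as an example and not CrowdStrike's own tooling: it takes a constructed host inventory with OS, sensor version and online session times, and flags hosts whose session overlapped the published impact window for follow-up. The inventory fields and all host values are assumptions; the window times and the 7.11 threshold come from the article.

```python
from datetime import datetime, timezone

# Impact window and minimum sensor version published by CrowdStrike (from the article).
WINDOW_START = datetime(2024, 7, 19, 4, 9, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 7, 19, 5, 27, tzinfo=timezone.utc)
MIN_SENSOR_VERSION = (7, 11)

def parse_version(text):
    """Turn '7.11.18110' into (7, 11, 18110) so that 7.9 sorts below 7.11.
    Plain string comparison would wrongly rank '7.9' above '7.11'."""
    return tuple(int(part) for part in text.split("."))

def is_candidate(host):
    """True if the host matches the published criteria: Windows, Falcon sensor
    7.11 or later, and an online session that overlaps the impact window.
    Hosts first provisioned after the window have no session overlap."""
    if host["os"] != "Windows":
        return False
    if parse_version(host["sensor_version"]) < MIN_SENSOR_VERSION:
        return False
    online_from = datetime.fromisoformat(host["online_from"])
    online_until = datetime.fromisoformat(host["online_until"])
    # Interval overlap, inclusive at both ends.
    return online_from <= WINDOW_END and online_until >= WINDOW_START

def triage(inventory):
    """Split an inventory into (candidates, cleared) lists of hostnames."""
    candidates = [h["name"] for h in inventory if is_candidate(h)]
    cleared = [h["name"] for h in inventory if not is_candidate(h)]
    return candidates, cleared

# Constructed sample inventory: hypothetical hosts and timestamps, not real data.
SAMPLE_INVENTORY = [
    {"name": "win-fin-01", "os": "Windows", "sensor_version": "7.11.18110",
     "online_from": "2024-07-19T03:00:00+00:00", "online_until": "2024-07-19T04:30:00+00:00"},
    {"name": "win-hr-02", "os": "Windows", "sensor_version": "7.9.17800",
     "online_from": "2024-07-19T03:00:00+00:00", "online_until": "2024-07-19T07:00:00+00:00"},
    {"name": "win-new-03", "os": "Windows", "sensor_version": "7.15.18500",
     "online_from": "2024-07-20T09:00:00+00:00", "online_until": "2024-07-20T17:00:00+00:00"},
    {"name": "linux-db-04", "os": "Linux", "sensor_version": "7.11.16000",
     "online_from": "2024-07-19T00:00:00+00:00", "online_until": "2024-07-19T23:59:00+00:00"},
    {"name": "win-lab-05", "os": "Windows", "sensor_version": "7.12.18200",
     "online_from": "2024-07-19T05:40:00+00:00", "online_until": "2024-07-19T06:10:00+00:00"},
]

if __name__ == "__main__":
    flagged, cleared = triage(SAMPLE_INVENTORY)
    print("candidates for remediation:", flagged)
    print("cleared:", cleared)
```

The result is a list of hosts to check against the Falcon dashboard, not a confirmation of impact: whether a host actually received Channel File 291 during the window must still be verified per host.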
Remediation Steps
CrowdStrike has released several guides to help remediate affected hosts. These include:
- Identify Impacted Hosts via Dashboard
- Remediate Individual Hosts
- Recover BitLocker Keys
- Recover Cloud-Based Environment Resources
Additional resources are available on CrowdStrike’s Falcon Content Update Remediation and Guidance Hub.
Additional Support
CrowdStrike has also released a YouTube video to help remote users with local administrator privileges self-remediate Windows laptops experiencing BSOD. Customers can contact CrowdStrike directly for specific support needs.
CrowdStrike communicated via X (formerly Twitter) about testing a new technique to expedite system remediation. They reported significant progress, with many of the affected 8.5 million Windows devices back online.
Announcing an update, CrowdStrike posted:
We understand the profound impact this has had on everyone. We know our customers, partners, and their IT teams are working tirelessly, and we’re profoundly grateful. We apologize for the disruption this has created. Our focus is clear: to restore every system as soon as possible. We will continue to provide updates as information becomes available and new fixes are deployed.