Symptoms include hosts experiencing a bugcheck\blue screen error related to the Falcon Sensor.

Windows hosts which have not been impacted do not require any action as the problematic channel file has been reverted.
Windows hosts which are brought online after 0527 UTC will also not be impacted.
Hosts running Windows 7/2008 R2 are not impacted.
This issue is not impacting Mac- or Linux-based hosts.
Channel file "C-00000291*.sys" with timestamp of 0527 UTC or later is the reverted (good) version.
Channel file "C-00000291*.sys" with timestamp of 0409 UTC is the problematic version.

CrowdStrike is currently pushing out the fix, a manual fix in case the push is pending.

Reboot the host to give it an opportunity to download the reverted channel file. If the host crashes again, then:
1. Boot Windows into Safe Mode or the Windows Recovery Environment.
   Note: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.
2. Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
   Note: On WinRE/WinPE, navigate to the Windows\System32\drivers\CrowdStrike directory of the OS volume.
3. Locate the file matching "C-00000291*.sys", and delete it.
4. Boot the host normally.
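The timestamp check and the delete step from the advisory above can be done in one pass. The following PowerShell function is an added example, not part of the original post and not CrowdStrike's own tooling; the function name is hypothetical, and it assumes the 0409/0527 UTC times refer to 2024-07-19 (the date of this thread).

```powershell
# Added example. Classifies C-00000291*.sys by last-write time (UTC) and
# optionally deletes only the version the advisory calls problematic.
function Get-ChannelFile291Status {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # In WinRE/WinPE pass the OS volume path explicitly, for example
        # D:\Windows\System32\drivers\CrowdStrike (the drive letter varies).
        [string]$Path = (Join-Path $env:WINDIR 'System32\drivers\CrowdStrike'),
        [switch]$Remove
    )
    # Assumption: both advisory times fall on 2024-07-19.
    $badFrom  = [datetime]::new(2024, 7, 19, 4, 9, 0, [System.DateTimeKind]::Utc)
    $goodFrom = [datetime]::new(2024, 7, 19, 5, 27, 0, [System.DateTimeKind]::Utc)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        # Sensor not installed, wrong volume, or volume still BitLocker-locked.
        Write-Warning "Directory not found: $Path"
        return
    }
    $files = Get-ChildItem -LiteralPath $Path -Filter 'C-00000291*.sys' -File -Force
    foreach ($f in $files) {
        $t = $f.LastWriteTimeUtc
        $status = if ($t -ge $goodFrom) { 'Reverted' }
                  elseif ($t -ge $badFrom) { 'Problematic' }
                  else { 'OlderThanAdvisory' }   # not described in the advisory
        $removed = $false
        if ($Remove -and $status -eq 'Problematic' -and
            $PSCmdlet.ShouldProcess($f.FullName, 'Delete problematic channel file')) {
            Remove-Item -LiteralPath $f.FullName -Force
            $removed = $true
        }
        [pscustomobject]@{
            Name             = $f.Name
            LastWriteTimeUtc = $t
            Status           = $status
            Removed          = $removed
        }
    }
}

# Report only:           Get-ChannelFile291Status
# Preview the deletion:  Get-ChannelFile291Status -Remove -WhatIf
# Delete (prompts):      Get-ChannelFile291Status -Remove
```

Run it from an elevated prompt in Safe Mode; a file reported as Reverted is the good version and is left in place.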
baidukaohe333 posted on 2024-07-19 10:24 (the advisory text above)
Reply to crystalhuang's post (#13): Customers can delete a specific file called “C00000291*.sys”, which is seemingly tied to the bug, Microsoft said in a status update published Friday. But in some cases, people can’t even get to a spot where they can delete that file. In an update posted Friday morning, Microsoft told users that they should simply reboot Virtual Machines (VMs) experiencing a BSoD over and over again until they can fix the issue. This is perhaps one of the best “turn it off and turn it back on” suggestions ever. “We have received reports of successful recovery from some customers attempting multiple Virtual Machine restart operations on affected Virtual Machines,” Microsoft told users. “We have received feedback from customers that several reboots (as many as 15 have been reported) may be required, but overall feedback is that reboots are an effective troubleshooting step at this stage.”
ss4me posted on 2024-07-19 12:01 (the reply to crystalhuang quoted above)
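We're supposed to be on a four-and-a-half-day work week with the office closed on Fridays, but instead a bunch of people are there waiting for their laptops. IT is so busy.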
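Of course you can also try rebooting; for some, a reboot is all it takes.
You could try rebooting.
Even an undergrad's final project is required to be tested repeatedly in every environment. A project like this that pushes updates directly worldwide was never tested??? The SolarWinds security breach was only a few years ago. These IT management/security products are a real menace now. If each company's IT tested on a small scale themselves before pushing the update, these problems wouldn't happen. Unfortunately, today's IT department is just customer service: every problem goes to the vendor, and they neither take responsibility nor deal with it.
How exactly do you do the repeated reboots? I must have rebooted more than ten times already; I don't know whether it has been 15.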
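You might as well tell me to restart my life 😐
I didn't shut down, but I disconnected from the VPN. Nothing to do today.
Just on my way home from the office… sigh, what a hassle.
Didn't work. I rebooted countless times at home, gave up, and went to the office to find IT after all.
That's tough. We normally never shut down, 365 days a year…
No use. I've been rebooting all morning and it's still the same.
Probably 100% tested in India, released worldwide.
What a hassle 😐
Actually Microsoft bears a lot of responsibility too; they should also be testing vendors' updates.
+1
Could you share the instructions? Our company's IT simply set up a recorded message about the blue screen problem today, and who knows how long we'll wait for their reply. I'm going crazy, because I have very important work that urgently needs to get done...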
delete C-00000291*.sys in the Windows\System32\drivers\CrowdStrike directory of the OS volume
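Tested, it works.
We didn't get the blue screen either, and the other file systems are fine too.
Wow, so that's what it was… I logged off at 11:30.
Those without CrowdStrike are fine too.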
Haha this is a good one!
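I don't see a CrowdStrike directory under Windows\System32\drivers.
How do I get into this directory?
No need to worry. The capitalists are more anxious than you are!
Damn. Locked by BitLocker encryption. Still no use. Your company's IT security isn't up to standard. Ours is up to standard, and it's no use at all.
Yeah, my husband was working from home today, and in an early meeting he was even praising our kid for knowing to hand him water. Once this news broke, several colleagues had login problems and he rushed off to the office.
I've rebooted 20+ times and it still doesn't work 🤣
No, it blue-screens the moment I log in. How is there any time to delete anything?
The blue screen has a troubleshoot option. After going in through that option, we had to first go to the company system to find our own security key, then run and delete.
That's why Microsoft is also called "Lanxiang" (蓝翔).
IT asked me whether I'm going to the office tomorrow. I replied: maybe.
The question is, when a company like this releases these updates, don't they test internally first?
Poor thing.
Our company has BitLocker too; just enter the recovery key.
Non-admin.
Everyone knows that. The problem is that IT still has to handle it by hand. This delete-the-file recovery is just a clumsy method. If every device has to be done this way, what do we need IT for?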