Windows recovery tool to remove CrowdStrike driver
Microsoft has released a custom WinPE recovery tool to find and remove the faulty CrowdStrike update that crashed an estimated 8.5 million Windows devices on Friday, 20 2024
To resolve the fix, admins needed to reboot impacted Windows devices into Safe More or the Recovery Environment and manually remove the buggy kernel driver from the C:\Windows\System32\drivers\CrowdStrike folder.
However, as organizations face hundreds, if not thousands, of impacted Windows devices, manually performing these fixes can be problematic, time consuming, and difficult. To help IT admins and support staff, Microsoft has released a custom recovery tool that automates the removal of the buggy CrowdStrike update from Windows devices so that they can once again boot normally. Microsoft Recovery Tool can be found in the Microsoft Download Center.
To use Microsoft's recovery tool, IT staff need a Windows 64-bit client with at least 8 GB of space, administrative privileges on this device, a USB drive with at least 1 GB of storage, and a Bitlocker recovery key if required. It should be noted that you will need a USB flash drive that is 32GB or smaller, as otherwise you will not be able to format it with FAT32, which is required to boot the drive. The recovery tool is created through a PowerShell script downloaded from Microsoft, which needs to run with Administrative privileges. When run, it will format a USB drive and then create a custom WinPE image, which is copied to the drive and made bootable.
The script will then search for the buggy CrowdStrike kernel driver in the C:\Windows\system32\drivers\CrowdStrike folder, and if it's detected, automatically delete it.
 
                             
                            
Comments
I mean, good on them for helping out, but this still requires physical access to the affected systems, right? Isn't that the biggest hurdle to clear?
It's pronounced hacker.
Nah, the biggest hurdle to clear is testing your shit before deploying and causing half the world to blink out.
Free Hosting at YetiNode | MicroNode| Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop?
😂 True, true. Although I read somewhere that the crash was not due to a software update, but rather a definition update (think new antivirus signatures). The file in question was filled with 0s and that caused the parser to crash.
It doesn't excuse the bug, but it does make a little more sense to me: it was a preexisting bug that was dormant until a routine channel update brought it to light. It's still sloppy, it means these guys didn't have a complete test suite.
It's pronounced hacker.
Indeed!

Trying patch production on friday night, and sleep well.
I always do that on Friday, after everyone logs off. What about you? When do you patch your nodes?
Monday morning right after everyone logs on and the nodes are pumping
Free Hosting at YetiNode | MicroNode| Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop?
i am planning to change it to Friday morning.
I am sure folks would appreciate a long weekend.
yer no fun should do it so they have to work the weekend
Free Hosting at YetiNode | MicroNode| Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop?
In yeti world, it is norm for making ppl work on weekends?
Corporate America gots to loves it
Free Hosting at YetiNode | MicroNode| Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop?
So yeti world = corporate America eh.
Just somewhere within the 50 states Yeti world is