//google adblock // galaksion
Menu







Windows BSOD CrowdStrike Fix

July 19, 2024 - CyberMania
Windows BSOD CrowdStrike Fix

CrowdStrike update for its CrowdStrike Falcon threat checker, which is currently causing systems to crash and fail.

How to fix Blue Screen of Death and “Recovery”, “It looks like Windows didn’t load correctly” loop caused by CrowdStrike

Method 1: Use Safe Mode and delete the affected file

  1. You’ll need to boot to the Safe mode to follow the process. If you’re on the Recovery screen, click on “See advanced repair options” on the Recovery screen. In the Advanced Repair Options menu, select “Troubleshoot,” then choose “Advanced options.” Select “Startup Settings” and click “Restart.” After your PC restarts, press 4 or F4 to start your PC in Safe Mode. Alternatively, you can also shut down the PC, turn it on, and repeatedly press F8 until the Advanced Boot Options menu. From there, select Safe mode.
  2. In Safe mode, open Command Prompt (admin) or Windows PowerShell (Admin).
  3. In the Command Prompt, type the following command to navigate to the CrowdStrike directory: cd C:\Windows\System32\drivers\CrowdStrike
  4. To delete the affected file, you need to locate the file that matches the pattern C-00000291*.sys.
  5. First, run the following command to find the file matching the pattern: dir C-00000291*.sys.
  6. For example, it might be named something like C-00000291abc.sys.
  7. Once you’ve identified the file, delete it using del C-00000291.sys

In the above case, del C-00000291.sys is the name of the file that showed up on our system, and it could be something else for you. To correctly identify the file, make sure you follow the steps and use dir command.

Method 2: Use Safe Mode and rename the CrowdStrike folder

If you’re stuck at the above screen, try these steps:

  1. Click on See advanced repair options on the Recovery screen.
  2. In the Advanced Repair Options menu, select Troubleshoot.
  3. Next, choose Advanced options.
  4. Select Startup Settings.
  5. Click on Restart.
  6. After your PC restarts, you will see a list of options. Press 4 or F4 to start your PC in Safe Mode.
  7. Open Command Prompt in Safe Mode.
  8. In the Command Prompt, navigate to the drivers directory: cd \windows\system32\drivers
  9. To rename the CrowdStrike folder, use ren CrowdStrike CrowdStrike_old

You can also boot to the Safe mode by shutting down your computer and pressing the F8 key repeatedly until the Advanced Boot Options menu appears. From there, you can select Safe Mode and press Enter. Finally, follow the steps from number seven.

The above guide renames the crowdstrike folder in c:\windows\system32\drivers\crowstrike to CrowdStrike_old, which fixes the problem and allows your PC to boot to the desktop.

Method 3: Use Registry Editor to block CSAgent service

Windows Latest understands that there’s a second workaround that modifies your Registry to block the CSAgent (csagent.sys, responsible for BSODs):

  1. Restart Windows 10. Keep hitting F8 key until the Advanced Boot Options menu appears.
  2. Boot to the Safe mode and open Windows Registry Editor (Use Win+R to find Registry Editor).
  3. In the Registry Editor, navigate to the following path:
  4. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSAgent
  5. In the CSAgent key, find the Start entry on the right pane.
  6. Double-click on Start to edit its value.
  7. Change the value data from 1 (which means the service is set to start automatically) to 4 (which disables the service).
  8. Click OK to save the changes.
  9. Close the Registry Editor and Restart:

I understand that some of you may not want to make dramatic changes to your PC by reading an article on the internet, but I can explain the changes we’re making here:

Next up is the Start Value, which determines how and when the service starts. In this case, the csagent.sys is causing the reboot loop on Windows 10. We need to turn off the service from starting when you boot your PC. That’s why we’re changing it to “4”. This turns off the service.

The possible values are 0, which stands for Boot start (loaded by the boot loader, rarely used). The value “1” refers to system start (loaded by the I/O subsystem). We also have 2, which refers to Automatic start (loaded automatically by the Service Control Manager during system startup).

Then we have “3” Manual start (which requires manual start). The “4” value switches the service to a disabled state (the service is not started). We need to set the value to “4” to turn off the service, and allow Windows to boot normally.

 

Credit Windows Latest

Leave a Reply