Work around steps for anyone that needs them

 

1. Boot Windows into Safe Mode or the Windows Recovery Environment
2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
3. Locate the file matching “C-00000291*.sys”, and delete it.
4. Boot the host normally. 

Technical Details
On Windows systems, Channel Files reside in the following directory:

C:\Windows\System32\drivers\CrowdStrike\

and have a file name that starts with “C-”. Each channel file is assigned a number as a unique identifier. The impacted Channel File in this event is 291 and will have a filename that starts with “C-00000291-” and ends with a .sys extension. Although Channel Files end with the SYS extension, they are not kernel drivers.

Channel File 291 controls how Falcon evaluates named pipe1 execution on Windows systems. Named pipes are used for normal, interprocess or intersystem communication in Windows.

The update that occurred at 04:09 UTC was designed to target newly observed, malicious named pipes being used by common C2 frameworks in cyberattacks. The configuration update triggered a logic error that resulted in an operating system crash

Some resources:

Helping our customers through the CrowdStrike outage - The Official Microsoft Blog

Recovery options for Azure Virtual Machines (VM) affected by CrowdStrike Falcon agent - Microsoft Community Hub

New Recovery Tool to help with CrowdStrike issue impacting Windows endpoints - Microsoft Community Hub

KB5042421: CrowdStrike issue impacting Windows endpoints causing an 0x50 or 0x7E error message on a blue screen - Microsoft Support

Tech-Alert-Windows-crashes-related-to-Falcon-Sensor-2024-07-19.pdf (crowdstrike.com)

Recover AWS resources affected by the CrowdStrike Falcon agent | AWS re:Post (repost.aws)

Technical Details: Falcon Update for Windows Hosts | CrowdStrike