Windows recovery tool to remove CrowdStrike driver

Microsoft has released a custom WinPE recovery tool to find and remove the faulty CrowdStrike update that crashed an estimated 8.5 million Windows devices on Friday, 20 2024

To resolve the fix, admins needed to reboot impacted Windows devices into Safe More or the Recovery Environment and manually remove the buggy kernel driver from the C:\Windows\System32\drivers\CrowdStrike folder.

However, as organizations face hundreds, if not thousands, of impacted Windows devices, manually performing these fixes can be problematic, time consuming, and difficult. To help IT admins and support staff, Microsoft has released a custom recovery tool that automates the removal of the buggy CrowdStrike update from Windows devices so that they can once again boot normally. Microsoft Recovery Tool can be found in the Microsoft Download Center.

To use Microsoft's recovery tool, IT staff need a Windows 64-bit client with at least 8 GB of space, administrative privileges on this device, a USB drive with at least 1 GB of storage, and a Bitlocker recovery key if required. It should be noted that you will need a USB flash drive that is 32GB or smaller, as otherwise you will not be able to format it with FAT32, which is required to boot the drive. The recovery tool is created through a PowerShell script downloaded from Microsoft, which needs to run with Administrative privileges. When run, it will format a USB drive and then create a custom WinPE image, which is copied to the drive and made bootable.

The script will then search for the buggy CrowdStrike kernel driver in the C:\Windows\system32\drivers\CrowdStrike folder, and if it's detected, automatically delete it.

Source: https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-repair-tool-to-remove-crowdstrike-driver/

Comments

  • I mean, good on them for helping out, but this still requires physical access to the affected systems, right? Isn't that the biggest hurdle to clear?

    It's pronounced hacker.

  • AuroraZeroAuroraZero ModeratorHosting Provider

    @jqr said:
    I mean, good on them for helping out, but this still requires physical access to the affected systems, right? Isn't that the biggest hurdle to clear?

    Nah, the biggest hurdle to clear is testing your shit before deploying and causing half the world to blink out.

    Thanked by (3)jqr yoursunny Otus9051

    Free Hosting at YetiNode | Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop?

  • @AuroraZero said:
    Nah, the biggest hurdle to clear is testing your shit before deploying and causing half the world to blink out.

    😂 True, true. Although I read somewhere that the crash was not due to a software update, but rather a definition update (think new antivirus signatures). The file in question was filled with 0s and that caused the parser to crash.

    It doesn't excuse the bug, but it does make a little more sense to me: it was a preexisting bug that was dormant until a routine channel update brought it to light. It's still sloppy, it means these guys didn't have a complete test suite.

    Thanked by (1)AuroraZero

    It's pronounced hacker.

  • edited July 22

    @AuroraZero said:

    @jqr said:
    I mean, good on them for helping out, but this still requires physical access to the affected systems, right? Isn't that the biggest hurdle to clear?

    Nah, the biggest hurdle to clear is testing your shit before deploying and causing half the world to blink out.

    Indeed!

    Thanked by (2)jqr AuroraZero
  • Trying patch production on friday night, and sleep well.

  • @orangevps said:
    Trying patch production on friday night, and sleep well.

    I always do that on Friday, after everyone logs off. What about you? When do you patch your nodes?

  • AuroraZeroAuroraZero ModeratorHosting Provider

    @localhost said:

    @orangevps said:
    Trying patch production on friday night, and sleep well.

    I always do that on Friday, after everyone logs off. What about you? When do you patch your nodes?

    Monday morning right after everyone logs on and the nodes are pumping

    Free Hosting at YetiNode | Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop?

  • @AuroraZero said:

    @localhost said:

    @orangevps said:
    Trying patch production on friday night, and sleep well.

    I always do that on Friday, after everyone logs off. What about you? When do you patch your nodes?

    Monday morning right after everyone logs on and the nodes are pumping

    i am planning to change it to Friday morning.
    I am sure folks would appreciate a long weekend.

  • AuroraZeroAuroraZero ModeratorHosting Provider

    @localhost said:

    @AuroraZero said:

    @localhost said:

    @orangevps said:
    Trying patch production on friday night, and sleep well.

    I always do that on Friday, after everyone logs off. What about you? When do you patch your nodes?

    Monday morning right after everyone logs on and the nodes are pumping

    i am planning to change it to Friday morning.
    I am sure folks would appreciate a long weekend.

    yer no fun should do it so they have to work the weekend

    Free Hosting at YetiNode | Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop?

  • @AuroraZero said:

    @localhost said:

    @AuroraZero said:

    @localhost said:

    @orangevps said:
    Trying patch production on friday night, and sleep well.

    I always do that on Friday, after everyone logs off. What about you? When do you patch your nodes?

    Monday morning right after everyone logs on and the nodes are pumping

    i am planning to change it to Friday morning.
    I am sure folks would appreciate a long weekend.

    yer no fun should do it so they have to work the weekend

    In yeti world, it is norm for making ppl work on weekends?

  • AuroraZeroAuroraZero ModeratorHosting Provider

    @localhost said:

    @AuroraZero said:

    @localhost said:

    @AuroraZero said:

    @localhost said:

    @orangevps said:
    Trying patch production on friday night, and sleep well.

    I always do that on Friday, after everyone logs off. What about you? When do you patch your nodes?

    Monday morning right after everyone logs on and the nodes are pumping

    i am planning to change it to Friday morning.
    I am sure folks would appreciate a long weekend.

    yer no fun should do it so they have to work the weekend

    In yeti world, it is norm for making ppl work on weekends?

    Corporate America gots to loves it

    Free Hosting at YetiNode | Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop?

  • @AuroraZero said:

    @localhost said:

    @AuroraZero said:

    @localhost said:

    @AuroraZero said:

    @localhost said:

    @orangevps said:
    Trying patch production on friday night, and sleep well.

    I always do that on Friday, after everyone logs off. What about you? When do you patch your nodes?

    Monday morning right after everyone logs on and the nodes are pumping

    i am planning to change it to Friday morning.
    I am sure folks would appreciate a long weekend.

    yer no fun should do it so they have to work the weekend

    In yeti world, it is norm for making ppl work on weekends?

    Corporate America gots to loves it

    So yeti world = corporate America eh.

    Just somewhere within the 50 states Yeti world is

Sign In or Register to comment.