Summary
Microsoft has identified an issue impacting Windows endpoints that are running the CrowdStrike Falcon agent. These endpoints might encounter error messages 0x50 or 0x7E on a blue screen and experience a continual restarting state.
We have received reports of successful recovery from some customers attempting multiple restart operations on affected Windows endpoints.
We are working with CrowdStrike to provide the most up-to-date information available on this issue. Please check back for updates on this ongoing issue.
Resolution
To resolve this issue, follow these instructions for your version of Windows.
Hold the power button for 10 seconds to turn off your device and then press the power button again to turn on your device.
On the Windows sign-in screen, press and hold the Shift key while you select Power > Restart.
After your device restarts to the Choose an option screen, select Troubleshoot.
On the Troubleshoot screen, select Advanced options > Startup Settings > Enable safe mode.
Restart your device.
Note You may be asked to enter your BitLocker recovery key. When the device restarts, continue pressing F4 and then it will log you in to safe mode. Please note, for some devices, you need to press F11 to log in through safe mode.Once in safe mode, right-click Start, click Run, type cmd in the Open box, and then click OK.
If your system drive is different than C:\, type C: and then press Enter. This will switch you to the C:\ drive.
-
Type the following command and then press Enter:
CD C:\Windows\System32\drivers\CrowdStrike
Note In this example, C is your system drive. This will change to the CrowdStrike directory.
-
Once in the CrowdStrike directory, locate the file matching “C-00000291*.sys”. To do this, type the following command and then press Enter:
dir C-00000291*.sys
-
Permanently delete the file(s) found. To do this, type the following command and then press Enter.
del C-00000291*.sys
Manually search for any files that match “C-00000291*.sys” and delete them.
Restart your device
Hold the power button for 10 seconds to turn off your device and then press the power button again to turn on your device.
On the Windows sign-in screen, press and hold the Shift key while you select Power > Restart.
After your device restarts to the Choose an option screen, select Troubleshoot.
On the Troubleshoot screen, select Advanced options > Startup Settings > Enable safe mode.
Restart your device.
Note You may be asked to enter your BitLocker recovery key.When the device restarts, continue pressing F4 and then it will log you in to safe mode.
Once in safe mode, right-click Start, click Run, type cmd in the Open box, and then click OK.
If your system drive is different than C:\, type C: and then press Enter. This will switch you to the C:\ drive.
-
Type in the following command and then press Enter:
CD C:\Windows\System32\drivers\CrowdStrike
Note In this example C is your system drive. This will change to the CrowdStrike directory.
-
Once in the CrowdStrike directory, locate the file matching “C-00000291*.sys”. To do this, type the following command and then press Enter:
dir C-00000291*.sys
-
Permanently delete the file(s) found. To do this, type the following command and then press Enter.
del C-00000291*.sys
Manually search for any files that match “C-00000291*.sys” and delete them.
Restart your device.
References
Start your PC in safe mode in Windows
CrowdStrike issue impacting Windows endpoints causing an 0x50 or 0x7E error message on a blue screen