Understanding the Recent Microsoft Outage Triggered by CrowdStrike


Introduction

On July 18, 2024, a significant outage impacted Windows systems globally due to an update by CrowdStrike. This outage led to widespread disruptions in various sectors, including airlines, banks, and retailers. This blog post aims to provide a detailed account of what transpired, the timeline of events, and the steps recommended to restore affected Windows operating systems.

Timeline of Events

July 18, 2024

  • 10:20 PM PT: CrowdStrike reported widespread Blue Screen of Death (BSOD) errors on Windows hosts across multiple sensor versions. This issue affected customers in the EU-1, US-1, US-2, and US-GOV-1 regions (ComputerBase, WFTV).
  • 10:36 PM PT: CrowdStrike published a Technical Alert detailing the issue. The alert confirmed that the problem originated from a recent content deployment (ComputerBase).
  • 11:27 PM PT: CrowdStrike Engineering identified and reverted the changes that caused the BSODs. The team provided a workaround to help users mitigate the impact until a permanent fix could be fully deployed (WFTV).

July 19, 2024

  • 6:34 AM EDT: The impact of the outage became evident, with significant disruptions reported globally. Airlines such as American Airlines and Southwest Airlines faced operational challenges, leading to canceled flights and long lines at airports (WFTV).
  • 11:51 AM UTC: CrowdStrike continued to experience issues, with some businesses reporting ongoing disruptions. Certain non-critical surgeries were postponed, and manual processing was required at various airports and clinics (ComputerBase).
  • 12:59 PM UTC: CrowdStrike’s CEO issued a statement assuring customers that the issue was isolated and a fix was being rolled out. The company emphasized that this was not a cyberattack but a defect in a content update (ComputerBase).

Recommended Steps to Restore Windows Operating Systems

For users affected by the BSOD issue, CrowdStrike provided the following workaround:

  1. Boot into Safe Mode or Windows Recovery Environment:
    • Restart your computer and press F8 (or the relevant key for your system) to access Safe Mode or Recovery Environment.
  2. Navigate to the CrowdStrike Directory:
    • Open File Explorer and go to C:\Windows\System32\drivers\CrowdStrike.
  3. Delete the Problematic File:
    • Locate the file named C-00000291*.sys and delete it.
  4. Reboot Normally:
    • Restart your computer normally.
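For an administrator who has to repeat steps 2 and 3 on many hosts, the following script is an added example of the same workaround; it is not from the original post and not a CrowdStrike tool. It assumes an elevated PowerShell in Safe Mode, or in the Windows Recovery Environment with the offline Windows volume passed as -SystemDrive (in WinRE the offline volume is frequently not C:), and it touches only files matching the C-00000291*.sys pattern named above.

```powershell
# Added example: remove the faulty CrowdStrike channel file(s) described in the
# workaround. Supports -WhatIf so the deletion can be rehearsed first.
# Usage (from Safe Mode):        .\Remove-FaultyChannelFile.ps1
# Usage (from WinRE, volume D:): .\Remove-FaultyChannelFile.ps1 -SystemDrive 'D:'
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Drive letter of the Windows installation being repaired (assumption: C: by default).
    [string]$SystemDrive = 'C:'
)

$driverDir = Join-Path $SystemDrive 'Windows\System32\drivers\CrowdStrike'
if (-not (Test-Path -LiteralPath $driverDir)) {
    throw "CrowdStrike driver directory not found at $driverDir. Check the drive letter of the offline Windows volume."
}

# Only the channel file family named in the workaround is considered; nothing
# else in the driver directory is touched.
$targets = @(Get-ChildItem -LiteralPath $driverDir -Filter 'C-00000291*.sys' -File)
if ($targets.Count -eq 0) {
    Write-Host "No C-00000291*.sys files found in $driverDir; nothing to do."
    return
}

foreach ($file in $targets) {
    # Record name, size, timestamp and hash before deletion so the change is
    # auditable in the incident record.
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    Write-Host ("Removing {0} ({1} bytes, modified {2} UTC, SHA256 {3})" -f `
        $file.FullName, $file.Length, $file.LastWriteTimeUtc, $hash)
    if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete faulty channel file')) {
        Remove-Item -LiteralPath $file.FullName -Force
    }
}

Write-Host 'Done. Reboot normally and confirm the host starts without a BSOD.'
```

Run it once with -WhatIf to see which files would be removed before letting it delete anything.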

Additional Considerations

For systems with BitLocker enabled, ensure you have the recovery key available, as booting into Safe Mode or the Recovery Environment might require it. Businesses may need to coordinate with their IT departments to retrieve these keys if they are not readily accessible to users.

Conclusion

The recent CrowdStrike-induced outage underscores the importance of robust update and recovery procedures. While the immediate issue has been addressed, users and businesses should remain vigilant and prepared for potential disruptions. Following the recommended workaround steps can help mitigate the impact and restore normal operations.

For ongoing updates and detailed instructions, visit the CrowdStrike Support site.

Stay informed and ensure your systems are protected against future incidents.
