How to fix CrowdStrike BSoD (Blue Screen of Death) error in Windows 10/11

What is CrowdStrike BSoD error

Blue Screen of Death (BSOD) error caused by CrowdStrike software is linked to a recent update of the CrowdStrike Falcon Sensor. The error manifests as critical system failures, leading to sudden shutdowns or continuous reboot cycles (boot loops) on affected systems. Specific error messages reported include PAGE_FAULT_IN_NON_PAGED_AREA, CRITICAL_PROCESS_DIED, DRIVER_OVERRAN_STACK_BUFFER and SYSTEM_THREAD_EXCEPTION_NOT_HANDLED. The BSOD error is primarily caused by a faulty file named csagent.sys associated with the CrowdStrike Falcon Sensor. This file leads to critical system failures, resulting in sudden shutdowns or continuous reboot cycles (boot loops) on affected systems. The BSOD error predominantly affects Windows operating systems, including Windows 10 and Windows 11. The issue has had a global impact, affecting numerous industries such as banking, airlines, retail, and broadcasting. Reports of affected systems have come from various regions, including the United States, European Union, Australia, New Zealand, India, and the Czech Republic.

Temporary Workarounds

To mitigate the issue temporarily, users can follow these steps:

Boot into Safe Mode or Windows Recovery Environment (WRE):

1. Restart your computer and press F8 (or Shift + F8) before Windows loads to access the Advanced Boot Options menu.
2. Select Safe Mode or Safe Mode with Networking.

Delete the Faulty File:

1. Navigate to C:\Windows\System32\drivers\CrowdStrike.
2. Locate and delete the file matching C-00000291*.sys.
3. Restart your system normally.

Alternatively, users can modify the Windows registry setting for the CrowdStrike service:

• Change the parameter value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSAgent from 1 (start automatically) to 4 (disable)

Steps for Azure to get into Safe Mode via Serial Console

1. Log in to the Azure console.
2. Navigate to Virtual Machines and select the desired VM.
3. In the upper left corner of the console, click on Connect.
4. Choose “Connect” again, then select More ways to Connect.
5. Click on Serial Console.
6. Once the Serial Access Console (SAC) has loaded, type cmd and press Enter.
7. Enter the command: ch -si 1.
8. Press any key (such as the space bar) to continue, then enter the Administrator credentials.
9. Execute the following commands:
   bcdedit /set {current} safeboot minimal
bcdedit /set {current} safeboot network

10. Restart the VM.

Optional: To confirm the boot state, run the command:
wmic COMPUTERSYSTEM GET BootupState

Permanent Resolution

CrowdStrike has acknowledged the issue and has been actively working on a fix. They have identified, isolated, and deployed a solution to address the problem. Users are advised to keep their systems updated with the latest patches from CrowdStrike and Microsoft to ensure the issue is resolved.