KB5042429: New recovery tool to help with CrowdStrike issue impacting Windows devices (2024)

Summary

As a follow-up to the CrowdStrike Falcon agent issue impacting Windows clients and servers, we have released an updated recovery tool with two repair options to help IT administrators expedite the repair process. The tool automates the manual steps in KB5042421 (client) and KB5042426 (server). Download the signed Microsoft Recovery Tool from the Microsoft Download Center. You can use the tool to recover Windows clients, servers, and Hyper-V virtual machines (VMs).

There are two repair options:

  • Recover from Windows PE: this option uses boot media that automates the device repair.

  • Recover from safe mode: this option uses boot media for affected devices to boot into safe mode. An administrator can then sign in using an account with local administrative privileges and run the remediation steps.

Determine which option to use

Windows PE

This option to recover from Windows PE quickly and directly recovers systems and doesn't require local administrative privileges. If the device uses BitLocker, you may need to manually enter the BitLocker recovery key before you can repair an affected system.

If you use a non-Microsoft disk encryption solution, refer to guidance from that vendor. They should provide options to recover the drive so that you can run the remediation script from Windows PE.

Safe Mode

This option to recover from safe mode may enable recovery on BitLocker-enabled devices without requiring the entry of BitLocker recovery keys. You need access to an account with local administrator rights on the device.

Use this option for devices in the following situations:

  • It uses TPM-only protectors.

  • The disk isn't encrypted.

  • The BitLocker recovery key is unknown.

If the device uses TPM+PIN BitLocker protectors, the user will either need to enter the PIN or you need to use the BitLocker recovery key.

If BitLocker isn't enabled, then the user only needs to sign in with an account with local administrator rights.

If you use a non-Microsoft disk encryption solution, refer to guidance from that vendor. They should provide options to recover the drive so that you can run the remediation script from safe mode.
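The decision above depends on which BitLocker protectors a device uses. The following script is an added example, not part of the KB or the Microsoft Recovery Tool: it reads the protector types on a booted, representative device (the affected devices will not boot, so use it on a healthy device of the same build, or from safe mode once you are in) and reports which recovery option the guidance above points to. It assumes the OS volume is C: and uses only the built-in BitLocker module.

```powershell
# Added example (not from the KB): classify a device's BitLocker protectors to choose
# between the Windows PE and safe mode recovery options. Run with administrative rights.
function Get-RecoveryOptionAdvice {
    param(
        # OS volume mount point; C: is assumed here.
        [string]$MountPoint = 'C:'
    )

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $encrypted   = $vol.VolumeStatus -ne 'FullyDecrypted'
    $hasTpmOnly  = $types -contains 'Tpm'
    $hasTpmPin   = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    $hasRecovery = $types -contains 'RecoveryPassword'

    if (-not $encrypted) {
        $advice = 'Disk is not encrypted: either option works; safe mode only needs a local administrator sign-in.'
    } elseif ($hasTpmPin) {
        $advice = 'TPM+PIN protector: the user must enter the PIN, or you need the BitLocker recovery key.'
    } elseif ($hasTpmOnly) {
        $advice = 'TPM-only protector: safe mode can recover without the recovery key; Windows PE prompts for it.'
    } else {
        $advice = 'No TPM protector: expect a recovery key prompt with Windows PE; confirm the key is escrowed.'
    }

    # HasRecoveryPassword only says a numerical password protector exists on the volume;
    # whether it is backed up to AD or Entra ID must be verified separately.
    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        MountPoint          = $MountPoint
        VolumeStatus        = $vol.VolumeStatus
        ProtectionStatus    = $vol.ProtectionStatus
        ProtectorTypes      = ($types -join ',')
        HasRecoveryPassword = $hasRecovery
        Advice              = $advice
    }
}

Get-RecoveryOptionAdvice
```

Collect the output across a fleet (for example via your management agent) to decide how many devices can use safe mode media and for how many you must retrieve recovery keys first.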

Additional considerations

Although the USB option is preferred, some devices may not support USB connections. For these situations, see the section on how to Use Preboot Execution Environment (PXE) for recovery.

If the device can't connect to a PXE network, and USB isn't an option, try the manual steps in the following articles:

  • KB5042421: CrowdStrike issue impacting Windows endpoints causing an 0x50 or 0x7E error message on a blue screen

  • KB5042426: CrowdStrike issue impacting Windows servers causing an 0x50 or 0x7E error message on a blue screen

Otherwise, reimaging the device might be a solution.

With any recovery option, first test it on multiple devices before you use it broadly in your environment.

Create the boot media

Prerequisites to create the boot media

  1. A Windows 64-bit client with at least 8 GB of free space on which you can run the tool to create the bootable USB drive.

  2. Administrative privileges on the Windows client from prerequisite #1.

  3. A USB drive with a minimum size of 1 GB and no larger than 32 GB. The tool deletes all existing data on this drive and automatically formats it to FAT32.

Instructions to create the boot media

To create recovery media, from the 64-bit Windows client in prerequisite #1, use the following steps:

  1. Download the signed Microsoft Recovery Tool from the Microsoft Download Center.

  2. Extract the PowerShell script from the downloaded file.

  3. Open Windows PowerShell as an administrator and run the following script: MsftRecoveryToolForCS.ps1

  4. The tool downloads and installs the Windows Assessment and Deployment Kit (Windows ADK). This process might take several minutes to complete.

  5. Choose one of the two options for recovering affected devices: Windows PE or safe mode.

  6. Optionally select a directory that contains driver files to import into the recovery image. We recommend you select N to skip this step.

    1. The tool imports any SYS and INI files recursively under the specified directory.

    2. Certain devices, such as Surface devices, might need additional drivers for keyboard input.

  7. Select the option to either generate an ISO file or USB drive.

  8. If you choose the USB option:

    1. Insert the USB drive when prompted and provide the drive letter.

    2. Once the tool completes creating the USB drive, remove it from the Windows client.

Instructions to use the recovery option

Windows PE

If you created media in the previous steps for Windows PE, use these instructions on affected devices.

Prerequisites to use the boot media for Windows PE recovery

  • You may need the BitLocker recovery key for each BitLocker-enabled and affected device.

    • If the affected device uses TPM+PIN protectors, and you don't know the PIN for the device, then you may need the recovery key.

Instructions to use the boot media for Windows PE recovery

  1. Insert the USB key into an affected device.

  2. Restart the device.

  3. During restart, press F12 to access the BIOS boot menu.

    Note: Some devices may use a different key combination to access the BIOS boot menu. Follow manufacturer-specific instructions for the device.

  4. From the BIOS boot menu, choose Boot from USB and continue. The tool runs.

  5. If BitLocker is enabled, the user will be prompted for the BitLocker recovery key. Include the dashes (-) when you enter the BitLocker recovery key. For more information on recovery key options, see Where to look for your BitLocker recovery key.

    Note: For non-Microsoft device encryption solutions, follow any steps provided by the vendor to gain access to the drive.

    1. If BitLocker isn't enabled on the device, you may still be prompted for the BitLocker recovery key. Press Enter to skip and continue.

  6. The tool runs the remediation steps as recommended by CrowdStrike.

  7. Once complete, remove the USB drive and restart the device normally.

Safe Mode

If you created media in the previous steps for safe mode, use these instructions on affected devices.

Prerequisites to use the boot media for safe mode recovery

  • Access to the local Administrator account.

  • If the affected device uses BitLocker TPM+PIN protectors, and you don't know the PIN for the device, then you may need the BitLocker recovery key.

Instructions to use the boot media for safe mode recovery

  1. Insert the USB key into an affected device.

  2. Restart the device.

  3. During restart, press F12 to access the BIOS boot menu.

    Note: Some devices may use a different key combination to access the BIOS boot menu. Follow manufacturer-specific instructions for the device.

  4. From the BIOS boot menu, choose Boot from USB and continue.

  5. The tool runs and the following message appears:
    This tool will configure this machine to boot in safe mode. WARNING: In some cases you may need to enter a BitLocker recovery key after running.

  6. Press any key to continue. The following message appears:
    Your PC is configured to boot to Safe Mode now.

  7. Press any key to continue. The device restarts into safe mode.

  8. Run repair.cmd from the root of the media drive. The script runs the remediation steps as recommended by CrowdStrike.

  9. The following message appears:
    This tool will remove impacted files and restore normal boot configuration. WARNING: You may need BitLocker recovery key in some cases. WARNING: This script must be run in an elevated command prompt.

  10. Press any key to continue. The script runs and restores the normal boot mode.

  11. Once the tool completes successfully, the following message appears:
    Success. System will now reboot.

  12. Press any key to continue. The device restarts normally.

Use recovery media on Hyper-V virtual machines

You can use the recovery media to remediate affected Hyper-V virtual machines (VM). When you create the boot media, select the option to generate an ISO file.

Note: For non-Hyper-V VMs, follow instructions provided by your hypervisor vendor to use the recovery media.

Instructions to recover Hyper-V virtual machines

  1. On an affected VM, add a DVD Drive under Hyper-V settings > SCSI Controller.

  2. Browse to the recovery ISO and add it as an Image file under Hyper-V Settings > SCSI Controller > DVD Drive.

  3. Note the current Boot order so that you can manually restore it later. The following image is an example of a boot order, which may be different than the configuration of your VM.

    [Image: example of a Hyper-V VM boot order]

  4. Change the Boot order to move the DVD Drive up as the first boot entry.

  5. Start the VM and press any key to continue booting to the ISO image.

  6. Depending on how you created the recovery media, follow the additional steps to use the Windows PE or safe mode recovery options.

  7. Set the boot order back to the original boot settings from the VM’s Hyper-V settings.

  8. Restart the VM normally.

Use PXE for recovery

For most customers, the other recovery options will help restore your devices. However, if devices are unable to use the option to recover from USB, for example, because of security policies or port availability, IT admins can use PXE to remediate.

To use this solution, you can use the Windows Imaging Format (WIM) image that the Microsoft recovery tool creates in an existing PXE environment. The affected devices need to be on the same network subnet as the existing PXE server.

Alternatively, you can use the PXE server approach outlined below. This option works best when you can easily move the PXE server from subnet to subnet for remediation purposes.

Prerequisites for PXE recovery

  1. A 64-bit Windows device that hosts the boot image. This device is referred to as the "PXE server."

    1. The PXE server can run on any supported Windows client 64-bit OS.

    2. The PXE server should have internet access to download the Microsoft PXE tool from the Microsoft Download Center. You can also copy it to the PXE server from another system on your network.

    3. The PXE server should have inbound firewall rules created for UDP ports 67, 68, 69, 547, and 4011. The downloaded PXE tool (MSFTPXEToolForCS.exe) updates the Windows Firewall settings on the PXE server. If the PXE server uses a non-Microsoft firewall solution, create rules following their recommendations.

      Note: This script doesn't clean up the firewall rules. You should remove these firewall rules after remediation is complete. To remove these rules from the Windows Firewall, open Windows PowerShell as an administrator and run the following command: MSFTPXEInitToolForCS.ps1 clean

    4. Administrative privileges to run the PXE tool.

    5. The PXE server requires the Microsoft Visual C++ Redistributable. Download and install the latest version.

  2. The affected Windows devices should be on the same subnet as the PXE server. They should be hard-wired instead of using a Wi-Fi network.
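Because the PXE tool leaves its inbound firewall rules in place, it is worth confirming they are actually gone once remediation is finished. The following script is an added example, not part of the KB or the PXE tool: it audits enabled inbound UDP allow rules in Windows Firewall that cover any of the PXE ports listed above (67, 68, 69, 547, 4011). It assumes a standard Windows Firewall (not a non-Microsoft firewall product) and uses only the built-in NetSecurity cmdlets.

```powershell
# Added example (not from the KB): list enabled inbound UDP allow rules that still expose
# the PXE ports, so you can verify cleanup after "MSFTPXEInitToolForCS.ps1 clean".
$PxePorts = 67, 68, 69, 547, 4011

function Test-PortSpecMatches {
    # Windows Firewall stores LocalPort as strings such as "67", "67-68" or "Any".
    param([string]$Spec, [int]$Port)
    if ($Spec -eq 'Any') { return $true }
    if ($Spec -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1]) -and ($Port -le [int]$Matches[2])
    }
    return $Spec -eq "$Port"
}

function Get-PxeFirewallRules {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $rule   = $_
        $filter = $rule | Get-NetFirewallPortFilter
        # Only UDP (or protocol-agnostic) rules matter for PXE/DHCP/TFTP.
        if ($filter.Protocol -notin 'UDP', 'Any') { return }
        $hits = foreach ($port in $PxePorts) {
            foreach ($spec in @($filter.LocalPort)) {
                if (Test-PortSpecMatches -Spec $spec -Port $port) { $port }
            }
        }
        $hits = $hits | Sort-Object -Unique
        if ($hits) {
            [pscustomobject]@{
                Name        = $rule.Name
                DisplayName = $rule.DisplayName
                Profile     = $rule.Profile
                Protocol    = $filter.Protocol
                LocalPort   = (@($filter.LocalPort) -join ',')
                PxePorts    = ($hits -join ',')
            }
        }
    }
}

$leftover = @(Get-PxeFirewallRules)
if ($leftover.Count -eq 0) {
    Write-Output 'No enabled inbound UDP allow rules cover the PXE ports.'
} else {
    Write-Warning "Found $($leftover.Count) enabled inbound allow rule(s) covering PXE ports; review and remove after remediation:"
    $leftover | Format-Table -AutoSize
    # After confirming a rule is a leftover: Remove-NetFirewallRule -Name <Name>
}
```

Run it after the clean command; the audit also catches any pre-existing or manually added rules for these ports that the tool's cleanup would not touch.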

Configure the PXE server

  1. Download the Microsoft PXE tool from the Microsoft Download Center. Extract the contents of the zip archive to any directory. It contains all of the necessary files.

  2. Open Windows PowerShell as an administrator. Change to the directory where you extracted the files and run the following command: MSFTPXEInitToolForCS.ps1

    1. The script scans for the Windows ADK and Windows PE Add-On installation on the PXE server. If they're not installed, the script installs them. To proceed with installation, review and accept the license terms.

    2. The script generates the remediation scripts and creates a valid boot image.

    3. If required, accept the prompt and provide a path containing the driver files. Driver files may be required for keyboard or mass storage devices. Generally, you won't need to add drivers. If you don't need any additional driver files, select N.

    4. You can configure the PXE server to deliver a default remediation image or a safe mode image. You'll see the following prompts:
      1. Boot to WinPE to remediate the issue. It requires entering BitLocker recovery key if system disk is BitLocker encrypted.
      2. Boot to WinPE configure safe mode and run repair command after entering safe mode. This option is less likely to require BitLocker recovery key if system disk is BitLocker encrypted.

    5. The script generates the required distribution files and provides the path where it copies the PXE server tool.

  3. Double-check the prerequisites for PXE recovery, especially the Microsoft Visual C++ Redistributable.

  4. From the PowerShell console as an administrator, change to the directory where the PXE server tool is copied, and run the following command to launch the listener process: .\MSFTPXEToolForCS.exe

    1. You won't see additional responses as the PXE server handles connections. Don't close this window, as that will stop the PXE server.

    2. You can monitor the PXE server progress in the MSFTPXEToolForCS.log file in the same directory.

      Note: If you want to run multiple PXE servers for different subnets, copy the directory with the PXE server tool, and rerun steps 3 & 4.

Additional information about PXE

  • PXE boot in Configuration Manager

  • Advanced troubleshooting for PXE boot issues

  • You want to PXE Boot? Don't use DHCP Options

Use PXE to recover an affected device

The affected device must be on the same subnet as the PXE server. If the devices are in different subnets, configure IP helpers in your network environment to enable the discovery of the PXE server.

If the affected device isn't configured for PXE boot, follow these steps:

  1. On the affected device, access the BIOS\UEFI menu.

    1. This action is different across different models and manufacturers. Refer to documentation provided by the original equipment manufacturer for the specific make and model of the device.

    2. Common options for accessing the BIOS\UEFI involve pressing a key like F2, F12, DEL, or ESC during the startup sequence.

  2. Ensure Network boot is enabled on the device. For additional guidance, refer to documentation from the device manufacturer.

  3. Configure the network boot option as the first boot priority.

  4. Save the new settings. Restart the device for the settings to apply and boot from PXE.

When you PXE boot the affected device, the behavior will depend upon whether you chose Windows PE or safe mode recovery media for the PXE server.

For more information on these options, see the additional steps to use the Windows PE or safe mode recovery options.

  1. For the Windows PE recovery option, the user is prompted to boot to Windows PE and the remediation script runs automatically.

  2. For the safe mode recovery option, the device boots to safe mode. The user needs to sign in with the local Administrator account and manually run the script.

    1. In safe mode and signed in as the local Administrator, open Windows PowerShell as an administrator.

    2. Run the following commands (they are written in Command Prompt syntax; if you run them from PowerShell, use $env:SystemRoot in place of %SystemRoot% and quote the identifier as '{current}' so PowerShell passes the braces through to bcdedit):
      del %SystemRoot%\System32\drivers\CrowdStrike\C-00000291*.sys
      bcdedit /deletevalue {current} safeboot
      shutdown -r -t 00

Once complete, restart the device normally by responding to the prompt on the screen. Access the BIOS\UEFI menu and update the boot order to remove PXE boot.

Contact CrowdStrike

If you still experience issues signing in to your device after following the above steps, please reach out to CrowdStrike for additional assistance.

Additional information

For more information on the issue impacting Windows clients and servers running the CrowdStrike Falcon agent, see the following resources:

  • A wide variety of Windows information is available from Windows release health (aka.ms/WRH).

  • Detailed recovery steps are available in the following articles:

    • KB5042421: CrowdStrike issue impacting Windows endpoints causing an 0x50 or 0x7E error message on a blue screen

    • KB5042426: CrowdStrike issue impacting Windows servers causing an 0x50 or 0x7E error message on a blue screen

  • Windows 365 Cloud PC customers can attempt to restore their Cloud PC to a known good state prior to the release of the update (July 19, 2024). For more information, see one of the following articles:

    • Point-in-time restore for Windows 365 Enterprise

    • Point-in-time restore for Windows 365 Business

  • For Windows VMs running on Microsoft Azure, follow the mitigation steps in Azure status.

  • Additional details from CrowdStrike are available from the CrowdStrike remediation and guidance hub: Falcon content update for Windows hosts.

  • The Microsoft Intune Customer Success blog post on the recovery tool has comments from other IT administrators that may be helpful.

References

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. We make no warranty, implied or otherwise, about the performance or reliability of these products.

We provide third-party contact information to help you find technical support. This contact information may change without notice. We do not guarantee the accuracy of this third-party contact information.

