Fix manually.
If BitLocker is not enabled
Based on this Reddit post.
- Boot Windows into safe mode
- Go to C:\Windows\System32\drivers\CrowdStrike
- Delete files matching the C-00000291*.sys pattern
- Reboot
If BitLocker is enabled
Based on this Twitter post.
- Cycle through BSODs until you get the recovery screen.
- Navigate to Troubleshoot > Advanced Options > Startup Settings
- Press "Restart"
- Skip the first BitLocker recovery key prompt by pressing Esc
- Skip the second BitLocker recovery key prompt by selecting Skip This Device in the bottom right
- Navigate to Troubleshoot > Advanced Options > Command Prompt
- Type bcdedit /set {default} safeboot minimal, then press Enter
- Go back to the WinRE main menu and select Continue
- It may cycle 2-3 times
- If you booted into safe mode, log in as normal
- Open Windows Explorer, navigate to C:\Windows\System32\drivers\CrowdStrike
- Delete the offending file (starts with C-00000291*, .sys file extension)
- Open command prompt as administrator
- Type bcdedit /deletevalue {default} safeboot, then press Enter
- Restart as normal, confirm normal behaviour
Fix with a Batch script
Summary:
- A batch script that you can run in safe mode to fix the issue
Supports BitLocker Encryption?: No
Demonstration: Youtube Video
https://github.com/user-attachments/assets/e4301b83-46f7-4ce0-a508-51f3c3ce9919
One Liner
- NOTE that an internet connection and PowerShell are required to do this
- Open CMD as an administrator and run the command below
powershell -Command "Invoke-WebRequest -Uri https://raw.githubusercontent.com/hirusha-adi/crowdstrike-fix/main/other/fix.bat -OutFile fix.bat; Start-Process fix.bat -Wait; Remove-Item fix.bat"
- It will download the script, execute it, and remove it
Via the GUI
- Click here to download the file.
- Right click and Run as administrator.
- The script should work as intended.
Fix with a PowerShell script
Summary:
- A PowerShell script that you can run in safe mode to fix the issue
Supports BitLocker Encryption?: No
Demonstration: scroll down...
One Liner (internet required)
- NOTE that an internet connection is required to do this
- Open PowerShell as an administrator and run the command below
iwr -useb https://raw.githubusercontent.com/hirusha-adi/crowdstrike-fix/main/other/fix.ps1 | iex
- It will download the script, execute it, and remove it
- Demonstration: Youtube
https://github.com/user-attachments/assets/692f218c-d8b7-4af6-9d53-b682eb7fcc90
One Liner (works offline)
- NO internet connection is required for this one-liner to work
- Open PowerShell as an administrator and run the command below
Write-Output "====="; Write-Output "Starting script."; Write-Output "====="; $path = Join-Path -Path $env:WINDIR -ChildPath "System32\drivers\CrowdStrike"; if (Test-Path -Path $path) { Write-Output "Found CrowdStrike folder in $path"; Write-Output "====="; Get-ChildItem -Path $path; $filesToDelete = Get-ChildItem -Path $path -Filter "C-00000291*.sys"; foreach ($file in $filesToDelete) { try { Write-Output "Deleting: $($file.FullName)"; Remove-Item -Path $file.FullName -Force } catch { Write-Output "Failed to delete file: $($file.FullName) - $($_.Exception.Message)" } }; Get-ChildItem -Path $path; Write-Output "====="; } else { Write-Output "CrowdStrike folder not found in $($env:WINDIR)\System32\drivers" }; Write-Output "====="; Write-Output "Script completed."; Write-Output "=====";
- Demonstration: Youtube
https://github.com/user-attachments/assets/fa7d4b69-e741-40d5-8d5a-d8793cb755fa
Fix by booting from a Linux distribution
Summary:
- (Live) boot into a Linux distribution on the affected computer and execute the fix script.
Supports BitLocker Encryption?: No
Usage Guide
# get the script
wget https://raw.githubusercontent.com/hirusha-adi/crowdstrike-fix/main/other/fix.sh
# make it executable
chmod +x fix.sh
# run the script
./fix.sh
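
The manual steps from the top of this page, applied from a live Linux session, as an added example (this is not the repository's fix.sh, whose contents are not shown here). It assumes the Windows volume is already mounted read-write at a path you pass in, and it moves the matching files to a quarantine folder instead of deleting them so they can be restored or examined later; the function names and the cs-quarantine folder are this example's own.

```shell
#!/bin/sh
# Added example, not the repository's fix.sh.
# Assumption: the Windows system volume is already mounted read-write at the
# path given as $1 (for example /mnt/win). BitLocker volumes are out of scope.

# Locate <root>/Windows/System32/drivers/CrowdStrike, ignoring case because
# Linux NTFS drivers may present directory names case-sensitively.
find_cs_dir() {
    find "$1" -maxdepth 4 -type d \
        -ipath "$1/windows/system32/drivers/crowdstrike" 2>/dev/null | head -n 1
}

# Move every C-00000291*.sys file out of the driver folder into a quarantine
# directory (default: <root>/cs-quarantine, a hypothetical name).
# Prints the number of files moved; returns 1 if the folder is missing.
quarantine_channel_files() {
    root=${1%/}
    qdir=${2:-"$root/cs-quarantine"}
    csdir=$(find_cs_dir "$root")
    if [ -z "$csdir" ]; then
        echo "CrowdStrike driver folder not found under $root" >&2
        return 1
    fi
    mkdir -p "$qdir" || return 1
    moved=0
    for f in "$csdir"/C-00000291*.sys; do
        [ -f "$f" ] || continue        # glob matched nothing
        echo "Quarantining: $f" >&2
        mv -- "$f" "$qdir/" || return 1
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Run directly as: ./quarantine.sh /mnt/win [quarantine-dir]
if [ "$#" -ge 1 ]; then
    quarantine_channel_files "$@"
fi
```

Other channel files in the folder (names that do not start with C-00000291) are left in place, matching the pattern the manual steps give.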