csagent.sys BSOD org-wide: locate and delete file matching C-00000291.sys
Windows PCs are becoming unusable due to an update from infosec provider CrowdStrike.
Microsoft Windows 10 machines have crashed to the Blue Screen of Death, and many users have reported being unable to reboot their computers, according to reports compiled by The Register.
Critical services are being brought down by an org-wide BSOD, which is triggered by csagent.sys. “This is a big deal, but I’ll open a ticket anyway,” one user said.
As far as the forums are aware, CrowdStrike has released an advisory titled “Tech-Alert-Windows-crashes-related-to Falcon-Sensor-2024-07-19”; however, the advisory is behind a regwall and can only be seen by customers.
An image that appears to come from that page states: “CrowdStrike is aware of reports of crashes on Windows hosts related to the Falcon Sensor.” The symptom described is that a host may encounter a bugcheck or blue screen error associated with the Falcon Sensor.
Engineers from CrowdStrike are currently addressing the matter.
According to CrowdStrike, Falcon Sensor “blocks attacks on your systems while capturing and recording activity as it happens to detect threats fast.”
But for the time being, it seems like the sensor is the danger.
The Register will provide updates on this developing story as more information becomes available.
Brody Nisbet, CrowdStrike’s chief threat hunter, has confirmed the issue and on X posted the following:
There is a faulty channel file, so not quite an update. There is a workaround…
1. Boot Windows into Safe Mode or WRE.
2. Go to C:\Windows\System32\drivers\CrowdStrike
3. Locate and delete file matching “C-00000291*.sys”
4. Boot normally.
In a later post he wrote “That workaround won’t help everyone though and I’ve no further actionable help to provide at the minute”.
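Steps 2 and 3 of the workaround as a PowerShell script for an elevated prompt in Safe Mode, added here as an example (it is not CrowdStrike's or The Register's code). The directory and file pattern are the ones quoted above; the `-Delete` switch, the dry-run default, the scan of every mounted volume and the SHA-256 record are assumptions of this example.

```powershell
# Added example: scripted form of steps 2-3 of the quoted workaround.
# Dry run by default: nothing is removed unless -Delete is passed.
[CmdletBinding()]
param(
    # File pattern and directory as given in the workaround.
    [string]$Pattern     = 'C-00000291*.sys',
    [string]$RelativeDir = 'Windows\System32\drivers\CrowdStrike',
    # Hypothetical switch for this example: actually delete the matches.
    [switch]$Delete
)

# Assumption: check every mounted volume rather than only C:, in case the
# Windows volume carries a different drive letter in the current boot mode.
$dirs = Get-PSDrive -PSProvider FileSystem |
    ForEach-Object { Join-Path $_.Root $RelativeDir } |
    Where-Object { Test-Path -LiteralPath $_ -PathType Container }

if (-not $dirs) {
    Write-Warning "No '$RelativeDir' directory found on any mounted volume."
    return
}

foreach ($dir in $dirs) {
    $files = Get-ChildItem -LiteralPath $dir -Filter $Pattern -File -Force
    if (-not $files) {
        Write-Host "${dir}: no file matching $Pattern"
        continue
    }
    foreach ($f in $files) {
        # Hash before removal so the exact file that was deleted is on record.
        $hash   = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        $action = 'would delete'
        if ($Delete) {
            try {
                Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
                $action = 'deleted'
            } catch {
                $action = "failed: $($_.Exception.Message)"
            }
        }
        # One record per matching file, suitable for piping to Export-Csv.
        [pscustomobject]@{
            Path         = $f.FullName
            LastWriteUtc = $f.LastWriteTimeUtc
            SHA256       = $hash
            Action       = $action
        }
    }
}
```

Run it once without `-Delete` to confirm that only files matching the quoted pattern are listed, then again with `-Delete` and reboot normally as in step 4.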