Bluescreen

Unable to access OS Drive to delete C-00000291*.sys CrowdStrike bluescreen

This applies if your laptop's SSD/NVMe drive is BitLocker encrypted and you're not able to see or access the primary Windows 11 or 10 OS partition (typically the C:\ drive) in Windows Recovery (WinRE) while following CrowdStrike's remediation instructions at https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/ (this will be apparent as you won't be prompted for a BitLocker key when you access the Command Prompt in the Windows Recovery Environment).

To get around this you'll need to boot into your laptop's BIOS and enable an alternative storage boot option.

The steps below should be safe to complete if your laptop is not configured with multiple physical drives enrolled in a RAID configuration.

Depending on your laptop's manufacturer/model, the BIOS may be accessible via F12, F1, F2 or Esc.

1. Once in the BIOS, look for "Storage" or "Advanced" options and find the storage boot option. The options you need to look for may be labelled (AHCI and RAID) or (AHCI/NVMe and RAID On). Select the opposite storage option to the one currently selected, then save your BIOS setting changes, exit the BIOS and shut the laptop down.

2. Now turn on the laptop again and boot into Windows Recovery again (this should happen automatically). If it doesn't, let Windows 11 or 10 fully boot and wait for the bluescreen. The bluescreen/reboot cycle may need to be repeated up to five times or more before you'll be prompted to enter Windows Recovery again. Once this happens, launch the Command Prompt from:

“Advanced Options” > “Troubleshoot” > “Advanced Options” > “Command Prompt”

You should now be prompted to enter your BitLocker Recovery Password (if you don't have access to your BitLocker Recovery Password, contact your domain administrator).

Once you've entered the BitLocker Recovery Password, your CMD dialog should auto launch to the X:\ drive.

3. cd to %WINDIR%\System32\drivers\CrowdStrike or C:\windows\System32\drivers\CrowdStrike and delete the C-00000291*.sys file as per CrowdStrike's instructions at https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/ then type "exit" to exit the CMD prompt.

4. Very Important: The final step is to enter your laptop's BIOS again before Windows 11 or 10 fully boots to the login screen and revert the storage boot option changes made in Step 2 to its original setting.

5. Save your BIOS setting change again and exit the BIOS once more, then let Windows 11 or 10 boot. The CrowdStrike bluescreen/reboot issue should now be resolved.
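
The file deletion in step 3 can also be done with a small batch file run from the WinRE Command Prompt once the BitLocker prompt has been answered. This is an added example, not CrowdStrike's or this blog's own script; the variable names REL, PATTERN and FOUND are made up for it. It probes each drive letter because the Windows volume is not always mounted as C: inside WinRE, and it confirms the files are gone before reporting success.

```batch
@echo off
rem Added example: locate the CrowdStrike driver folder on any unlocked
rem volume and delete the C-00000291*.sys files named in the steps above.
setlocal
set "REL=Windows\System32\drivers\CrowdStrike"
set "PATTERN=C-00000291*.sys"
set "FOUND="

rem X: is skipped because it is the WinRE RAM disk, not the installed OS.
for %%D in (C D E F G H I J K L M N O P Q R S T U V W Y Z) do (
    if exist "%%D:\%REL%\" (
        set "FOUND=%%D:"
        echo Found CrowdStrike driver folder on %%D:
        if exist "%%D:\%REL%\%PATTERN%" (
            rem List what is about to be removed, then delete it.
            dir /b "%%D:\%REL%\%PATTERN%"
            del /f "%%D:\%REL%\%PATTERN%"
            if exist "%%D:\%REL%\%PATTERN%" (
                echo ERROR: matching files are still present on %%D:
            ) else (
                echo Deleted matching files on %%D:
            )
        ) else (
            echo No %PATTERN% files on %%D:, nothing to delete
        )
    )
)

rem If no folder was visible, the volume is probably still locked or hidden.
if not defined FOUND (
    echo No CrowdStrike driver folder is visible on any volume.
    echo Check the lock state with: manage-bde -status
    echo A locked or missing volume means the storage mode change or
    echo the recovery password step has not taken effect yet.
    exit /b 1
)
exit /b 0
```

The script changes nothing in the BIOS, so steps 4 and 5 still have to be completed afterwards.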

The Blog of Martin Birrane