Scrape Timestamp (UTC): 2024-07-22 01:26:26.402
Original Article Text
Microsoft releases Windows repair tool to remove CrowdStrike driver

Microsoft has released a custom WinPE recovery tool to find and remove the faulty CrowdStrike update that crashed an estimated 8.5 million Windows devices on Friday.

On Friday, CrowdStrike pushed out a faulty update that caused millions of Windows devices worldwide to suddenly crash with a Blue Screen of Death (BSOD) and enter reboot loops. This glitch caused massive IT outages, as companies suddenly found that all of their Windows devices no longer worked. These IT outages affected airports, hospitals, banks, companies, and government agencies worldwide.

To resolve the issue, admins needed to reboot impacted Windows devices into Safe Mode or the Recovery Environment and manually remove the buggy kernel driver from the C:\Windows\System32\drivers\CrowdStrike folder. However, as organizations face hundreds, if not thousands, of impacted Windows devices, manually performing these fixes can be problematic, time-consuming, and difficult.

To help IT admins and support staff, Microsoft has released a custom recovery tool that automates the removal of the buggy CrowdStrike update from Windows devices so that they can once again boot normally.

"As a follow-up to the CrowdStrike Falcon agent issue impacting Windows clients and servers, we have released a USB tool to help IT Admins expedite the repair process," reads a Microsoft support bulletin. "The signed Microsoft Recovery Tool can be found in the Microsoft Download Center: https://go.microsoft.com/fwlink/?linkid=2280386."

To use Microsoft's recovery tool, IT staff need a 64-bit Windows client with at least 8 GB of free space, administrative privileges on that device, a USB drive with at least 1 GB of storage, and a BitLocker recovery key if required. Note that the USB flash drive must be 32 GB or smaller; otherwise, Windows will not format it with FAT32, which is required to boot from the drive.
The recovery tool is created by a PowerShell script downloaded from Microsoft, which must be run with administrative privileges. When run, it formats the USB drive, builds a custom WinPE image, copies it to the drive, and makes the drive bootable.

You can then boot the impacted Windows device from the USB key, and it will automatically run a batch file named CSRemediationScript.bat. This batch file prompts you to enter any necessary BitLocker recovery keys, which can be retrieved using these steps. The script then searches for the buggy CrowdStrike kernel driver in the C:\Windows\system32\drivers\CrowdStrike folder and, if it is found, deletes it automatically.

BleepingComputer's tests and review of the batch file show that it creates neither a log nor a backup of the CrowdStrike driver it deletes. When it has finished, the script prompts you to press any key, and the device reboots. With the CrowdStrike driver deleted, the device should boot back into Windows and be available again.

Unfortunately, the biggest obstacle for Windows admins is retrieving any necessary BitLocker recovery keys. Determining whether a key is needed, and recovering it, should therefore be the first step taken before attempting to recover a device.
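The article notes two gaps in Microsoft's batch file: it keeps no log and makes no backup of what it deletes. The script below is an added example written for this page, not Microsoft's CSRemediationScript.bat and not CrowdStrike code. It performs the same offline steps the article describes (check whether the Windows volume is BitLocker-locked, unlock it with a recovery password, look in \Windows\System32\drivers\CrowdStrike, delete the matching file) but first hashes and copies each file to the USB drive and records every action in a log, so an incident record survives the reboot. Assumptions not taken from the article: the WinPE image includes the WinPE-PowerShell, WinPE-WMI and WinPE-SecureStartup (manage-bde.exe) components; the script is run from the USB drive so $PSScriptRoot is writable; and the operator supplies the file name pattern of the faulty file via -FilePattern, because the article does not name the file. The function names and parameters are this example's own.

```powershell
<#
  Added example: offline remediation from WinPE with a backup and a log.
  Not Microsoft's CSRemediationScript.bat. Assumes manage-bde.exe and
  PowerShell are present in the WinPE image and that this script lives on the
  writable USB drive. -FilePattern is a placeholder the operator must supply.
  Usage from the WinPE prompt:  .\Remediate-Offline.ps1 -FilePattern '<placeholder>*.sys' -WhatIf
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Wildcard for the file(s) to remove inside \Windows\System32\drivers\CrowdStrike.
    [Parameter(Mandatory)][string]$FilePattern,
    [string]$LogPath    = (Join-Path $PSScriptRoot 'remediation.log'),
    [string]$BackupRoot = (Join-Path $PSScriptRoot 'backup')
)

function Write-Log {
    param([string]$Message)
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line   # persistent record on the USB drive
    Write-Host $line
}

# manage-bde prints "Lock Status: Locked" for a BitLocker volume whose file
# system cannot be read until a protector (here the recovery password) is supplied.
function Test-LockedVolume {
    param([string]$Drive)
    $status = (& manage-bde.exe -status $Drive 2>$null) -join "`n"
    return [bool]($status -match 'Lock Status:\s+Locked')
}

# Prompt for the 48-digit recovery password and hand it to manage-bde.
# Returns $true when the volume is readable afterwards, $false if the operator skips it.
function Unlock-Volume {
    param([string]$Drive)
    while ($true) {
        $key = (Read-Host "BitLocker recovery password for $Drive (8 groups of 6 digits, blank to skip)").Trim()
        if ($key -eq '') { return $false }
        if ($key -notmatch '^(\d{6}-){7}\d{6}$') { Write-Host 'Format must be 111111-222222-...-888888.'; continue }
        & manage-bde.exe -unlock $Drive -RecoveryPassword $key | Out-Null
        if (-not (Test-LockedVolume $Drive)) { Write-Log "Unlocked $Drive with a recovery password"; return $true }
        Write-Host "manage-bde did not unlock $Drive; check the key and try again."
    }
}

# Back up (with SHA-256) and then delete each matching file on one offline Windows volume.
function Remove-FaultyFiles {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Drive)
    $dir = Join-Path $Drive 'Windows\System32\drivers\CrowdStrike'
    if (-not (Test-Path $dir)) { Write-Log "$Drive has no CrowdStrike driver folder; skipping"; return 0 }
    $files = @(Get-ChildItem -Path $dir -Filter $FilePattern -File -ErrorAction SilentlyContinue)
    if ($files.Count -eq 0) { Write-Log "No file matching '$FilePattern' in $dir"; return 0 }
    $backupDir = Join-Path $BackupRoot $Drive.Substring(0, 1)
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    $removed = 0
    foreach ($f in $files) {
        $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        Copy-Item -Path $f.FullName -Destination $backupDir -Force
        Write-Log "Backed up $($f.FullName) ($($f.Length) bytes, SHA256 $hash) to $backupDir"
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete')) {   # honours -WhatIf
            Remove-Item -Path $f.FullName -Force
            Write-Log "Deleted $($f.FullName)"
            $removed++
        }
    }
    return $removed
}

# Main: visit every local fixed volume except X:, the WinPE RAM disk. The
# installed Windows volume is not always C: once WinPE has assigned letters.
$total = 0
foreach ($disk in Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3') {
    $drive = $disk.DeviceID                      # e.g. 'C:'
    if ($drive -eq 'X:') { continue }
    if (Test-LockedVolume $drive) {
        Write-Log "$drive is BitLocker-locked; a recovery password is required"
        if (-not (Unlock-Volume $drive)) { Write-Log "Skipped $drive (no recovery password supplied)"; continue }
    }
    $total += Remove-FaultyFiles -Drive $drive
}
Write-Log "Finished: $total file(s) removed. Log: $LogPath  Backups: $BackupRoot"
```

Running it once with -WhatIf shows which volumes are locked and which files would be deleted without touching anything, which is a cheap way to confirm the recovery password and the file pattern before committing. The SHA-256 in the log lets the backed-up copy be matched later against the vendor's description of the faulty file.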
Daily Brief Summary
Microsoft has launched a recovery tool to rectify a flawed CrowdStrike update which led to a Blue Screen of Death (BSOD) on approximately 8.5 million Windows devices.
The CrowdStrike update triggered widespread IT outages globally, affecting essential services and businesses such as airports, hospitals, and banks.
Organizations faced significant challenges as multiple Windows devices required manual intervention to remove a corrupt kernel driver.
The tool, offered via a Microsoft support bulletin, is designed to automate the deletion of the faulty CrowdStrike kernel driver, enabling normal device reboot.
To use the recovery tool, IT staff need a specific setup including a 64-bit Windows client, a USB drive, and possibly a BitLocker recovery key.
The USB drive is formatted and loaded with a custom WinPE image which carries out the corrective action without creating logs or backups of the removed driver.
Even with the tool, the primary challenge remains retrieving the requisite BitLocker recovery keys for encrypted devices, which should be done before attempting recovery.