Microsoft Releases Tool to Fix CrowdStrike-Caused Windows Chaos

Microsoft releases a recovery tool to fix CrowdStrike outages that crippled IT systems worldwide. The tool offers two repair options: Recovery from WinPE and Recovery from Safe Mode. Download it now from the Microsoft Download Center and restore your systems!

A minor software update by CrowdStrike caused the biggest IT outage in history on July 19, 2024, affecting banks, airlines, hospitals, and media outlets worldwide. The update led to Windows-based systems rebooting and displaying blue screens of death. CrowdStrike CEO George Kurtz confirmed the issue stemmed from an update to the Falcon Sensor.

The resulting IT outage was exploited by threat actors to primarily target LATAM customers. A deceptive ZIP file, crowdstrike-hotfix.zip, containing HijackLoader, was used to deploy RemCos RAT, giving attackers control over infected systems.

Now, Microsoft has released an upgraded recovery tool designed to assist IT administrators in resolving problems stemming from the CrowdStrike Falcon agent on Windows clients and servers. It is worth noting approximately 8.5 million Windows devices were impacted by the issue.

CrowdStrike continues to focus on restoring all systems as soon as possible. Of the approximately 8.5 million Windows devices that were impacted, a significant number are back online and operational.

Together with customers, we tested a new technique to accelerate impacted…

— CrowdStrike (@CrowdStrike) July 21, 2024

This new Microsoft Recovery Tool provides two repair options to streamline the repair process. This tool is available for download from the Microsoft Download Center here.

The two available recovery options are:

1. Recovery from WinPE: This method creates boot media to facilitate device repair. It’s a direct recovery option that does not require local admin privileges. If BitLocker is activated, you might have to manually input the recovery key. For third-party disk encryption solutions, consult the vendor’s guidance.
2. Recovery from Safe Mode: This option allows devices to boot into safe mode using boot media. Users need local admin access to run remediation steps. This method is suitable for devices with TPM-only protectors or non-encrypted devices. BitLocker-enabled devices might require entering the recovery key or PIN.

For both methods, it’s recommended to test the recovery process on multiple devices before deploying it widely. If neither USB nor PXE recovery is feasible, reimaging the device may be necessary.

Prerequisites for Creating Boot Media

To create the boot media, you’ll need:

• A 64-bit Windows client with a minimum of 8GB of available storage.
• Administrative privileges on the client device.
• A USB drive (1GB to 32GB) that will be formatted.

Creating WinPE Recovery Media

Here’s how to proceed on the 64-bit Windows client:

• Obtain the Microsoft Recovery Tool from the Microsoft Download Center.
• Extract the PowerShell script from the downloaded package.
• Run the MsftRecoveryToolForCSv2.ps1 script from an elevated PowerShell prompt.
• The ADK will download, and the media creation process will start.
• Choose between WinPE or Safe Mode recovery options.
• Optionally, import driver files into the recovery image if needed.
• Generate either an ISO or USB drive and specify the drive letter.

Using the Boot Media

WinPE Recovery:

• Insert the USB drive into the affected device and reboot.
• Enter the BIOS boot menu (usually by pressing F12) and select Boot from USB.
• The recovery tool will prompt for the BitLocker recovery key if necessary.
• Follow the on-screen instructions to complete the remediation.

Safe Mode Recovery:

• Insert the USB drive and reboot the device.
• Enter the BIOS boot menu and select Boot from USB.
• The tool will configure the device to boot into safe mode.
• Login with a local admin account and run the provided script from the USB drive to complete the remediation.

Hyper-V Virtual Machines

The recovery media can also remediate Hyper-V virtual machines. Create an ISO using the recovery tool and follow these steps:

• Add a DVD drive to the virtual machine’s SCSI controller.
• Attach the recovery ISO as the image file.
• Change the boot order to prioritize the DVD drive.
• Start the VM and follow the appropriate recovery steps.

For PXE recovery, ensure the affected devices and PXE server are on the same subnet. Configure the PXE server as described, and follow the specific steps to recover impacted devices using PXE boot.

For more detailed information and regular updates, refer to Microsoft’s support articles and CrowdStrike’s statements regarding the issue.

RELATED TOPICS

1. CISA Publishes List of Free Cybersecurity Tools and Services
2. Why Cybersecurity Business Needs a Real-Time Collaboration Tool
3. ZDI Slams Microsoft for Not Crediting It in Last Week’s Patch Tuesday
4. Kaspersky’s iShutdown Tool Detects Pegasus Spyware on iOS Devices
5. McAfee’s Mockingbird AI Tool Detects Deepfake Audio with 90% accuracy