inquiry@windesk.au
Send an Inquiry
- Need Help? Request A Callback
- Working Hours: 9:00 AM – 5:00 PM. Mon-Fri
- Serving Reservoir and Mebourne's northern suburbs
Possible fixes for the Crowdstrike issue:
Crowdstrike has provided a fix that involves deleting any file in program directory starting with name 00000291 with .sys extension.
File/s to be deleted: 00000291*.sys
Location: C:\windows\system32\drivers\crowdstrike
It will be a challenge for IT teams to make this change of the computer is in location or if there are a large number of systems to make this change to.
If PC is booted into safe mode with networking option selected, the PC will connect to the internet and get the update from Crowdstrike which will update the problematic file.
If it doesn't update automatically, then a user will need to login and delete the file manually.
Another option is to restore the system to a system restore point. System restore will bring Crowdstrike software to an earlier working version.
For this, system restore should have been enabled already.
If Bitlocker is enabled then bitlocker key will be required to do a system restore.
Powershell method for remotely managed computers:
Powershell can be used to remotely delete the offending file if PC can gain network connectivity through safe mode.
Although we don't have the completed script, the commnds involved will be takeown to take ownership of the file and then run Remove-Item on the file to remove it.
Any such script should be thoroughly tested.