@whichbuffer
Last active August 28, 2024 09:26
Automated CrowdStrike BSOD Workaround in Safe Mode using Group Policy

Automated Workaround in Safe Mode using Group Policy

You can set up a GPO to run a script during Safe Mode. Here’s how you can do this:

  1. Create the PowerShell Script

    Create a PowerShell script that deletes the problematic CrowdStrike driver file causing BSODs and handles the Safe Mode boot and revert:

    # CrowdStrikeFix.ps1
    # Runs as a Startup script while the machine is in Safe Mode: deletes the
    # faulty CrowdStrike channel file (C-00000291*.sys) that causes the BSOD and
    # then clears the safeboot flag so the next reboot is a normal one.
    
    # The channel files live in the CrowdStrike subfolder of the drivers directory.
    $filePath = Join-Path $env:SystemRoot "System32\drivers\CrowdStrike\C-00000291*.sys"
    $files = Get-ChildItem -Path $filePath -ErrorAction SilentlyContinue
    $failed = 0
    
    foreach ($file in $files) {
        try {
            # -ErrorAction Stop turns a non-terminating error into one the catch block sees
            Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
            Write-Output "Deleted: $($file.FullName)"
        } catch {
            $failed++
            Write-Output "Failed to delete: $($file.FullName) - $($_.Exception.Message)"
        }
    }
    
    # Revert Safe Mode boot after the fix. {current} is quoted because PowerShell
    # otherwise parses the braces as a script block and bcdedit receives a
    # mangled argument ("bad parameters").
    if ($failed -eq 0) {
        bcdedit /deletevalue "{current}" safeboot
        if ($LASTEXITCODE -ne 0) { Write-Output "bcdedit failed with exit code $LASTEXITCODE" }
    } else {
        Write-Output "Leaving Safe Mode flag in place: $failed file(s) could not be deleted"
    }
    
    
  2. Create a GPO for Safe Mode

    • Open the Group Policy Management Console (GPMC).
    • Right-click on the appropriate Organizational Unit (OU) and select Create a GPO in this domain, and Link it here....
    • Name the GPO, for example, CrowdStrike Fix Safe Mode.
  3. Edit the GPO

    • Right-click the new GPO and select Edit.
    • Navigate to Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup/Shutdown).
    • Double-click Startup, then click Add.
    • In the Script Name field, browse to the location where you saved CrowdStrikeFix.ps1 and select it.
    • Click OK to close all dialog boxes.
  4. Force Safe Mode Boot Using a Script

    Create another PowerShell script to force Safe Mode boot and link it to a GPO for immediate application:

    # ForceSafeMode.ps1
    # Sets the safeboot flag on the current boot entry and reboots.
    # {current} is quoted so PowerShell passes the braces through to bcdedit.
    bcdedit /set "{current}" safeboot minimal
    if ($LASTEXITCODE -eq 0) {
        Restart-Computer -Force
    } else {
        Write-Output "bcdedit failed with exit code $LASTEXITCODE; not rebooting"
    }
    
    
  5. Create a GPO to Apply the Safe Mode Script

    • Open the Group Policy Management Console (GPMC).
    • Right-click on the appropriate Organizational Unit (OU) and select Create a GPO in this domain, and Link it here....
    • Name the GPO, for example, Force Safe Mode.
    • Right-click the new GPO and select Edit.
    • Navigate to Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup/Shutdown).
    • Double-click Startup, then click Add.
    • In the Script Name field, browse to the location where you saved ForceSafeMode.ps1 and select it.
    • Click OK to close all dialog boxes.
  6. Apply the GPOs

    • Make sure the Force Safe Mode GPO is applied to the affected computers first.
    • The computer will boot into Safe Mode and execute the CrowdStrikeFix.ps1 script.
    • Once the issue is fixed, the script will revert the boot settings to normal mode.
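As an added example (not part of the original gist), the two scripts above can be merged into one idempotent Startup script that decides what to do from the machine's current state: if it booted normally and the channel file is present it sets the Safe Mode flag and reboots; if it is in Safe Mode it removes the file and clears the flag only when removal succeeded; otherwise it does nothing. Every bcdedit call is logged with its exit code and output, so a failure such as the BCD store not opening shows up in the log instead of being silently ignored. Assumptions: it runs as SYSTEM from a GPO Startup script, Safe Mode is detected via the SAFEBOOT_OPTION environment variable with a Win32_ComputerSystem fallback, and the log path under $env:SystemRoot\Temp is chosen for this example.

```powershell
# Remediate-ChannelFile.ps1 (added example; not the gist author's code)
# One idempotent Startup script replacing CrowdStrikeFix.ps1 + ForceSafeMode.ps1.
# Assumption: runs as SYSTEM via a GPO Startup script. Log path is an example value.

$ChannelFileGlob = Join-Path $env:SystemRoot 'System32\drivers\CrowdStrike\C-00000291*.sys'
$LogPath         = Join-Path $env:SystemRoot 'Temp\CrowdStrikeFix.log'

function Write-Log {
    param([string]$Message)
    $line = "{0:s} {1}" -f (Get-Date), $Message
    Add-Content -LiteralPath $LogPath -Value $line
    Write-Output $line
}

function Test-SafeMode {
    # SAFEBOOT_OPTION exists only when Windows booted into Safe Mode
    # ("Minimal" or "Network"); fall back to WMI/CIM if it is not set.
    if ($env:SAFEBOOT_OPTION) { return $true }
    $state = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
    return ($state -like 'Fail-safe*')
}

function Invoke-Bcdedit {
    # Runs bcdedit with the arguments passed through verbatim (the array keeps
    # "{current}" intact) and logs exit code plus combined stdout/stderr.
    param([string[]]$Arguments)
    $out  = & bcdedit.exe @Arguments 2>&1
    $code = $LASTEXITCODE
    Write-Log ("bcdedit {0} -> exit {1}: {2}" -f ($Arguments -join ' '), $code, ($out -join ' '))
    return $code
}

function Remove-ChannelFile {
    # Deletes every matching channel file; returns $true when none remain.
    $files = Get-ChildItem -Path $ChannelFileGlob -File -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        try {
            Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
            Write-Log "Deleted $($f.FullName)"
        } catch {
            Write-Log "Could not delete $($f.FullName): $($_.Exception.Message)"
        }
    }
    return (-not (Test-Path -Path $ChannelFileGlob))
}

# --- main flow ---
$inSafeMode  = Test-SafeMode
$filePresent = [bool](Test-Path -Path $ChannelFileGlob)
Write-Log "SafeMode=$inSafeMode ChannelFilePresent=$filePresent"

if (-not $inSafeMode -and $filePresent) {
    # Normal boot with the bad file still there: arrange a Safe Mode boot.
    if ((Invoke-Bcdedit @('/set', '{current}', 'safeboot', 'minimal')) -eq 0) {
        Restart-Computer -Force
    }
}
elseif ($inSafeMode) {
    # In Safe Mode: remove the file, then clear the flag only if removal succeeded,
    # so a machine never returns to a normal boot with the faulty file in place.
    if (Remove-ChannelFile) {
        if ((Invoke-Bcdedit @('/deletevalue', '{current}', 'safeboot')) -eq 0) {
            Restart-Computer -Force
        }
    } else {
        Write-Log 'Channel file still present; leaving Safe Mode flag set'
    }
}
else {
    Write-Log 'Nothing to do: normal boot and no channel file found'
}
```

Linking this single script as the Startup script of one GPO replaces the two-GPO ordering in steps 5 and 6; reading the log afterwards tells you for each machine whether the file was found, whether it was deleted, and what bcdedit returned.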
@percu

percu commented Jul 20, 2024

@Inoriol

Inoriol commented Jul 20, 2024

Just use Linux nerds <3

Well...
https://access.redhat.com/solutions/7068083

@Grime121

Grime121 commented Jul 20, 2024

Didn’t work for me. Computers reboot too quickly for the GPO/script to run. Also, I had to change the “bcdedit” lines to use Start-Process. Running them directly from PowerShell resulted in not all the arguments getting passed to it (bcdedit failed with “bad parameters” error).

@Grime121

Grime121 commented Jul 20, 2024

Didn’t work for me. Computers reboot too quickly for the GPO/script to run. Also, I had to change the “bcdedit” lines to use Start-Process. Running them directly from PowerShell resulted in not all the arguments getting passed to it (bcdedit failed with “bad parameters” error).

Actually, it's not that the system crashes before the script can run. It's that the boot config simply cannot be modified by a startup script. I even tried using Start-Process to call bcdedit, and specifying credentials rather than using the local system account permissions. It simply will not work. I was finally able to get the error that it is throwing when the script runs at startup. It is:

The boot configuration data store could not be opened.
A required privilege is not held by the client.

I don't know of any way to get around this. This simply won't work as a startup script. In fact, even the command to delete the file doesn’t seem to work when you manually boot the computer to safe mode w/ networking. I tried a startup script that had a single line in it (the Remove-Item line), applied it to computers that I manually rebooted into safe mode, and it was unable to delete the file.

At this point, we are pretty much stuck with booting from WinPE images to delete the file. We’re having to walk users through this process on 7k+ systems, not including the 1k servers that we have already remediated. CrowdStrike should die a very slow and painful death for this…..
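For the WinPE route the comment above describes, here is an added example (not from the gist or the commenter) of an offline removal script. It assumes a WinPE image that includes the PowerShell optional component, locates every volume holding an offline Windows installation by content rather than assuming C: (drive letters in WinPE usually differ from the installed OS), records the size and SHA-256 of each file before deleting it so the action is auditable, and writes a CSV report to the WinPE RAM drive. The report path on X: is an example value.

```powershell
# Remove-ChannelFileOffline.ps1 (added example; not from the gist or its comments)
# Run from a WinPE shell that has the PowerShell optional component.

function Find-OfflineWindowsRoots {
    # Return every volume that contains an offline Windows installation,
    # identified by the presence of the SYSTEM registry hive.
    $roots = @()
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $root = $drive.Root
        # Skip the WinPE RAM drive itself (normally X:), which also has a SYSTEM hive.
        if ($root -eq "$env:SystemDrive\") { continue }
        if (Test-Path -LiteralPath (Join-Path $root 'Windows\System32\config\SYSTEM')) {
            $roots += $root
        }
    }
    return $roots
}

function Remove-ChannelFileOffline {
    # Delete C-00000291*.sys from the CrowdStrike driver folder of one offline
    # installation and return a record per file for the report.
    param([string]$WindowsRoot)
    $glob = Join-Path $WindowsRoot 'Windows\System32\drivers\CrowdStrike\C-00000291*.sys'
    $removed = @()
    foreach ($f in Get-ChildItem -Path $glob -File -ErrorAction SilentlyContinue) {
        # Capture size and hash before deletion so the change is auditable afterwards.
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        Remove-Item -LiteralPath $f.FullName -Force
        $removed += [pscustomobject]@{
            Path   = $f.FullName
            Length = $f.Length
            SHA256 = $hash
        }
    }
    return $removed
}

$report = foreach ($root in Find-OfflineWindowsRoots) {
    Remove-ChannelFileOffline -WindowsRoot $root
}

if ($report) {
    $report | Format-Table -AutoSize
    # Example report path on the WinPE RAM drive; adjust to removable media if needed.
    $report | Export-Csv -LiteralPath 'X:\channelfile-removal.csv' -NoTypeInformation
} else {
    Write-Output 'No channel file found on any offline Windows volume'
}
```

A volume protected by BitLocker has to be unlocked (manage-bde -unlock with the recovery key) before it appears as a filesystem drive; until then Find-OfflineWindowsRoots will not see it, which is the expected behaviour rather than an error.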
