Remove Those C-00000291*.sys CrowdStrike Files, Bring Windows Back to Life

(Revised and Updated: July 22, 2024)

If your office or facility is still affected by the CrowdStrike update from July 19, 2024, take these steps to remove any offending CrowdStrike files matching this pattern – C-00000291*.sys.


From Microsoft Support > KB5042421: CrowdStrike issue impacting Windows endpoints causing an 0x50 or 0x7E error message on a blue screen:

https://support.microsoft.com/en-us/topic/b1c700e0-7317-4e95-aeee-5d67dd35b92f

From CrowdStrike > REMEDIATION AND GUIDANCE HUB: FALCON CONTENT UPDATE FOR WINDOWS HOSTS:

https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/

Also, Microsoft released a recovery tool to automate those remediation steps:

Microsoft Support > ***KB5042429: New recovery tool to help with CrowdStrike issue impacting Windows devices:

https://support.microsoft.com/en-us/topic/new-recovery-tool-to-help-with-crowdstrike-issue-impacting-windows-endpoints-d3928eaa-160c-4b19-ae64-930e2fa68194https://lnkd.in/eVv38Jpd


Finally, even though the official recovery tool is available, you might prefer this PowerShell script from Chris Davis (https://lnkd.in/eVNcUsZa):

https://www.linkedin.com/pulse/crowdstrike-windows-blue-screen-fix-chris-davis-4lruc/

Chris is the first person I noticed who published the timestamp difference between the bad versus the good files all the way back on July 19, so it’s worth giving him a high five. 🙌🏽

ShareOpenly