Republic of the Philippines
CYBERCRIME INVESTIGATION AND COORDINATING CENTER
Quezon City (CICC) and Taguig City (National Cybercrime Hub)
www.cicc.gov.ph
PUBLIC ADVISORY
DATE : July 19, 2024
SUBJECT : Windows Systems Simultaneously Suffered from a “Blue Screen of
Death” (BSOD) Issue Due to an Update Bug
DETAILS :
On July 19, 2024, many Windows users experienced a critical issue where their
devices displayed a blue screen error, leading to repeated unsuccessful startup attempts.
This disruption was caused by a problem with CrowdStrike's EDR Falcon Sensor software,
resulting in widespread crashes of Microsoft Windows systems.
Endpoint Detection and Response (EDR) is a cybersecurity product that companies
install on their clients' computers to protect against attacks. This software runs in the
background on clients' machines, monitoring for signs of attacks on their networks.
The issue arose following a recent update to CrowdStrike's Falcon Sensor, causing
Windows PCs to encounter the "Blue Screen of Death" (BSOD). This screen indicates a
serious problem that forces the system to restart abruptly, potentially leading to data loss.
This issue affected a wide range of industries globally, including airlines, banks,
supermarkets, and media companies. Major US airlines such as American Airlines, Delta
Air Lines, and United Airlines were unable to conduct flights due to communication difficulties.
Similarly, businesses in Australia, India, and other nations reported being unable to access
their computers or workstations.
RECOMMENDED ACTIONS:
Government agencies and the public are advised to take the following actions:
a) For affected users, perform the following steps:
- Boot Windows into Safe Mode or the Windows Recovery Environment.
- Navigate to the C:\Windows\System32\drivers\CrowdStrike directory.
- Locate the file matching “C-00000291*.sys”, and delete it.
- Boot the host normally.
However, according to CrowdStrike, for those using virtual servers, the following steps must
be taken:
- Detach the operating system disk volume from the impacted virtual server.
- Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes.
- Attach/mount the volume to a new virtual server.
- Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
- Locate the file matching “C-00000291*.sys”, and delete it.
- Detach the volume from the new virtual server.
- Reattach the fixed volume to the impacted virtual server.
b) To mitigate the risk of further complications, it's crucial to immediately disconnect affected
devices from the main network.
c) Furthermore, users are strongly advised against forcing their laptops to shut down,
hibernate, or restart, as these actions could result in irreversible data loss.
d) On the other hand, according to CrowdStrike, Windows hosts which have not been
impacted do not require any action as the problematic channel file has been reverted.
CrowdStrike has deployed a new content update that resolves the previously erroneous
update and subsequent host issues. As devices receive this update, they may need to reboot
for the changes to take effect and for the blue screen (BSOD) issues to be resolved.
Taking these actions is critical to avoid worsening the situation and to ensure the affected
devices can be safely restored.
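The file-removal step from item (a) for a disk volume attached to a new virtual server, written as a PowerShell function. This is an added example, not part of the advisory and not CrowdStrike's tooling. The function name Remove-FaultyChannelFile and the E:\Windows path are assumptions; use the drive letter the attached volume actually received, and take the snapshot first.

```powershell
# Added example. Run on the new (recovery) virtual server after the impacted
# volume is attached and a snapshot or backup of it exists.
function Remove-FaultyChannelFile {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Windows directory on the attached volume, e.g. 'E:\Windows'
        # (assumed drive letter; on the host itself this is %WINDIR%).
        [Parameter(Mandatory = $true)]
        [string]$WindowsRoot
    )

    $dir = Join-Path -Path $WindowsRoot -ChildPath 'System32\drivers\CrowdStrike'
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        throw "CrowdStrike driver directory not found: $dir"
    }

    # Match only the pattern named in the advisory; leave every other file alone.
    $targets = @(Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File -Force)
    if ($targets.Count -eq 0) {
        Write-Verbose "No file matching C-00000291*.sys in $dir"
        return
    }

    foreach ($file in $targets) {
        # Record size, timestamp and hash before deletion for the incident log.
        $record = [pscustomobject]@{
            Path         = $file.FullName
            Length       = $file.Length
            LastWriteUtc = $file.LastWriteTimeUtc
            Sha256       = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            Removed      = $false
        }
        if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete channel file')) {
            Remove-Item -LiteralPath $file.FullName -Force
            $record.Removed = -not (Test-Path -LiteralPath $file.FullName)
        }
        $record   # one object per matching file, whether or not it was removed
    }
}

# Dry run first (nothing is deleted), then the real deletion:
# Remove-FaultyChannelFile -WindowsRoot 'E:\Windows' -WhatIf
# Remove-FaultyChannelFile -WindowsRoot 'E:\Windows' -Confirm:$false
```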