timnott-it

You have found your next IT professional

Tag: Web Security

Automating CrowdStrike Driver Fix

July 19, 2024 /

It’s a big one

In a global outage that is about as big as they come CrowdStrike made an update that has incapacitated Windows systems around the world. Individually the fix is not so taxing but in an enterprise with 1000s of endpoints down and a handful of IT workers to fix them it’s a mammoth task.

The Fix

  • Boot Windows into Safe Mode or the Windows Recovery Environment.
    • Restart and press F8 repeatedly (May be F4 or F5).
  • Navigate to the C:\Windows\System32\drivers\CrowdStrike directory.
    • Similar to normal Windows file exploring.
  • Locate the file matching “C-00000291*.sys” and delete it.
    • Make sure you find the right one.
  • Reboot the host normally.

Why that file?

Deleting that specific CrowdStrike driver file likely fixes the BSOD because:

  • The file may be corrupted or incompatible with the current system configuration.
  • It could be conflicting with other drivers or system components.
  • Removing it allows Windows to use a default or fallback driver instead.
  • The BSOD was potentially caused by an issue within that particular CrowdStrike driver file.

Solution for Automating This?

I came across a post on the r/CrowdStrike thread for this problem. It claims to have an automated solution to this problem for enterprise environments.

  • Create a modified WinPE image
  • Add command to startnet.cmd in WinPE image:
    • del C:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys
  • Exit.
  • Set up PXE server with modified WinPE image.
  • Configure affected systems to boot from network.
  • Systems boot from PXE server.
  • WinPE environment loads on target systems.
  • startnet.cmd executes, deleting problematic driver.
  • Systems automatically reboot.
  • Normal boot process resumes without CrowdStrike issue.

WinPE

A modified WinPE (Windows Preinstallation Environment) image is a customized version of Microsoft’s lightweight operating system used for deployment, recovery, and troubleshooting. It’s tailored to include specific drivers, tools, or scripts to meet particular needs. Modified WinPE images are often used by IT professionals for tasks like system deployment or data recovery.

PXE Server

A PXE (Preboot Execution Environment) server allows network-based booting and installation of operating systems on client computers. It provides boot images and configuration files over the network, enabling diskless workstations or computers without local boot media to start up and install an OS remotely. PXE servers are commonly used in large-scale deployments and network management.

Intel i350 T4
Using Storage Sense

Website Under Attack!

June 29, 2022 / / 0 Comments

The website is under attack.

This is clearly the reality of the internet. Many random attempts at gaining access into any web server that is available/insecure/badly configured. As far as I can tell so far none of these attempts has actually succeeded.

First response I had was to limit the Login Attempts to 1 allowed try and 24 hours until reset. This worked well but actually restricted me from getting in a couple of times. I ended up with these settings to restrict the attack as much as possible without making it a pain if I got the password wrong.

I have always used a strong password to protect the site and even though this seems like a lot of attacks it would take centuries, maybe even millennia to luck upon the right password that these bot-nets are guessing.

To make it effectively impossible for these particular attacks to gain access I have added a plugin called WordFence to add Multi-Factor Authentication to the mix.

On top of this looking in the WPScan plug in it is telling me that the XML-RPC is enabled and this will significantly increase your site’s attack surface which means there are many more points of entry that the attackers can use to attempt access to the site.

The WPScan blog has a good post on this https://blog.wpscan.com/is-wordpress-xmlrpc-a-security-problem/

Unfortunately it’s not a simple fix especially if you want to fully shut it down which many of the usual plug-ins won’t do.

For now the plan is to find one of these plug-ins to close it down as much as possible until I can figure out how to fully disable XML-RPC.

Update 11/07/22

After a couple of efforts at inserting code to disable XML-RPC I have gone with the XML-RPC Security plug-in as a quick fix. Let’s see how the failed attempts fare after this.

Now the WPS Scan is clear.

Final Update 14/07/22

So the XML-RPC disable plug in has fixed the problem. Reducing the size of the attack surface available to web has made all the difference.

© 2025 timnott-it

Theme by Anders NorénUp ↑