Workaround Server / Vmware affected with NO Recovery Option and not encrypted:

There are some server where you can’t boot into recovery or safe boot. If the volume is not encrypted you have one way to delete the faulty crowdstrike def file from the disk.

Base article:

19.07.2024 BSOD Blue screen Crowdstrike – www.butsch.ch

https://www.butsch.ch/post/19-07-2024-bsod-blue-screen-crowdstrike/

To move a virtual disk from one server to another in a VMware environment and modify a file on the disk, follow these steps:

1. Detach the Disk Volume:

Power off the impacted virtual server.
Open the VMware vSphere client and navigate to the affected VM.
Select the VM, go to “Edit Settings,” find the disk you want to detach, and remove it. Ensure you do not delete the disk from the datastore, just remove it from the VM configuration.

2. Create a Snapshot or Backup:

Before proceeding, create a snapshot or backup of the disk volume to prevent data loss in case of unintended changes.

3. Attach the Disk to a New Virtual Server:

Navigate to the new virtual server where you want to attach the disk.
In the vSphere client, go to “Edit Settings” for the new VM.
Click “Add” to add a new hard disk and choose “Use an existing virtual disk.”
Browse to the location of the detached disk and add it to the new server’s configuration.

4. Modify the Required File:

Power on the new VM with the attached disk.
Once the VM is running, access the file system of the attached disk.
Navigate to the directory where the required file is located, for example: `C:\Windows\System32\drivers\CrowdStrike`.
Locate and delete the problematic file (e.g., `C-00000291*.sys`).

5. Detach and Reattach the Fixed Volume:

Power off the new VM.
In the vSphere client, remove the disk from the new VM configuration without deleting it from the datastore.
Go back to the original impacted VM and reattach the disk by adding an existing virtual disk and selecting the fixed volume.

6. Power On the Original VM:

Start the original VM and verify that the changes have resolved the issue.

This procedure ensures that the problematic file is removed while keeping data integrity intact. It leverages VMware’s flexibility in handling virtual disks, allowing you to modify the disk contents by temporarily attaching them to another VM

Winload.exe error code 0xc000000e on an Azure VM – Azure | Microsoft Learn

https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/windows/error-code-0xc000000e

Falls “winload.exe boot manager error“

Follow the instructions in the document to run bcdedit repairs on your boot directory. So in our case, that meant the following — replace F: and H: with the appropriate drive letters.

Note that the document says you need to delete your original VM — we found that just swapping out the disk was OK and we did not need to actually delete and recreate anything, but YMMV.

bcdedit /store F:\boot\bcd /set {bootmgr} device partition=F:

bcdedit /store F:\boot\bcd /set {bootmgr} integrityservices enable

bcdedit /store F:\boot\bcd /set {af3872a5-<therestofyourguid>} device partition=H:

bcdedit /store F:\boot\bcd /set {af3872a5-<therestofyourguid>} integrityservices enable

bcdedit /store F:\boot\bcd /set {af3872a5-<therestofyourguid>} recoveryenabled Off

bcdedit /store F:\boot\bcd /set {af3872a5-<therestofyourguid>} osdevice partition=H:

bcdedit /store F:\boot\bcd /set {af3872a5-<therestofyourguid>} bootstatuspolicy IgnoreAllFailures

Also read for AZURE VM:

Attach an unmanaged disk to a VM for offline repair – Azure | Microsoft Learn

https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/windows/unmanaged-disk-offline-repair

Also read for AZURE VM with Bitlocker Disks:

Unlocking an encrypted disk for offline repair – Azure | Microsoft Learn

https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/windows/unlock-encrypted-disk-offline

AWS-specific documentation:

To attach an EBS volume to an instance:

https://docs.aws.amazon.com/ebs/latest/userguide/ebs-attaching-volume.html#:~:text=To%20attach%20an%20EBS%20volume,and%20choose%20Actions%2C%20Attach%20volume

Detach an Amazon EBS volume from an instance:

https://docs.aws.amazon.com/ebs/latest/userguide/ebs-detaching-volume.html

Bitlocker recovery
related KB‘s:

BitLocker recovery in Microsoft Azure: https://www.crowdstrike.com/wp-content/uploads/2024/07/BitLocker-recovery-in-Microsoft-Azure.pdf

BitLocker recovery in Microsoft environments using SCCM: https://www.crowdstrike.com/wp-content/uploads/2024/07/BitLocker-recovery-in-Microsoft-environments-using-SCCM.pdf

BitLocker recovery in Microsoft environments using Active Directory and GPOs: https://www.crowdstrike.com/wp-content/uploads/2024/07/BitLocker-recovery-in-Microsoft-environments-using-Active-Directory-and-GPOs.pdf

BitLocker recovery in Microsoft environments using Ivanti Endpoint Manager: https://www.crowdstrike.com/wp-content/uploads/2024/07/BitLocker-recovery-in-Microsoft-environments-using-Ivanti-Endpoint-Manager.pdf

BitLocker recovery: known issues – Windows Client | Microsoft Learn

https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues

https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues#tablet-devices-dont-support-using-manage-bdeexe–forcerecovery-to-test-recovery-mode

Also we have seen some chater related to AWS EC2 from our cloud native admins:

https://www.redditmedia.com/r/aws/comments/1e6ykzy/how_to_boot_windows_ec2_instance_into_recovery/

Please check and tear together write better a new part esp for EC2: I said to give it a try using EC2Rescue, but it still needs another EC2 instance in the same AWS region so you can mount the volume.

So I’ll go the same path – create a new WIN EC2 instance in the same availability zone, mount the EBS volume, delete the file and then attach the volume to the initial EC2.

I said to give it a try using EC2Rescue, but it still needs another EC2 instance in the same AWS region so you can mount the volume.

So I’ll go the same path – create a new WIN EC2 instance in the same availability zone, mount the EBS volume, delete the file and then attach the volume to the initial EC2.

KEYS: DRIVER_OVERRAN_STACK_BUFFER

Sensor runs on:

64-bit server OSes:
Windows Server 2019
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Windows Server 2008 R2 SP1
Windows Server Core 2019
Windows Server Core 2016
Windows Storage Server 2012 R2
64-bit desktop OSes:
Windows 10 November 2019 Update, also named v1909, or 19H2
Windows 10 May 2019 Update, also named Redstone 6, v1903, or 19H1
Windows 10 October 2018 Update, also named Redstone 5 or v1809
Windows 10 April 2018 Update, also named Redstone 4 or v1803
Windows 10 Fall Creators Update, also named Redstone 3 or v1709
Windows 10 Creators Update, also named Redstone 2 or v1703
Windows 10 Anniversary Update, also named Redstone 1 or v1607
Windows 10
Windows 8.1
Windows 7 SP1
Windows 7 Embedded
32-bit desktop OSes:
Windows 7 SP1
Windows 7 Embedded POSReady

Blue Screen of Death
BSOD
Stop Error
Bug Check
System Crash
Fatal System Error
Kernel Panic
Windows Stop Code
Crash Dump
Memory Dump
Error Screen
Blue Screen Error
System Halt
Critical System Error
Windows Crash
Hardware Failure
Software Failure
Driver Failure
System Fault
Critical Process Died
Inaccessible Boot Device

Falcon Sensor, Bluescreen of Death Vmware workaround if you can’t boot into recovery

Posted by admin on 19.07.2024

Workaround Server / Vmware affected with NO Recovery Option and not encrypted:

Related Post

Server 2019 bug c:\windows\system32\control.exe error

SMB over QUIC a OneDrive, Sharepoint replacement, SRV 2025?

Crowdstrike Falcon Sensor, Azure VM Repair paths


Try our new Certificate Revocation List Check Tool CRLcheck.exe is a tool developed to verify digital signatures of executable files. It collects files from known paths on your client, checks their signature, and checks Certificate Revocation Lists (CRL) and OCSP download. This helps avoid delays in launching files.