Workaround for servers / VMware VMs affected with NO recovery option and not encrypted:
There are some servers where you can’t boot into recovery or safe mode. If the volume is not encrypted, there is one way to delete the faulty CrowdStrike definition file from the disk: attach the disk to another VM.
Base article:
19.07.2024 BSOD Blue screen Crowdstrike – www.butsch.ch
https://www.butsch.ch/post/19-07-2024-bsod-blue-screen-crowdstrike/
To move a virtual disk from one server to another in a VMware environment and modify a file on the disk, follow these steps:
1. Detach the Disk Volume:
- Power off the impacted virtual server.
- Open the VMware vSphere client and navigate to the affected VM.
- Select the VM, go to “Edit Settings,” find the disk you want to detach, and remove it. Ensure you do not delete the disk from the datastore, just remove it from the VM configuration.
2. Create a Snapshot or Backup:
- Before proceeding, create a snapshot or backup of the disk volume to prevent data loss in case of unintended changes.
3. Attach the Disk to a New Virtual Server:
- Navigate to the new virtual server where you want to attach the disk.
- In the vSphere client, go to “Edit Settings” for the new VM.
- Click “Add” to add a new hard disk and choose “Use an existing virtual disk.”
- Browse to the location of the detached disk and add it to the new server’s configuration.
4. Modify the Required File:
- Power on the new VM with the attached disk.
- Once the VM is running, access the file system of the attached disk.
- Navigate to the directory where the required file is located, for example: `C:\Windows\System32\drivers\CrowdStrike`.
- Locate and delete the problematic file (e.g., `C-00000291*.sys`).
5. Detach and Reattach the Fixed Volume:
- Power off the new VM.
- In the vSphere client, remove the disk from the new VM configuration without deleting it from the datastore.
- Go back to the original impacted VM and reattach the disk by adding an existing virtual disk and selecting the fixed volume.
6. Power On the Original VM:
- Start the original VM and verify that the changes have resolved the issue.
This procedure removes the problematic file while keeping the data on the disk intact. It relies on VMware’s flexibility in handling virtual disks: the disk contents are modified by temporarily attaching the disk to another VM.
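The same six steps as a PowerCLI script, added here as an example (this is not code from the original post). VM names, the vCenter name, the snapshot name and the assumption that “Hard disk 1” is the system disk are all placeholders; the snapshot is taken before the detach so that it actually covers the disk being modified.

```powershell
# Added example: automate the detach / attach / delete / reattach procedure with PowerCLI.
# All names below are assumptions, not values from the original article.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter.example.local'     # assumed vCenter

$brokenName = 'srv-bsod-01'    # assumed: VM stuck in the CrowdStrike boot loop
$helperName = 'srv-helper-01'  # assumed: healthy Windows VM in the same cluster
$snapName   = 'pre-crowdstrike-cleanup'

$broken = Get-VM -Name $brokenName
$helper = Get-VM -Name $helperName

# Step 2 first: snapshot while the disk is still attached, otherwise the
# snapshot would not protect the disk we are about to change.
if ($broken.PowerState -ne 'PoweredOff') { Stop-VM -VM $broken -Confirm:$false | Out-Null }
New-Snapshot -VM $broken -Name $snapName -Confirm:$false | Out-Null

# Step 1: detach the system disk, keeping the .vmdk on the datastore.
$disk = Get-HardDisk -VM $broken | Where-Object { $_.Name -eq 'Hard disk 1' }   # assumed system disk
$vmdk = $disk.Filename   # e.g. "[datastore1] srv-bsod-01/srv-bsod-01.vmdk"
Remove-HardDisk -HardDisk $disk -DeletePermanently:$false -Confirm:$false

# Step 3: attach the existing disk to the helper VM and boot it.
New-HardDisk -VM $helper -DiskPath $vmdk | Out-Null
Start-VM -VM $helper | Out-Null
Wait-Tools -VM $helper | Out-Null

# Step 4: inside the helper, bring the foreign disk online (read/write) and delete
# only the C-00000291*.sys channel file named in the article, never on the helper's own C:.
$guestScript = @'
Get-Disk | Where-Object { $_.OperationalStatus -eq 'Offline' } |
  ForEach-Object { $_ | Set-Disk -IsOffline $false; $_ | Set-Disk -IsReadOnly $false }
$dirs = Get-Volume | Where-Object { $_.DriveLetter -and $_.DriveLetter -ne 'C' } |
  ForEach-Object { "$($_.DriveLetter):\Windows\System32\drivers\CrowdStrike" } |
  Where-Object { Test-Path $_ }
foreach ($dir in $dirs) {
  Get-ChildItem -Path $dir -Filter 'C-00000291*.sys' | ForEach-Object {
    Write-Output "Deleting $($_.FullName)"; Remove-Item -Path $_.FullName -Force
  }
}
'@
$cred = Get-Credential -Message 'Local administrator on the helper VM'
Invoke-VMScript -VM $helper -ScriptText $guestScript -GuestCredential $cred

# Step 5: give the cleaned disk back to the original VM (keep the .vmdk again).
Stop-VM -VM $helper -Confirm:$false | Out-Null
$tmp = Get-HardDisk -VM $helper | Where-Object { $_.Filename -eq $vmdk }
Remove-HardDisk -HardDisk $tmp -DeletePermanently:$false -Confirm:$false
New-HardDisk -VM $broken -DiskPath $vmdk | Out-Null

# Step 6: boot the original VM; remove the snapshot only after it boots cleanly.
Start-VM -VM $broken | Out-Null
```

Run the guest part on a helper that has no CrowdStrike channel file of its own to worry about, and check the `Deleting ...` output from Invoke-VMScript before reattaching the disk.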
Winload.exe error code 0xc000000e on an Azure VM – Azure | Microsoft Learn
https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/windows/error-code-0xc000000e
In case of a “winload.exe boot manager error”:
Follow the instructions in the document to run bcdedit repairs on your boot directory. So in our case, that meant the following (replace F: and H: with the appropriate drive letters).
Note that the document says you need to delete your original VM; we found that just swapping out the disk was OK and we did not need to actually delete and recreate anything, but YMMV.
```
bcdedit /store F:\boot\bcd /set {bootmgr} device partition=F:
bcdedit /store F:\boot\bcd /set {bootmgr} integrityservices enable
bcdedit /store F:\boot\bcd /set {af3872a5-<therestofyourguid>} device partition=H:
bcdedit /store F:\boot\bcd /set {af3872a5-<therestofyourguid>} integrityservices enable
bcdedit /store F:\boot\bcd /set {af3872a5-<therestofyourguid>} recoveryenabled Off
bcdedit /store F:\boot\bcd /set {af3872a5-<therestofyourguid>} osdevice partition=H:
bcdedit /store F:\boot\bcd /set {af3872a5-<therestofyourguid>} bootstatuspolicy IgnoreAllFailures
```
Also read for AZURE VM:
Attach an unmanaged disk to a VM for offline repair – Azure | Microsoft Learn
Also read for AZURE VM with Bitlocker Disks:
Unlocking an encrypted disk for offline repair – Azure | Microsoft Learn
AWS-specific documentation:
To attach an EBS volume to an instance:
Detach an Amazon EBS volume from an instance:
https://docs.aws.amazon.com/ebs/latest/userguide/ebs-detaching-volume.html
BitLocker recovery related KBs:
BitLocker recovery in Microsoft Azure: https://www.crowdstrike.com/wp-content/uploads/2024/07/BitLocker-recovery-in-Microsoft-Azure.pdf
BitLocker recovery in Microsoft environments using SCCM: https://www.crowdstrike.com/wp-content/uploads/2024/07/BitLocker-recovery-in-Microsoft-environments-using-SCCM.pdf
BitLocker recovery in Microsoft environments using Active Directory and GPOs: https://www.crowdstrike.com/wp-content/uploads/2024/07/BitLocker-recovery-in-Microsoft-environments-using-Active-Directory-and-GPOs.pdf
BitLocker recovery in Microsoft environments using Ivanti Endpoint Manager: https://www.crowdstrike.com/wp-content/uploads/2024/07/BitLocker-recovery-in-Microsoft-environments-using-Ivanti-Endpoint-Manager.pdf
BitLocker recovery: known issues – Windows Client | Microsoft Learn
We have also seen some chatter related to AWS EC2 from our cloud-native admins:
https://www.redditmedia.com/r/aws/comments/1e6ykzy/how_to_boot_windows_ec2_instance_into_recovery/
To be checked and written up properly as a separate part for EC2. From the thread:
I said to give it a try using EC2Rescue, but it still needs another EC2 instance in the same AWS region so you can mount the volume.
So I’ll go the same path – create a new WIN EC2 instance in the same availability zone, mount the EBS volume, delete the file and then attach the volume to the initial EC2.
Bug check seen: DRIVER_OVERRAN_STACK_BUFFER
Sensor runs on:
- 64-bit server OSes:
  - Windows Server 2019
  - Windows Server 2016
  - Windows Server 2012 R2
  - Windows Server 2012
  - Windows Server 2008 R2 SP1
  - Windows Server Core 2019
  - Windows Server Core 2016
  - Windows Storage Server 2012 R2
- 64-bit desktop OSes:
  - Windows 10 November 2019 Update, also named v1909, or 19H2
  - Windows 10 May 2019 Update, also named Redstone 6, v1903, or 19H1
  - Windows 10 October 2018 Update, also named Redstone 5 or v1809
  - Windows 10 April 2018 Update, also named Redstone 4 or v1803
  - Windows 10 Fall Creators Update, also named Redstone 3 or v1709
  - Windows 10 Creators Update, also named Redstone 2 or v1703
  - Windows 10 Anniversary Update, also named Redstone 1 or v1607
  - Windows 10
  - Windows 8.1
  - Windows 7 SP1
  - Windows 7 Embedded
- 32-bit desktop OSes:
  - Windows 7 SP1
  - Windows 7 Embedded POSReady