Blue Screen Error Occurs After Updating CrowdStrike

Summary: This article references a recent CrowdStrike update which causes issues such as Blue Screen errors, and provides workarounds and solutions as available.

Article Content


Symptoms

Affected Products:

  • CrowdStrike

Note: Statement from CrowdStrike: Statement on Falcon Content Update for Windows Hosts.

Users may encounter a blue screen error after updating CrowdStrike.

The error message reads:

Stop Code:Page_fault_in_nonpaged_area
What failed: csagent.sys
Note: Channel file C-00000291*.sys (CrowdStrike driver file) with a timestamp of 0527 UTC or later is the reverted (good) version.

Figure: Blue screen after updating CrowdStrike

Cause

The cause is under investigation by CrowdStrike. Contact CrowdStrike for details: https://www.crowdstrike.com/contact-us/

Resolution

This article is updated as more information becomes available.

Workaround:

A restart of the computer can allow it to download a functional channel file.

If the blue screen error occurs after a restart, follow these steps as a workaround:

  1. Boot the computer to Safe Mode. For information about booting to Safe Mode, reference the Dell knowledge base article How to Boot into Safe Mode in Windows 11 or Windows 10.
  2. Go to the CrowdStrike directory. Open File Explorer by clicking the folder icon in the Taskbar, or click Start, search for File Explorer, and select the File Explorer application. Then do one of the following:
    • Paste the path C:\Windows\System32\drivers\CrowdStrike into the Address Bar at the top of File Explorer and press Enter.
    • Go to the CrowdStrike folder following these steps:
      1. Click the Start Menu
      2. Click the File Explorer application
      3. Click the C:\ drive
      4. Click the Windows folder
      5. Click the System32 folder
      6. Click the drivers folder
      7. Click the CrowdStrike folder
  3. Delete the file matching C-00000291*.sys.
  4. Boot to Windows.
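
The workaround above combined with the note on channel-file timestamps, as an added PowerShell example (not Dell's or CrowdStrike's own script): it reports every C-00000291*.sys file and, only when -Delete is given, removes those written before the cutoff. It assumes the "timestamp" in the note is the file's last-write time and that 0527 UTC refers to 19 Jul 2024; the parameter names are hypothetical.

```powershell
# Added example, not vendor code. Run from an elevated prompt in Safe Mode.
# Assumption: "0527 UTC" refers to 19 Jul 2024 and to the file's last-write time.
param(
    [string]$Directory = 'C:\Windows\System32\drivers\CrowdStrike',
    [datetime]$GoodFromUtc = [datetime]::new(2024, 7, 19, 5, 27, 0, [System.DateTimeKind]::Utc),
    [switch]$Delete   # without this switch the script only reports
)

# Stop immediately if the directory is missing or unreadable.
$files = Get-ChildItem -LiteralPath $Directory -Filter 'C-00000291*.sys' -File -ErrorAction Stop

if (-not $files) {
    Write-Output "No C-00000291*.sys files found in $Directory"
    return
}

foreach ($file in $files) {
    # Files written at or after the cutoff are the reverted (good) version.
    $isReverted = $file.LastWriteTimeUtc -ge $GoodFromUtc

    # Emit one record per file so the result can be reviewed or logged.
    [pscustomobject]@{
        Name             = $file.Name
        LastWriteTimeUtc = $file.LastWriteTimeUtc.ToString('u')
        Status           = if ($isReverted) { 'reverted (good), kept' } else { 'before cutoff, remove' }
    }

    # Only files older than the cutoff are deleted, and only on request.
    if ($Delete -and -not $isReverted) {
        Remove-Item -LiteralPath $file.FullName -Force
    }
}
```

Run it once without -Delete to review the listing, then again with -Delete before booting to Windows.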

Identifying Affected Machines:

Note: The following is for CrowdStrike IT admins. Reach out to your IT department to see if your computer is impacted.

Query to identify impacted hosts using Advanced event search (within the CrowdStrike application):

}
| default(value="0", field=[CSUcounter, SHBcounter])
// Make sure both ConfigState update and SensorHeartbeat have happened
| selfJoinFilter(field=[cid, aid, ComputerName], where=[{ConfigStateUpdate}, {SensorHeartbeat}])
// Aggregate results
| groupBy([cid, aid], function=([{selectFromMax(field="@timestamp", include=[CFVersion])}, {selectFromMax(field="@timestamp", include=[@timestamp]) | rename(field="@timestamp", as="LastSeen")}, max(CSUcounter, as=CSUcounter), max(SHBcounter, as=SHBcounter)]), limit=max)
// Perform check on selfJoinFilter
| CFVersion=* LastSeen=*
// Calculate time between last seen and now
| LastSeenDelta:=now()-LastSeen
// Optional threshold; 3600000 is one hour
| LastSeenDelta>3600000
// Calculate duration between last seen and now
| LastSeenDelta:=formatDuration("LastSeenDelta", precision=2)
// Convert LastSeen time to human-readable format
| LastSeen:=formatTime(format="%F %T", field="LastSeen")
// Enrich aggregation with aid_master details
| aid=~match(file="aid_master_main.csv", column=[aid])
| aid=~match(file="aid_master_details.csv", column=[aid], include=[FalconGroupingTags, SensorGroupingTags])
// Convert FirstSeen time to human-readable format
| FirstSeen:=formatTime(format="%F %T", field="FirstSeen")

// Move ProductType to human-readable format and add formatting
| $falcon/helper:enrich(field=ProductType)
| drop([Time])
| default(value="-", field=[MachineDomain, OU, SiteName, FalconGroupingTags, SensorGroupingTags], replaceEmpty=true)
| case{
    CSUcounter=0 AND SHBcounter=0 | Details:="OK: Endpoint did not receive channel file during impacted window. Endpoint was offline.";
    CSUcounter=0 AND SHBcounter=1 | Details:="OK: Endpoint did not receive channel file during impacted window. Endpoint was online.";
    CSUcounter=1 AND SHBcounter=1 | Details:="CHECK: Endpoint received channel file during impacted window. Endpoint was online. Endpoint has not been seen online in past hour.";

Article Properties


Affected Product

CrowdStrike

Last Published Date

19 Jul 2024

Version

2

Article Type

Solution