CrowdStrike Windows Outage

Last updated: April 1, 2025

Target Audience

Undergraduate
Graduate

Keywords

CrowdStrike
Patch management
Privileged mode vulnerability
Dynamic updates v.s. Phased rollouts

Introduction

Overview

On July 19, 2024, millions of Windows users encountered the dreaded 'blue screen of death.' A bug within the Falcon application of cybersecurity technology company, CrowdStrike, was causing the Windows operating system to crash. What followed was 8.5 million crashed Windows installations on critical architecture for hospitals, airlines, banks, and an estimated loss of $5.4 billion for industries worldwide. Standing as the largest IT outage in history, the CrowdStrike incident highlights an evergrowing need for companies to build greater failover mechanisms, incident responses, and crisis managment frameworks.

Learning Objectives

Describe the CrowdStrike Outage in 2024
Explain the potential vulnerabilities of a privileged mode application
Describe what Dynamic Updates and Phased Rollouts are, and the benefits of each

Download

Module Questions

What are Dynamic Updates? What is Phased Rollout?Software updates that can occur without needing to stop or restart a system/application. A strategy for deploying software updates gradually to subsets of users or systems over time.

What caused the BSOD (Blue Screen Of Death) to occur?After a faulty software update, the Falcon driver (which runs in kernel mode) crashed which caused the Windows system to crash and display a BSOD

How was the outage fixed?Devices that were unable to safetly boot had to follow 4 main steps. 1. Boot Windos into Safe Mode or WRE, 2. Navigate to C:\Windows\System32\drivers\CrowdStrike\, 3. Delete files matching 'C-00000291*.sys', and 4. Reboot the system like normal

What is the difference between Privileged Mode and Non-Privileged Mode applications?A Privileged Mode application has full access of system resources, can execute any CPU instruction, and access any memory address, whilst a Non-Privileged Mode application has restricted access to system resources and must use system calls or the operating systems APIs' to request services or interact with hardware.

What are the potential vulnerabilities of a Privileged Mode application?