Skip to main content

CrowdStrike Outage: Instructions to Recover Windows Devices

Worldwide outage

Starting at 9:30 p.m. on Thursday, July 18, a faulty update from CrowdStrike (software installed on Windows computers that provides protection against threats, ransomware, and other cyberattacks) led to Windows system crashes worldwide.

CrowdStrike withdrew the update at 10:27 p.m. and many Windows systems should recover on their own as they check in with the CrowdStrike servers. Some systems may be in a state where they crash before they're able to download the updated content, however.

macOS and Linux machines are not affected

If your Windows machine is still working

If your Windows machine is still working, CrowdStrike will pick up the updated file automatically, and you do not need to do anything.

If your Windows machine has crashed

If your Windows machine has crashed, you should attempt to reboot the machine and log in as normal.

If your machine is able to reach the Internet, it will attempt to download a fix from CrowdStrike. If you reboot your Windows machine and it stays online for more than 15 minutes, it has likely downloaded the fix, and you do not need to do anything. You may need to reboot more than once before the system reconnects long enough to download the corrected content from Crowdstrike.

A  self-service process to recover your encryption key is available through MyDevices for managed computers. Refer to the instructions on How to Self-Recover Your Computer Encryption Key.

For IT professionals only

For devices with reliable (preferably wired) network connections, recovery should be possible simply through a small number of reboots. If your machine has crashed and is not recovering after rebooting, you can follow these steps:

  • Boot Windows into Safe Mode or the Windows Recovery Environment

  • Navigate to the C:\Windows\System32\drivers\CrowdStrike directory

  • Locate the files whose names begin with "C-00000291" and delete them.

  • Boot the host normally.

  • Wait a few minutes.  If your system does not crash within a few minutes, then the workaround is successful.

If you still need help

If your system does not recover on its own, please call the UIT Service Desk at 650-725-4357 (5-HELP) and someone will walk you through the process to restore your machine. Please allow sufficient time, as this process may take up to 20 minutes.

Additional guidance from the Information Security Office (ISO)

  • ISO is directing technical engagement in Slack at #iso-crowdstrike channel.
  • Do not uninstall or disable CrowdStrike; adversaries are actively scanning for newly vulnerable systems.
  • Be on the lookout for phishing messages deliberately crafted to take advantage of the global event.

DISCLAIMER: UIT News is accurate on the publication date. We do not update information in past news items. We do make every effort to keep our service information pages up-to-date. Please search our service pages at uit.stanford.edu/search.