Servers down after CrowdStrike update — How it happened and how to fix

News
By last updated

An update to CrowdStrike Falcon has caused servers to BSOD

Racks of servers inside a data center.
(Image credit: Future)

If you're managing servers you may need to cancel your weekend plans as a CrowdStrike update has caused servers to BSOD / boot loop

The incident does not appear to be a security incident or cyberattack, and only affects Windows hosts, with CrowdStrike saying Linux and Mac are not affected. 

The issue was first reported 19:00 UTC on July 18 and was acknowledged by CrowdStrike in the early hours of July 19.

Reader offer: Get up to 60% on VPS hosting with Hostinger

Reader offer: Get up to 60% on VPS hosting with Hostinger

Enjoy a host of benefits with Hostinger's plans - dedicated IP shields from DDoS attacks, automated backups for easy restores, ensuring uninterrupted gaming regardless of your configuration. Level up your gaming journey with Hostinger today.

Preferred partner (What does this mean?) 

View Deal

"CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts," CrowdStrike CEO George Kurtz wrote on Twitter/X.

"This is not a security incident or cyberattack," he added, "the issue has been identified, isolated and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website."

CrowdStrike Message

(Image credit: CrowdStrike)

The good news is that a fix has already been found. The bad news is that as servers are not booting it is likely many will require manual intervention. CrowdStrike gave the following instructions on how to fix the issue.

  1. Boot Windows into Safe Mode or the Windows Recovery Environment
  2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
  3. Locate the file matching C-00000291*.sys* and delete it
  4. Boot the host normally

Microsoft later issued further advice:

  1. We recommend customers that are able to, to restore from a backup from before 19:00 UTC on the 18th of July
  2. Alternatively, attempt to repair the OS disk offline.
  3. Attach a disk to VM for offline repair (Encrypted disks may need further instructions)
  4. Once the disk is attached delete the  Windows/System/System32/Drivers/CrowdStrike/C00000291*.sys file
  5. We can confirm the affected update has been pulled by CrowdStrike. Customers that are continuing to experience issues should reach out to CrowdStrike for additional assistance.

Who is affected by the CloudStrike update?

The CrowdStrike update has affected Windows devices and Virtual Machines running Windows Client and Windows Servers running the CrowdStrike Falcon agent. Personal PCs running Windows are not affected.

It's not yet known exactly how many machines have been affected but it's already had a large impact on the globe especially in Europe with Visa, Amazon, and Microsoft all reporting issues. There have also been reports of airlines and hospitals having issues. We won't know the full extent of the impact until later in the day.

How to fix the CrowdStrike issue?

Essentially, you need to delete the file matching C-00000291*.sys

You can do that by

1. Boot Windows into Safe Mode or the Windows Recovery Environment
2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
3. Locate the file matching C-00000291*.sys and delete it

or

You may need to manually remove /update the OS disk

What is CrowdStrike?

CrowdStrike is a cybersecurity company behind software used by some of the largest companies and institutions around the world, including hospitals, airports, banks, and many businesses listed in the Fortune 500.

You might also like

James Capell
James Capell
B2B Editor, Web Hosting

James is a tech journalist covering interconnectivity and digital infrastructure as the web hosting editor at TechRadar Pro. James stays up to date with the latest web and internet trends by attending data center summits, WordPress conferences, and mingling with software and web developers. At TechRadar Pro, James is responsible for ensuring web hosting pages are as relevant and as helpful to readers as possible and is also looking for the best deals and coupon codes for web hosting.

Read more
Crowdstrike logo
CrowdStrike claws back market value after triggering largest IT outage in history
Internet outage
Nearly all companies expect a major outage in 2025
A Windows 11 laptop sitting on a desk in front of a window
Microsoft warns its January Windows updates may fail if this Citrix software is installed
A hand laying out a password
Microsoft fixes concerning issue with its Entra ID authentication tool
Twitter social media application change logo to X. Elon Musk CEO of twitter rebranded Twitter to 'X'. Social media application technology concept.
X is back – here's what we know about the 'massive cyberattack' that caused Twitter to go down multiple times
Flag of the People's Republic of China overlaid with a technological network of wires and circuits.
One of the biggest flaws exploited by Salt Typhoon hackers has had a patch available for years
Latest in Website Hosting
Dark web scanning on a laptop
Hostinger integrates dark web scanning into hPanel
WordPress
WordPress Foundation bid for greater trademark control halted, adding to more legal setbacks for CEO Matt Mullenweg
The PebbleHost website.
PebbleHost review
An image of the Cloudways Copilot logo
AI managed web hosting: I spoke to Cloudways about its new tool and the benefits artificial intelligence brings to servers
SPanel
As cPanel increases prices SPanel's improved compatibility could shake up the web hosting world order
Web hosting logos next to a Cyber Monday image
Best Cyber Monday VPS deals: I'm a hosting expert and these are the top offers you will see all year
Latest in News
Google Gemini Robotics
Gemini just got physical and you should prepare for a robot revolution
Lilo & Stitch Official Trailer
Stitch crashes into earth and steals our hearts with the first trailer for the live-action Lilo & Stitch
GTA 5
GTA Online publisher Take-Two is gunning for a black market that’s basically heaven for cheaters
Y2K cast looking shocked
Y2K has a streaming release date on Max, so you can witness the technology uprising at home
The Discovery+ homepage
Discovery+ just got a big update to its streaming app that makes it more like Max – here are 5 great new features to try
Two Android phones on a green and blue background showing Google Messages
Struggling with slow Google Messages photo transfers? Google says new update will make 'noticeable difference'
More about website hosting
Dark web scanning on a laptop

Hostinger integrates dark web scanning into hPanel
The PebbleHost website.

PebbleHost review
Google Gemini Robotics

Gemini just got physical and you should prepare for a robot revolution
See more latest
Most Popular
Google Gemini Robotics
Gemini just got physical and you should prepare for a robot revolution
Mac Studio on a desk
I compared Apple's Mac Studio M3 Ultra with 10 Windows workstations and I am truly shocked by what I found
Lilo & Stitch Official Trailer
Stitch crashes into earth and steals our hearts with the first trailer for the live-action Lilo & Stitch
Y2K cast looking shocked
Y2K has a streaming release date on Max, so you can witness the technology uprising at home
China
Chinese hackers targeting Juniper Networks routers, so patch now
GTA 5
GTA Online publisher Take-Two is gunning for a black market that’s basically heaven for cheaters
Bolt Zeus 2c26-032 PCIe card
This GPU vendor I've never heard of claims its card is 10x faster than an Nvidia RTX 5090 at real time path tracing
Google Meet create custom backgrounds
More AI features are coming to Google Workspace
A mockup of the possible Apple M3 Ultra logo
Performance isn't the only reason you should buy Apple's M3 Ultra Mac Studio - it's reportedly one of the most power-efficient processors too
The Discovery+ homepage
Discovery+ just got a big update to its streaming app that makes it more like Max – here are 5 great new features to try