Global BSOD

Ok gurus, please help!

I'm sure I should be getting a Bit locker screen when I hit "Command Prompt" but it's taking me straight to DOS. How can I access the OS drive from the command prompt?
 
Just an observation but it is kind of interesting from a historical change point of view how much mission critical and core infrastructure is now on Windows based servers if today is anything to go by. Go back 15+ years ago in the SME space at least, Windows was very much the tertiary part of a companies infrastructure with a Sun (Oracle)/RS/AIX/HPUX etc. backend doing the heavy lifting in the main (and on prem). Of course really back in the day it'd be a VME/VMS and dumb terminals, but I digress (and also feel quite old ;) ).

I know Red Hat (and it's successor flavours) and Ubuntu etc are a thing in Enterprise (my own company has a ton of them for different hardened tasks) but I guess I'm just surprised how many large/multinational companies are now Windows reliant.
 
Last edited:
Nasher said:
Given the way this software works and what it does, governments should not be using it. It would not comply with security requirements (not in the UK at least). Of course some will probably just do it anyway without checking..
Click to expand...
I heard government just use whatsapp, the CIA can probably read every message every MP ever sent as plain text.

America probably has it's own little blackbook just like the political parties do to blackmail their members into pushing the party line.

weirdly blackmail is illegal in any other business setting
 
Last edited:
SupraWez said:
And only MS if running CrowdStrike.
Click to expand...
No. Microsoft Windows is not the only OS running CrowdStrike. Actually all three Windows, MacOS and Linux hosts are running CrowdStrike.


CrowdStrike pushed out bug ridden single content update for Windows hosts first that caused BSOD, they probably pulled back bug ridden single content update for MacOS and Linux after CrowdStrike software engineers saw what they had done witnessed Windows global IT meltdown.
 
Last edited:
Amusing that it's cyber security software at fault.
They get away with anything In the name of cyber these days and they have so much overreach it's astounding.
These companies come in and put the fear into execs and anyone else that will listen to get sales.

Did more damage than hacker groups could dream of, well done
 
AthlonXP1800 said:
CrowdStrike pushed out bug ridden single content update for Windows hosts first that caused BSOD, they probably pulled back bug ridden single content update for MacOS and Linux after CrowdStrike software engineers saw what they had done witnessed Windows global IT meltdown.
Click to expand...
A good use case for why backups are critical on that rare occassion they are needed
 
AthlonXP1800 said:
CrowdStrike pushed out bug ridden single content update for Windows hosts first that caused BSOD, they probably pulled back bug ridden single content update for MacOS and Linux after CrowdStrike software engineers saw what they had done witnessed Windows global IT meltdown.
Click to expand...

The part that was causing the issues was a channel device driver. Linux and OSX don't have these, so your last point is incorrect.
 
Last edited:
Crowdstrike can set N-1 or N-2 policy settings for groups of devices to avoid update issues. It might be bypassed due to this being classed as a channel update, although I am not sure. Either way, it's not a good look and expect some legal implications for them outside the stock price hit.
 
arknor said:
I heard government just use whatsapp, the CIA can probably read every message every MP ever sent as plain text.

America probably has it's own little blackbook just like the political parties do to blackmail their members into pushing the party line.

weirdly blackmail is illegal in any other business setting
Click to expand...

Not supposed to for official use. There are known backdoors in to it despite what Zuckerberg claims.
 
413x said:
Yeah this is looking like a good entry point have to say.
Click to expand...
I've held CRWD for a while now. PE aside, I still think it has legs - least until the demands for compensation roll in.

I dumped a chunk of money at opening. I've had a torrid couple of weeks shares-wise so it was a bit of rage punt "Have it all! I don't care anymore" :D
 
Mercurial said:
Just an observation but it is kind of interesting from a historical change point of view how much mission critical and core infrastructure is now on Windows based servers if today is anything to go by. Go back 15+ years ago in the SME space at least, Windows was very much the tertiary part of a companies infrastructure with a Sun (Oracle)/RS/AIX/HPUX etc. backend doing the heavy lifting in the main (and on prem). Of course really back in the day it'd be a VME/VMS and dumb terminals, but I digress (and also feel quite old ;) ).
Click to expand...
Partially explained by the introduction of server core, which is now the default version.
 
Mercurial said:
Just an observation but it is kind of interesting from a historical change point of view how much mission critical and core infrastructure is now on Windows based servers if today is anything to go by. Go back 15+ years ago in the SME space at least, Windows was very much the tertiary part of a companies infrastructure with a Sun (Oracle)/RS/AIX/HPUX etc. backend doing the heavy lifting in the main (and on prem). Of course really back in the day it'd be a VME/VMS and dumb terminals, but I digress (and also feel quite old ;) ).

I know Red Hat (and it's successor flavours) and Ubuntu etc are a thing in Enterprise (my own company has a ton of them for different hardened tasks) but I guess I'm just surprised how many large/multinational companies are now Windows reliant.
Click to expand...
Even with the brunt of the work being done by real servers (tm), there is so much ancillary stuff being done by Windows now - think AD, DNS, DHCP... Even though your database is humming along happily thinking it's having a nice day off, your app servers can't establish connections to it because there's no DNS resolution...
 
Sinbad2000 said:
Even with the brunt of the work being done by real servers (tm), there is so much ancillary stuff being done by Windows now - think AD, DNS, DHCP... Even though your database is humming along happily thinking it's having a nice day off, your app servers can't establish connections to it because there's no DNS resolution...
Click to expand...
Very true, I've been involved with a few ransomware incidents and as you say the actual real servers(tm) :) have been unaffected, just the rest of the infrastructure has been compromised and laid to waste.
 
I gather this hit around the middle of Friday afternoon in Australia! Ooof. RIP weekends for sys admins having to deal with this lol.

There are some people that have to deal with thousands of machines with this problem. The main reason this is so huge is:

1: There is no remote fix
2: Manual fixes are hampered by not being able to boot into safe mode easily on client machines, since these days most are protected with bitlocker
3: A lot of bitlocker keys are hosted..... you guessed it..... on servers with this same problem.

This has been confirmed as not a hack/security issue, but an internal issue by Crowdstrike making a bad update. The problem is that antivirus software typically is on auto update for clients to get things delivered fast, to prevent a time gap between exploits being able to be used on unprotected systems.
It is likely that no one individual can be blamed for this such as the dev that coded it, or the person that approved it etc. Deployment methods for even small companies will have processes in place to test things before being promoted to Prod. Usually multiple lower environments. There has obviously been a failing here of some sort. Either that test coverage did not capture this scenario somehow, or test environments were either by choice or by accident, bypassed.

On the other hand, I wonder if they have any Russian employees that work on the code. ;)
 
Mercurial said:
Very true, I've been involved with a few ransomware incidents and as you say the actual real servers(tm) :) have been unaffected, just the rest of the infrastructure has been compromised and laid to waste.
Click to expand...
And the ******* thing about all this is that the advent of automation means smaller and smaller IT teams are looking after bigger and bigger estates.... then suddenly along comes something where the fix cannot be automated ....
 
AthlonXP1800 said:
No. Microsoft Windows is not the only OS running CrowdStrike. Actually all three Windows, MacOS and Linux hosts are running CrowdStrike.


CrowdStrike pushed out bug ridden single content update for Windows hosts first that caused BSOD, they probably pulled back bug ridden single content update for MacOS and Linux after CrowdStrike software engineers saw what they had done witnessed Windows global IT meltdown.
Click to expand...

I didnt say microsoft was the only one running crowdstrike, I said windows with crowdstrike, its the combo thats the issue :)
 
Dirk Diggler said:
Ok gurus, please help!

I'm sure I should be getting a Bit locker screen when I hit "Command Prompt" but it's taking me straight to DOS. How can I access the OS drive from the command prompt?
Click to expand...

You should be straight onto the OS drive, if not try a few drive letters till you find the directory.

Depending on the build of the machine, if its been upgraded etc, you can try the following

c:\windows\system32\drivers\crowdstrike
d:\windows\system32\drivers\crowdstrike

even had one machine where it was on x:, no idea how that was built :D :-

x:\windows\system32\drivers\crowdstrike

Then once in there you can delete the file causing the issue :-

dir C-00000291*.sys
del C-00000291*.sys
 
You must log in or register to reply here.
Back
Top Bottom