New Recovery Tool to help with CrowdStrike issue impacting Windows endpoints

New Recovery Tool to help with CrowdStrike issue impacting Windows endpoints(techcommunity.microsoft.com)

80 points by thejournalizer 1 year ago | 64 comments

etskinner 1 year ago |

Really impressive that they got thru an entire develop, build, approval, and documentation process in just about 2 days. Not that any of those steps are extremely hard for this fix, but I'm always impressed when big corporations can move so fast

nerdjon 1 year ago | |

I sympathize with the engineers, QA, and everyone involved in getting this out.

I have to imagine it was a lot of long hours, and the testing was insane. The last thing I want to do is put this tool out and it somehow messes things up more.

But glad it’s out. Hopefully it helps with the remaining machines and with any that are being problematic.

xinayder 1 year ago | | |

They probably got an exemption to fast track the release because this is a critical issue. I wouldn't expect testing to be so thorough for a release in 2 days. The exemption is more likely.

selykg 1 year ago | | |

I wrote and maintained a tool that was sent to users when something went wrong.

Man was I always afraid and stressed that the tool meant to help users when they were already having a failure was also having a failure.

ffhhj 1 year ago | | |

Surveillance software is top priority of BigCo's nowadays. If they prove to be useful for governments they'll get softer antimonopoly measures.

Kwpolska 1 year ago | |

To be fair, there isn't a whole lot of code there. I wouldn't be surprised if Microsoft had the WinPE generator written already for some other project.

kchr 1 year ago | | |

Yeah, WinPE media tools have been around for years. Here is an article from 2021 (although it has been a thing long before then):

https://learn.microsoft.com/en-us/windows-hardware/manufactu...

Still, customizing the toolchain to fit this particular scenario and making sure it works, in two days, is commendable effort.

beefnugs 1 year ago | |

Actually they may not have a choice, since they have forced people to install their local windows with a Microsoft login, and tying bitlocker to this login, there is probably many situations out there that requires microsoft login supported winPE just to fix this

ssahoo 1 year ago | |

When their bottom line and head is at stake, what were they supposed to do?

Bognar 1 year ago | | |

They could say "third party kernel modules are installed at your own risk" and provide the usual level of business hours support. CrowdStrike fucked up and Microsoft is helping its customers recover from CrowdStrike's fuckup.

phoe-krk 1 year ago | |

> an entire develop, build, approval, and documentation process in just about 2 days

...on a weekend.

mkl95 1 year ago | |

They are not claiming they built it themselves. This kind of tool could easily be an offshore job.

aaomidi 1 year ago | | |

Probably not doing that with this incident. But FBI/NSA is probably involved.

switch007 1 year ago | |

> develop, build, approval, and documentation process

Under the immense pressures, I'm sure one or two of the usual steps were missed or reduced (perhaps this is what you were insinuating?)

gnfargbl 1 year ago |

Given the harm that Crowdstrike caused Microsoft here, it does seem like they missed an opportunity in not calling this tool Blue Falcon.

ComputerGuru 1 year ago |

We released ours the same day as the mass crashes :)

https://x.com/mqudsi/status/1814367837940515098

stackskipton 1 year ago | |

Congrats? Microsoft has higher quality assurance concerns since anything with their name on it means customers will come beating down their door for support if ANYTHING goes wrong even if it's not them.

windexh8er 1 year ago | | |

> Microsoft has higher quality assurance concerns...

No, they don't. This is the same company that has turned the Windows OS into an advertisement platform within the OS [0]. A company that puts buggy telemetry collection over their end users [1]. And a platform that is known to spy on its end users [2]. So, no - Microsoft really doesn't care about its end users with "higher quality assurance concerns". They care about turning a profit.

[0] https://www.theverge.com/2024/4/12/24128640/microsoft-window... [1] https://www.maketecheasier.com/fix-microsoft-compatibility-t... [2] https://www.techradar.com/news/is-windows-11-spying-on-you-n...

dataflow 1 year ago | |

Yours also says nothing about BitLocker...

rdtsc 1 year ago |

It's interesting Microsoft is dealing with this. I wonder how they feel about CS? Can't imagine they are happy with them. So I would guess it's less of "let's work with our friends at CS" and more like "Those $#%!, they made a mess and we're left to clean it up".

I've already heard from multiple non-technical people presenting this as a "Microsoft problem". "Omg, did you hear what Microsoft just did to their customers?". I don't know if CS subtly pulling strings to look less guilty, but probably just happens by simple association "blue screen of death = Windows problem". Can't image Microsoft is too happy to take this kind of a reputational hit.

dbcurtis 1 year ago | |

> but probably just happens by simple association "blue screen of death = Windows problem"

This certainly happens. Before driver signing, an extremely common cause of BSODs was a page fault in the kernel caused by a driver bug that failed to lock down a page during I/O. Only if you had the hex codes of the various exceptions memorized would you be in a position to tell a driver-caused BSOD from some other cause. So.... "it must be Windows again". This was a powerful motivation for MSFT to start a driver validation lab that they forced vendors through.

And then... you have OS/2 -- where they actually used more than two security rings. Kernel in ring 0, user space in ring 3, and drivers in ring 1. Now the kernel can properly blame the driver. But of course, that can't be ported to CPU's with only 2 security levels.

stefan_ 1 year ago | |

Well there is at least one way which they should be dealing with it, which is to immediately revoke the current CrowdStroke kernel driver. Surely that thing can't be kept loaded ready to explode at the next malformed "channel update". God knows the vendor can't be trusted to ensure that.

hedora 1 year ago | |

Yep; was at a restaurant yesterday, and it sounds like they got hit with the CloudStrike Linux outage a month or so ago.

They had no idea the two were probably the same vendor.

augusto-moura 1 year ago | | |

Sorry for the ignorance, but what is this Crowdstrike Linux outage you mention? Couldn't find any easily accessible news on it

NelsonMinar 1 year ago |

This tool requires you physically plug in a UBS device and then touch the keyboard. One at a time. I can imagine it has to be this way but ouch, that is a lot of manual work. At least it's simple enough to train someone to do it.

hedora 1 year ago | |

Now you've got me wondering about the pile of regulatory fail that leads a company to install cloudstrike for endpoint security, but also to ship kiosks with physically accessible, bootable USB ports.

ok123456 1 year ago |

They should add CS Falcon to their malware definitions in Windows Defender. Crowdstrike has proved that its software is indistinguishable from malware.

Also, while they're at it, add Trellex.

qingcharles 1 year ago | |

If you're running CrowdStrike I would think Windows Defender is probably disabled, no?

hedora 1 year ago | | |

They could push a windows update that nukes CrowdStrike and re-enables Windows Defender. I'm pretty sure they've done that sort of thing in the past.

bloopernova 1 year ago |

Did anyone write a script to remove the file directly from VM disks, rather than booting the OS? Or does crowdstrike somehow prevent that solution?

baq 1 year ago | |

I imagine having an unencrypted disk in 2024 can be most charitably called 'an oversight', so there's little point in attempting to deal with them. (Remember we're talking about boxes with crowdstrike installed...)

bloopernova 1 year ago | | |

Ahh, right. You'd need bitlocker keys. Although I wonder if the central key server could be queried to obtain each host's key?

Also makes me wonder about a software configuration management system that operated on disks while the virtual hosts were powered down. With windows it feels like that'd be at least very difficult, but Linux could definitely be managed that way. Like an immutable operating system where changes can only come from the central controller, and the OS itself is written with that in mind. Dunno what benefit that might bring, but it's a fun mental excursion.

hedora 1 year ago | | |

Are there VM platforms that can encrypt disks without giving the host access to the disk? Sure, they could use TPM or something, but that doesn't solve the problem.

Worst case, I imagine you could boot to the bootloader menu, then scrape the unwrapped bitlocker key from RAM.

(I agree that the org that mandated cloudstrike would collectively lay an egg if they realized this was possible.)

jaredhallen 1 year ago |

We were doing something similar with our SCCM boot drives. Boot off the stick, press F8 for cmd prompt, use manage-bde to unlock bitlocker, and delete the files from the cmd prompt.

mikemitchelldev 1 year ago |

Very carefully worded blog post title.

andrewmcwatters 1 year ago |

People have been talking about how this is a CrowdStrike issue, and such on Reddit, etc. But in my opinion, it's appalling that Windows can allow this to happen.

vesinisa 1 year ago | |

CrowdStrike installs as an operating system driver. It becomes essentially a part of the operating system and can do literally anything it wants, and Microsoft can not do much anything about it.

Going forward, I could foresee Microsoft requiring endpoint protection solution providers certify their QA processes to get signing. But staged rollouts and canary builds have already been an industry standard process long before CrowdStrike. There was no way Microsoft could have known that they were dealing with a company so incompetent as CrowdStrike to cause this to happen.