The remediation instructions provided by CrowdStrike call for booting affected machines into Safe mode, and deleting certain SYS file(s).
An easier alternative is to create a bootable USB disk (containing WinRE) and use a batch file to simplify the remediation process.
- Create your RecoverAssist USB bootable media (7 minutes)
- Create a batch file on your USB media (1 minute)
- On each affected machine, boot from USB and run the fix.bat (3 minutes)
To create your RecoverAssist bootable USB, you’ll need to download a free trial of BackupAssist (a backup product for Windows machines). However, you do not need to purchase a license, which means you can do this for free.
Important notice
This article is provided for educational purposes only and with no warranties. If you wish to use the methods and batch script in this article, you should take the time to thoroughly understand what it does, how it works, and customize it to your specific needs.
This process also assumes that you possess the appropriate Windows licenses. Licensing is beyond the scope of this article, so seek your own independent advice.
Step 1 – Create your RecoverAssist bootable USB media
You can create a Windows Recovery Environment on a bootable USB disk. On a functioning Windows machine, follow these simple steps. Screenshots are included below to illustrate the process.
- Download a free 30 day trial of BackupAssist Classic from this URL.
- Run the downloaded installer file.
- Follow the prompts in the installer, clicking OK or Next where required. Finish the wizard and run BackupAssist Classic.
- Skip over the onboarding process by clicking OK to clear any message boxes, and click “No thanks – I’d like to take a look around the software first”
- From the main menu, click on “System” and then “Create a recovery media using the installed version of Windows”.
- Click “Next” to skip over the steps, and then click “Removable drive”. (If you need to add drivers or tools to your RecoverAssist disk, follow the prompts.)
- You can create additional USB disks by clicking the checkbox in the final step of the wizard.
Your bootable recovery environment is now ready for use!
Step 2 – Create the "fix.bat" batch file on the USB
Run notepad, copy and paste the following code, and save it to your USB drive as “fix.bat”.
@echo off
setlocal enabledelayedexpansion
rem Loop through all drive letters
for %%D in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    rem Check if the drive exists
    if exist %%D:\ (
        rem Check if any file matching the pattern exists
        if exist "%%D:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys" (
            rem Attempt to delete all matching files
            for %%F in ("%%D:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys") do (
                del /F "%%F" >nul 2>&1
                rem del does not reliably set errorlevel on failure, so confirm the file is gone
                if not exist "%%F" (
                    echo File deleted: %%F
                ) else (
                    echo Error deleting file: %%F
                )
            )
        )
    )
)
endlocal
If you created multiple USB disks, then save the file to all your disks.
This batch file will search all drives on your system for the particular faulty SYS files, and delete them. It does not check whether the SYS file is the faulty version or not – it assumes that you will only run this remediation on systems that have the BSOD problem.
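Because fix.bat does not check which version of the file it removes, a variant that keeps a record can be useful. The following is an added example, not part of the original article: it logs each matching file's path, timestamp and size and copies the file to the USB before deleting it. The script name fix-logged.bat, the cs-backup folder, the cs-fix.log file and the machine-label argument are assumptions.

```bat
@echo off
rem Added example, not the article's script. Usage: fix-logged.bat MACHINE-LABEL
rem Assumptions: the script runs from the writable USB drive; the names
rem fix-logged.bat, cs-backup and cs-fix.log are hypothetical.
setlocal
set "LABEL=%~1"
if not defined LABEL set "LABEL=unlabelled"
set "PATTERN=Windows\System32\drivers\CrowdStrike\C-00000291*.sys"
set "BACKUP=%~dp0cs-backup\%LABEL%"
set "LOG=%~dp0cs-fix.log"
set FOUND=0

rem Same drive scan and file pattern as fix.bat
for %%D in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if exist "%%D:\%PATTERN%" (
        for %%F in ("%%D:\%PATTERN%") do call :handle "%%F" %%D
    )
)
if %FOUND%==0 echo No matching files found on any readable volume.
endlocal
exit /b 0

:handle
rem Argument 1 is the full path of a matching file, argument 2 its drive letter
set FOUND=1
if not exist "%BACKUP%\%2" mkdir "%BACKUP%\%2"
rem Record the file's timestamp and size before it is touched
>>"%LOG%" echo %DATE% %TIME% [%LABEL%] %~1 modified=%~t1 size=%~z1
copy /Y "%~1" "%BACKUP%\%2" >nul
if errorlevel 1 (
    echo Backup failed, file left in place: %~1
    >>"%LOG%" echo   backup failed, file not deleted
    goto :eof
)
del /F "%~1" >nul 2>&1
rem del does not reliably report failure, so test for the file directly
if exist "%~1" (
    echo Error deleting file: %~1
    >>"%LOG%" echo   delete failed
) else (
    echo File deleted: %~1
    >>"%LOG%" echo   deleted, copy kept under %BACKUP%\%2
)
goto :eof
```

The machine label is passed by hand because the computer name reported inside WinRE is not the name of the installed system.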
Step 3 – On each affected machine, boot from USB and run fix.bat
On each affected machine:
- Boot from USB. RecoverAssist will boot – and may take a minute or two as it detects your devices.
- When the main menu appears, click on “Launch a command prompt window”
- In the command prompt, run “fix.bat” – if any SYS files were deleted, they will be listed in the output of the batch file.
- Reboot the machine.
Conclusion
You can use the trial version of BackupAssist to create yourself a bootable recovery environment from Windows.
The batch file shown on this page will search for and delete the particular SYS file that CrowdStrike specify as causing the problem.
Following this process for repetitive remediations will likely save you time and simplify the process.