Dubbed the “digital pandemic” by some, a CrowdStrike bug triggered the infamous Blue Screen of Death (BSoD) on millions of systems worldwide. The impact was widespread, hitting airlines, banks, emergency services, and TV stations.

Despite the situation, it’s important to clarify that Microsoft is not to blame. The culprit here is a faulty driver update pushed out by cybersecurity company CrowdStrike, which caused PCs everywhere to crash. While CrowdStrike is at fault, Microsoft has been proactive, rolling out tools to help fix the affected systems.

Last week, Microsoft released a USB Recovery Tool to tackle the CrowdStrike bug.

This tool aims to speed up the repair process, allowing IT admins to restore PCs to a pre-bug state. It offers two recovery options: WinPE and safe mode. Microsoft recommends using WinPE, though there are scenarios where the safe mode option is more appropriate, particularly if BitLocker is enabled.

The recovery key isn’t available (admin rights are needed).

A new Tech Community post from Microsoft details these options and their respective pros and cons:

Recover from WinPE (Recommended)

• Quickly and directly recovers systems.
• Does not require local admin privileges.
• Manually entering the BitLocker recovery key may be required if BitLocker is enabled.
• For third-party disk encryption, refer to vendor guidelines for recovering the drive so that the remediation script can run from WinPE.

Recover from Safe Mode

• It may allow recovery on BitLocker-enabled devices without entering recovery keys.
• Requires access to an account with local administrator rights.
• Suitable for devices using TPM-only protectors, unencrypted devices, or where the BitLocker recovery key is unknown.
• If using TPM+PIN BitLocker protectors, the user must enter the PIN or use the recovery key.
• If BitLocker is not enabled, just sign in with an admin account.
• For third-party disk encryption, consult vendors to recover the drive for the remediation script to run.

Microsoft also notes that while the USB tool is preferred, some devices can’t use USB connections. In such cases, a Preboot Execution Environment (PXE) option or reimaging the device might be necessary.

We’ll update our guide on fixing the CrowdStrike Blue Screen error on Windows 11 soon, incorporating these new methods. You can also check out Microsoft’s detailed breakdown of the process.

What is the CrowdStrike Outage?

Chances are, you’ve been impacted by the CrowdStrike outage somehow.

A vast number of companies and organizations have experienced PC crashes, and repairs are still ongoing. Even if you weren’t directly affected, the incident has been a hot topic outside tech circles.

Over the weekend, I overheard people at American football practices discussing the “Microsoft outage.” Friends and colleagues have reported similar conversations in hospitals, restaurants, and casual settings.

CrowdStrike is a cybersecurity company specializing in Internet security. Their Falcon platform provides real-time attack indicators and helps security experts protect systems. Unfortunately, a buggy update to the Falcon Sensor app wreaked havoc, affecting many organizations.

The fallout grounded planes, forcing some airports to issue handwritten boarding passes. Banks, emergency services, and millions of PCs were hit hard.

While some viewed the downtime as a welcome break, the CrowdStrike outage caused significant disruption across multiple industries. Ironically, CrowdStrike’s stock plummeted, but many could not capitalize on the dip due to the bug affecting trading services.

Although a fix is now available, the repercussions of the CrowdStrike outage will be felt for a while as IT admins work tirelessly to recover and repair affected systems.

Interestingly, the company did not turn to another update to fix this problem.

Instead, it made use of a whole different solution.

In an advisory published on April 29, Redmond confirmed that File Explorer, Start Menu, and Task Manager were all impacted by screen flickering. The company also confirmed that a previous cumulative update shipped to Windows 11 was to blame for the whole fiasco.

As explained:

“After installing KB5012643, devices starting in Safe Mode might show a flickering screen. Components that rely on Explorer.exe, such as File Explorer, Start Menu, and Taskbar, can be affected and appear unstable. Devices experiencing this issue can log a System error on the Windows Event Log, with Source “Winlogon” and the following description: “The shell stopped unexpectedly and explorer.exe was restarted.”

Sounds serious.

According to the company’s information, this error affected only Windows 11 21H2. Users of other versions of the operating system need not worry.

Microsoft used a KIR to implement the fix for this problem:

“This issue is resolved using Known Issue Rollback (KIR). Please note that it might take up to 24 hours for the resolution to propagate automatically to consumer devices and non-managed business devices. Restarting your device might help the resolution apply to your device faster. Enterprise-managed devices that have installed an affected update and encountered this issue can resolve it by installing and configuring the special Group Policy listed below.”

No input is required on the user side, as the fix is implemented via the Known Issue Rollback system that the software titan has been using for quite some time now.

Full instructions on how to configure a special Group Policy to resolve the glitch are available here.

Another day, another piece of Windows 10 that is broken. We are fast becoming accustomed to these problems with Windows 10 and this latest threat, found by a team of researchers, is particularly vicious.

It’s no secret to anyone that the latest Windows 10 updates have been somewhat controversial. While they provide patches to kill off bugs from previous updates, it seems that all they do is create even more issues and now we have a brand-new problem – updates filled with fake ransomware.

The researchers who identified the latest bug work for Sophos Labs, one of the top security software companies. They have been constantly monitoring several Windows 10 ransomware threats that target a Safe Mode vulnerability.

They first identified it in mid-October and the malware, named Snatch, forces a computer to reboot to Safe Mode – here, most security software and many other vital programs are disabled.   Sophos says, “Snatch can run on most common versions of Windows, from 7 through 10, in 32- and 64-bit versions. The malware we’ve observed isn’t capable of running on platforms other than Windows. Snatch can run on most common versions of Windows, from 7 through 10, in 32- and 64-bit versions.”

Once a device has been successfully penetrated by the ransomware, a Bitcoin ransom demand will follow. According to the researcher’s report, at least 12 demands were made between July and October 2019, with the ransoms valued between $2,900 and $51,000 in Bitcoin.

How to Avoid Getting Caught

First, Sophos is recommending that organizations don’t use remote desktop access if they don’t have the proper protections in place. If needs be a VPN should be used to provide protection to the network.  And it goes without saying that MFA (multi-factor authentication) should be in place too.

As always, common sense goes an awfully long way – avoiding dodgy websites, links in emails, downloading unknown files and so on. Most of the time, your antivirus software will kick up an alert, sometimes even a browser will, but you shouldn’t rely on those to save you.

The same commonsense approach applies to consumer users too.