I have created a PowerShell script for the CrowdStrike issue for some automation purposes. You can create a WinPE ISO file to boot into and remediate the CrowdStrike issue.
1. Boot into WinPE
2. Delete Problematic File: In startnet.cmd, add:

       del C:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys
       exit

3. Reboot: The system should boot normally.
The script:
This script is designed for use in an on-premises VMware environment. It automates the process of mounting an ISO file to a list of virtual machines (VMs) specified in a text file. The script performs the following steps:
1. Input File: Reads a list of VMs from a specified text file.
2. ISO File Path: Requires the user to specify the local path of the ISO file in the $isoFile variable.
3. vCenter Connection: Connects to the vCenter server using provided credentials.
4. ISO Upload: Uploads the ISO file to the datastore with the most free space, using the first VM from the list to determine the appropriate datastore.
5. VM Processing: For each VM in the list:
   - Maps the ISO file to the VM.
   - Powers off the VM.
   - Modifies the boot order to boot from the ISO file.
   - Powers on the VM and waits for 60 seconds to allow for any necessary modifications (e.g., updating the CrowdStrike folder).
   - Powers off the VM again and unmounts the ISO file.
   - Resets the boot order to boot from the Windows OS disk.
   - Powers on the VM.
6. vCenter Disconnection: Disconnects from the vCenter server.
This script ensures that the specified VMs are updated with the ISO file and then returned to their original boot configuration.
Test before using; don’t repeat CrowdStrike’s mistakes. Modify for your own needs.
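A sketch of the per-VM loop described in step 5, written with VMware PowerCLI. This is an added example, not the script from the post. It assumes the ISO has already been uploaded to a datastore (step 4 is left out) and that the first hard disk is the Windows OS disk; the server name, file paths and the `Set-VMBootOrder` helper are placeholders introduced here.

```powershell
# Added example: assumes VMware PowerCLI is installed. Server name, file paths
# and the datastore ISO path below are placeholders, not values from the post.
$vCenter = 'vcenter.example.local'            # placeholder
$vmList  = 'C:\temp\vms.txt'                  # one VM name per line (placeholder)
$isoPath = '[datastore1] iso/winpe-fix.iso'   # ISO already uploaded (placeholder)

Connect-VIServer -Server $vCenter -Credential (Get-Credential) | Out-Null

# Hypothetical helper: applies a boot order through the vSphere API object.
function Set-VMBootOrder {
    param($VM, [VMware.Vim.VirtualMachineBootOptionsBootableDevice[]]$Order)
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.BootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
    $spec.BootOptions.BootOrder = $Order
    $VM.ExtensionData.ReconfigVM($spec)
}

foreach ($name in (Get-Content $vmList | Where-Object { $_.Trim() })) {
    $vm = Get-VM -Name $name.Trim() -ErrorAction Stop
    $cd = Get-CDDrive -VM $vm | Select-Object -First 1
    if (-not $cd) { Write-Warning "$name has no CD drive, skipped"; continue }
    $disk = Get-HardDisk -VM $vm | Select-Object -First 1   # assumed OS disk

    if ($vm.PowerState -ne 'PoweredOff') { Stop-VM -VM $vm -Confirm:$false | Out-Null }
    Set-CDDrive -CD $cd -IsoPath $isoPath -StartConnected $true -Confirm:$false | Out-Null
    try {
        # Boot from CD-ROM first so WinPE runs startnet.cmd
        Set-VMBootOrder $vm @(New-Object VMware.Vim.VirtualMachineBootOptionsBootableCdromDevice)
        Start-VM -VM $vm | Out-Null
        Start-Sleep -Seconds 60
        Stop-VM -VM $vm -Confirm:$false | Out-Null
    }
    finally {
        # Always detach the ISO and restore disk boot, even if a step failed
        Set-CDDrive -CD (Get-CDDrive -VM $vm | Select-Object -First 1) -NoMedia -Confirm:$false | Out-Null
        $bootDisk = New-Object VMware.Vim.VirtualMachineBootOptionsBootableDiskDevice
        $bootDisk.DeviceKey = $disk.ExtensionData.Key
        Set-VMBootOrder $vm @($bootDisk)
    }
    Start-VM -VM $vm | Out-Null
}

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

The `finally` block restores the disk boot order and removes the ISO even when a step in the middle throws, so a failed run does not leave a VM set to boot WinPE on every restart.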