Windows systems administrators often encounter situations where manual intervention is required to resolve specific issues or clean up outdated files. Recently, the CrowdStrike issue brought this to light, where remediation (aside from rebooting over and over) involved deleting a specific CrowdStrike driver file from your system. The file had a pattern C-00000291*.sys and was located in the C:\Windows\System32\drivers\CrowdStrike directory. Based on guidance from CrowdStrike’s Falcon Content Update Remediation and Guidance Hub, I wrote a sample PowerShell script you can use to accomplish this task. Here’s a step-by-step guide on how I did it.

Prerequisites

Ensure that you have administrative privileges on your system, as these are required to delete files from the System32 directory.

Step-by-Step Guide

  1. Open PowerShell with Administrative Privileges

    The first step is to open PowerShell with administrative privileges to ensure you have the necessary permissions. Here’s how:

    • Press Windows + X and select Windows PowerShell (Admin) from the menu.
    • Confirm any prompts by clicking Yes.
  2. Navigate to the Target Directory

    Next, navigate to the directory where the target file is located. Use the following PowerShell command to change the directory:

    $directory = "C:\Windows\System32\drivers\CrowdStrike"
    Set-Location -Path $directory
    

    This command sets the current directory to C:\Windows\System32\drivers\CrowdStrike.

  3. Locate and Delete the File

    Now that you are in the correct directory, locate the file that matches the pattern C-00000291*.sys and delete it. Here’s the PowerShell command to do this:

    $filePattern = "C-00000291*.sys"
    Get-ChildItem -Path $directory -Filter $filePattern | Remove-Item -Force
    

    Here’s a breakdown of what this command does:

    • $filePattern = "C-00000291*.sys": Defines the pattern of the file you are looking for.
    • Get-ChildItem -Path $directory -Filter $filePattern: Searches for the file in the specified directory.
    • Remove-Item -Force: Deletes the found file(s) without prompting for confirmation.
  4. Confirm Deletion

    To confirm that the file has been deleted, run the following command to check if any files matching the pattern still exist:

    Get-ChildItem -Path $directory -Filter $filePattern
    

    If the file has been successfully deleted, this command should return no results.

Complete Script

For convenience, here is the full script that combines all the steps:

# Navigate to the specified directory
$directory = "C:\Windows\System32\drivers\CrowdStrike"
Set-Location -Path $directory

# Locate the file matching the pattern and delete it
$filePattern = "C-00000291*.sys"
Get-ChildItem -Path $directory -Filter $filePattern | Remove-Item -Force

# Confirm deletion
Get-ChildItem -Path $directory -Filter $filePattern

Challenges with this Method

Of course, while the outage was occurring most systems were crashing with a Blue Screen of Death (BSOD). Many systems were not up long enough for you to log in and delete the file. The right solution in the CrowdStrike issue varies from letting the system reboot to try and remediate itself, to editing the files from another healthy system. The specific solution you rely on in the future may be unique to your workload and scenario. The best preparation is to know this could happen again, and have tools in place to help you get this sort of task done. Of course, remediation at scale is important, and a good topic for a future post.
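To cover the "edit the files from another healthy system" case above, here is an added example (my own illustration, not part of the CrowdStrike guidance) that wraps steps 2 through 4 in a function: it takes the root of the affected system drive (the local C:\ or a drive attached to a healthy host), backs up each matching file before removing it, and honours -WhatIf so you can preview the deletion. The function name and the backup location under $env:TEMP are assumptions.

```powershell
# Added example: the remediation as a reusable function with backup and -WhatIf.
# Assumptions: function name and the $BackupRoot default are mine, not CrowdStrike's.
function Remove-CrowdStrikeChannelFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # "C:\" for the local system, or e.g. "E:\" for a drive mounted on a healthy host.
        [string]$DriveRoot   = "C:\",
        [string]$FilePattern = "C-00000291*.sys",
        [string]$BackupRoot  = (Join-Path $env:TEMP "CrowdStrikeBackup")
    )

    $directory = Join-Path $DriveRoot "Windows\System32\drivers\CrowdStrike"
    if (-not (Test-Path -Path $directory -PathType Container)) {
        throw "Directory not found: $directory"
    }

    # Only files matching the exact channel-file pattern are considered; -File skips folders.
    $found = @(Get-ChildItem -Path $directory -Filter $FilePattern -File)
    if ($found.Count -eq 0) {
        Write-Host "No files matching $FilePattern in $directory"
        return 0
    }

    if (-not (Test-Path -Path $BackupRoot)) {
        New-Item -Path $BackupRoot -ItemType Directory | Out-Null
    }

    foreach ($file in $found) {
        # ShouldProcess returns $false under -WhatIf, so nothing is copied or removed.
        if ($PSCmdlet.ShouldProcess($file.FullName, "Remove")) {
            # Keep a copy so the change can be reversed if needed.
            Copy-Item -Path $file.FullName -Destination $BackupRoot -Force
            Remove-Item -Path $file.FullName -Force
            Write-Host "Removed $($file.FullName) (backup in $BackupRoot)"
        }
    }

    # Step 4: return how many matching files remain; 0 confirms the deletion.
    return @(Get-ChildItem -Path $directory -Filter $FilePattern -File).Count
}

# Preview on the local system first, then run for real (requires an elevated prompt).
Remove-CrowdStrikeChannelFile -WhatIf
# Remove-CrowdStrikeChannelFile -DriveRoot "E:\"   # affected disk attached to a healthy host
```

Run it from an elevated PowerShell session as in step 1; the returned count of 0 is the same confirmation as step 4.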

Conclusion

Using PowerShell to manage and delete files in critical system directories is a powerful and efficient method for system administrators. The steps outlined in this guide should help you safely and effectively delete the specified CrowdStrike file. As always, ensure you understand the implications of deleting system files and, if possible, take necessary backups before performing such actions.

For more detailed guidance, you can refer to the CrowdStrike Falcon Content Update Remediation and Guidance Hub or reach out for support if needed.


Emmanuel Tsouris is a Systems Development Manager working in the cloud, with extensive experience in cloud platforms, enterprise management, and automation. In his spare time, he enjoys hiking, biking, cooking, photography, and writing. For more insights and tips, visit emmanueltsouris.com.