Build bootable images to remediate Windows hosts impacted by the recent Falcon Content Update.
Release 1.2
- OPTIONAL - Automated BitLocker Recovery Key support via CSV file
- CSPERecovery image now supports multiple drives and automated drive selection
- Quality and reliability improvements
- Automated builds of bootable Windows PE images with CrowdStrike recovery tools
- Device driver options: default, minimal, limited and custom (user defined)
- OPTIONAL: BitLocker Recovery Keys support via CSV file
Two bootable images are available - use the image that best suits your needs.
CSSafeBoot
- Automated host remediation using Safe Mode with Networking
- Manual host remediation using Safe Mode with Networking
CSPERecovery
- Automated host remediation with prompt for manual entry of BitLocker Recovery Key
- Automated host remediation with automated entry of BitLocker Recovery Key
Use this project to build bootable Windows PE images using the latest Microsoft ADK and Windows PE add-ons and drivers.
Requirements
- A Windows 10 (or higher) 64-bit client with at least 8GB of free space, and administrative privileges.
Builds bootable images with device drivers from all of the following: Red Hat/Virtio, Dell, HP, VMware and Microsoft Surface (Models: Pro 8, 9, 10, Laptop 4 (Intel/AMD), 5, 6).
NOTE: the build may take upwards of 30 minutes depending on network and disk performance
- Download the falcon-windows-host-recovery GitHub project as a ZIP file.
- Click the green Code button and select Download ZIP
- Extract the falcon-windows-host-recovery-main.zip file contents to a directory of your choosing
- Example: C:\falcon-windows-host-recovery
- IMPORTANT: the path cannot contain spaces or special characters
- Open a Windows PowerShell command prompt (as Administrator) and run script to build ISO images
cd C:\falcon-windows-host-recovery
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process
.\BuildISO.ps1
- the script downloads device drivers and creates the ISO images
- Build output ISO images
C:\falcon-windows-host-recovery\CSPERecovery_x64.iso
C:\falcon-windows-host-recovery\CSSafeBoot_x64.iso
Builds bootable images with the default WinPE drivers and your preferred device drivers.
- Open a Windows PowerShell command prompt (as Administrator)
- Change into your extracted file directory
cd C:\falcon-windows-host-recovery
- Custom drivers - download and unpack device drivers of your choosing into
C:\falcon-windows-host-recovery\Drivers
- NOTE: drivers in this folder will always be installed, regardless of command-line arguments.
- Command-line arguments for the BuildISO.ps1 script
- Optional drivers - include one or more driver sets (any combination supported)
-IncludeDellDrivers
-IncludeHPDrivers
-IncludeSurfaceDrivers
-IncludeVMwareDrivers
- Minimal drivers - skip all included driver sets (NOTE: overrides any -Include* args)
-SkipThirdPartyDriverDownloads
- Create bootable ISO images
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process
.\BuildISO.ps1 -<Command-line Arguments>
- Build output ISO images
C:\falcon-windows-host-recovery\CSPERecovery_x64.iso
C:\falcon-windows-host-recovery\CSSafeBoot_x64.iso
Builds bootable images with your BitLocker Recovery Keys embedded in the CSPERecovery image.
WARNING: BitLocker Recovery Keys should be rotated after host remediation
BitLocker Keys via CSV - example of your Recovery Keys in a CSV file:
- IMPORTANT: column headers KeyID and RecoveryKey are required and case sensitive

| KeyID | RecoveryKey |
|---|---|
| 3ca7495e-4252-432b-baf1-SAMPLE | 001317-088010-034473-667247-160608-471717-100894-INVALID |
| 92e89e08-ad6e-4a98-e584-SAMPLE | 509542-050497-158529-325316-496853-372340-593355-INVALID |
| 72E460C8-4FE8-4249-99CF-SAMPLE | 529408-021370-702581-530739-028721-610907-461582-INVALID |
- Open a Windows PowerShell command prompt (as Administrator)
- Change into your extracted file directory
cd C:\falcon-windows-host-recovery
- BitLocker Recovery Keys - provide keys via a CSV file named BitLockerKeys.csv in the extracted directory
C:\falcon-windows-host-recovery\BitLockerKeys.csv
- IMPORTANT: safe handling and destruction of BitLocker Recovery Keys is required (see the handling and destruction guidance below)
- Create bootable images
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process
.\BuildISO.ps1 -<Command-line Arguments>
- Build output ISO images
C:\falcon-windows-host-recovery\CSPERecovery_x64.iso
C:\falcon-windows-host-recovery\CSSafeBoot_x64.iso
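The following is an added example and is not part of the falcon-windows-host-recovery project. It produces BitLockerKeys.csv in the format the build expects (header exactly `KeyID,RecoveryKey`) from recovery passwords escrowed in Active Directory, then validates the file, including the case-sensitive header check, before it is built into the CSPERecovery image. It assumes the ActiveDirectory RSAT module is installed and the caller can read msFVE-RecoveryInformation objects; the output path, the SearchBase value and the function names are placeholders of this example, not the project's.

```powershell
# Added example, not part of the falcon-windows-host-recovery project. Produces
# BitLockerKeys.csv in the format the build expects (header exactly "KeyID,RecoveryKey")
# from recovery passwords escrowed in Active Directory, then validates the file before it
# is built into the CSPERecovery image.
# Assumptions: the ActiveDirectory RSAT module is installed and the caller can read
# msFVE-RecoveryInformation objects; the output path and SearchBase below are placeholders.
#Requires -Modules ActiveDirectory
Set-StrictMode -Version Latest

function Export-BitLockerKeysCsv {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $SearchBase          # optional OU, e.g. 'OU=Workstations,DC=corp,DC=example'
    )
    $query = @{
        Filter     = { objectClass -eq 'msFVE-RecoveryInformation' }
        Properties = 'msFVE-RecoveryGuid', 'msFVE-RecoveryPassword'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    $rows = @(foreach ($obj in Get-ADObject @query) {
        # msFVE-RecoveryGuid is a 16-byte array; the image matches on the GUID string,
        # so emit it as lower-case text without braces, like the sample rows above.
        $guid = [guid]::new([byte[]] $obj.'msFVE-RecoveryGuid')
        "$($guid.ToString()),$($obj.'msFVE-RecoveryPassword')"
    })
    # Written by hand rather than with Export-Csv: Export-Csv quotes every field and, on
    # Windows PowerShell, -Encoding UTF8 prepends a BOM that would break an exact header match.
    # Neither a GUID nor a recovery password contains a comma, so no quoting is needed.
    Set-Content -Path $Path -Value (@('KeyID,RecoveryKey') + $rows) -Encoding ASCII
    return $rows.Count
}

function Test-BitLockerKeysCsv {
    param([Parameter(Mandatory)] [string] $Path)
    $problems = [System.Collections.Generic.List[string]]::new()
    $lines  = @(Get-Content -Path $Path)
    $header = if ($lines.Count) { $lines[0] } else { '' }
    # Check the header on the raw first line with a case-sensitive compare (-cne):
    # Import-Csv matches property names case-insensitively and would hide a "keyid" header.
    if ($header -cne 'KeyID,RecoveryKey') {
        $problems.Add("header must be exactly 'KeyID,RecoveryKey' (found '$header')")
        return $problems
    }
    $guidRe = '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
    $keyRe  = '^(\d{6}-){7}\d{6}$'      # 48-digit recovery password: 8 groups of 6 digits
    $n = 1
    foreach ($row in Import-Csv -Path $Path) {
        $n++
        if ($row.KeyID -notmatch $guidRe)      { $problems.Add("line ${n}: KeyID is not a GUID") }
        if ($row.RecoveryKey -notmatch $keyRe) { $problems.Add("line ${n}: RecoveryKey is not a 48-digit recovery password") }
    }
    return $problems
}

$csv    = 'C:\falcon-windows-host-recovery\BitLockerKeys.csv'
$count  = Export-BitLockerKeysCsv -Path $csv
$issues = @(Test-BitLockerKeysCsv -Path $csv)
if ($issues.Count) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Host "OK: $count key(s) written to $csv; build the image, then securely delete this file" }
```

The validator rejects the placeholder rows from the sample table above by design (their KeyID and RecoveryKey values are not a GUID and a 48-digit key). Organisations that escrow keys in Intune/Entra ID rather than on-premises AD need a different source for the rows, but the file format and the header check are the same. The CSV holds every recovery key in one place: treat it with the same handling and destruction rules as the finished ISO, and rotate the keys after remediation as the warning above says.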
- Download Rufus, an open-source utility for creating bootable USB sticks from https://rufus.ie/en/
- Open Rufus:
- Use the “Device” menu to select the desired USB drive target
- WARNING: USB drive will be wiped clean
- Use the “Select” button (next to “Boot Selection”) and choose the CSPERecovery or CSSafeBoot ISO file
- Use “Partition scheme” dropdown menu and select “GPT”
- Use the “Target System” dropdown menu to select “UEFI (non CSM)”
- Press Start
- IMPORTANT: If prompted to write in ISO mode or ESP mode, please read the following guidance carefully:
  - ISO mode should be attempted first.
    - It offers the most complete user experience, supports both MBR and UEFI booting, and enables the automated cleanup script for the CSSafeBoot ISO.
    - The CSPERecovery ISO is not impacted.
  - ESP mode should be tried if the machine does not see the bootable USB drive, particularly on older UEFI systems.
    - Go back to the "Open Rufus" step above, repeat these steps and select ESP mode.
    - The automated cleanup script will be unavailable for the CSSafeBoot ISO, but the manual remediation steps are still available and will succeed.
    - The CSPERecovery ISO is not impacted.
Once you have created a bootable USB drive with Rufus (see the section above):
- Once complete, insert the USB drive into the impacted system
- Confirm the host has network access, preferably via wired ethernet
- Reboot the target system and enter the UEFI boot Menu
- Usually the F1, F2, F8, F11, or F12 key
- Prepare to select the USB Flash Drive.
- If given both a MBR and UEFI option with the same label, prepare to select UEFI
- Wait while Windows PE loads
- Use the appropriate "Recover..." guide below for CSSafeBoot or CSPERecovery
The CSPERecovery image remediates the host automatically:
- Select the recovery image drive mount in Boot Manager
- If more than one drive is detected, select the drive letter associated with the impacted OS.
- If BitLocker is enabled
  - WARNING: BitLocker Recovery Keys should be rotated after host remediation
  - If prompted, enter your BitLocker Recovery Key to unlock the volume
  - If a BitLocker Recovery Keys CSV is available in the recovery image, the matching key is entered automatically
- The recovery script removes the impacted Channel File 291 sys file
  - Deletes all files starting with C-00000291* located in the C:\Windows\System32\drivers\CrowdStrike\ folder
- The device will automatically reboot
- The Windows host should load successfully.
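As an added illustration of the automated path just described (this is not the CSPERecovery image's own script), the PowerShell below runs inside WinPE, enumerates fixed volumes, unlocks BitLocker-locked ones with a key looked up in BitLockerKeys.csv (falling back to a prompt), deletes C-00000291* from the CrowdStrike driver folder on every Windows volume it finds, and reboots. It assumes a WinPE image built with the PowerShell and SecureStartup (manage-bde.exe) optional components and a BitLockerKeys.csv next to the script; the function names are this example's own.

```powershell
# Added example, not the CSPERecovery image's own script: the automated path described
# above, written out. Runs inside WinPE, enumerates fixed volumes, unlocks BitLocker-locked
# ones with a key looked up in BitLockerKeys.csv (falling back to a prompt), deletes
# C-00000291* from the CrowdStrike driver folder on every Windows volume found, and reboots.
# Assumptions: WinPE built with the PowerShell and SecureStartup (manage-bde.exe) optional
# components; BitLockerKeys.csv next to this script; X: is WinPE's own RAM drive.
Set-StrictMode -Version Latest

$ChannelFileGlob = 'C-00000291*'
$KeyCsv = Join-Path $PSScriptRoot 'BitLockerKeys.csv'

# KeyID -> RecoveryKey. Keys are stored lower-case and without braces so either GUID
# spelling in the CSV matches the "{GUID}" form manage-bde prints.
$Keys = @{}
if (Test-Path $KeyCsv) {
    foreach ($row in Import-Csv -Path $KeyCsv) {
        $Keys[$row.KeyID.Trim('{', '}').ToLowerInvariant()] = $row.RecoveryKey
    }
}

function Get-LockStatus([string] $Drive) {
    $out = & manage-bde -status $Drive 2>&1 | Out-String
    if ($out -match 'Lock Status:\s+(\w+)') { return $Matches[1] }   # "Locked" or "Unlocked"
    return 'Unknown'    # not a BitLocker volume, or manage-bde could not query it
}

function Get-RecoveryProtectorIds([string] $Drive) {
    # Each recovery-password protector is listed as "Numerical Password:" followed by "ID: {GUID}".
    $out = & manage-bde -protectors -get $Drive 2>&1 | Out-String
    foreach ($m in [regex]::Matches($out, 'Numerical Password:\s+ID:\s+\{([0-9A-Fa-f-]+)\}')) {
        $m.Groups[1].Value.ToLowerInvariant()
    }
}

function Unlock-Volume([string] $Drive) {
    foreach ($id in Get-RecoveryProtectorIds $Drive) {
        if ($Keys.ContainsKey($id)) {
            & manage-bde -unlock $Drive -RecoveryPassword $Keys[$id] | Out-Null
            if ((Get-LockStatus $Drive) -eq 'Unlocked') { return $true }
        }
    }
    # No usable key in the CSV: fall back to the manual prompt the README describes.
    $manual = Read-Host "Enter the BitLocker Recovery Key for $Drive (leave blank to skip)"
    if ($manual) {
        & manage-bde -unlock $Drive -RecoveryPassword $manual | Out-Null
        return ((Get-LockStatus $Drive) -eq 'Unlocked')
    }
    return $false
}

function Remove-ChannelFile291([string] $Drive) {
    $dir = Join-Path $Drive 'Windows\System32\drivers\CrowdStrike'
    if (-not (Test-Path $dir)) { return 0 }    # not a Windows volume with the sensor installed
    $files = @(Get-ChildItem -Path $dir -Filter $ChannelFileGlob -File -Force)
    $files | Remove-Item -Force
    Write-Host "${Drive} removed $($files.Count) file(s) from $dir"
    return $files.Count
}

$removed = 0
foreach ($d in [System.IO.DriveInfo]::GetDrives()) {
    $drive = $d.Name.TrimEnd('\')              # "C:\" -> "C:"
    if ($drive -eq 'X:' -or $d.DriveType -ne 'Fixed') { continue }
    if ((Get-LockStatus $drive) -eq 'Locked' -and -not (Unlock-Volume $drive)) {
        Write-Warning "$drive is BitLocker-locked and could not be unlocked; skipping"
        continue
    }
    $removed += Remove-ChannelFile291 $drive    # checks every Windows volume, not only the first
}
if ($removed -gt 0) { wpeutil reboot } else { Write-Warning 'No Channel File 291 found on any volume' }
```

The deletion is scoped to the single C-00000291* family inside the CrowdStrike driver folder, so an unrelated volume or a sensor without that channel file is left untouched, and the script refuses to reboot when it deleted nothing so that a wrong drive or a still-locked volume is noticed rather than silently looped past.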
The CSSafeBoot image automatically reconfigures the bootloader on the machine to boot into Safe Mode with Networking and reboots.
- Select the recovery image drive mount in Boot Manager
  - NOTE: If your system reboots into the Windows Recovery environment as part of a prior boot loop, select Continue.
- The machine will reboot into Safe Mode after the next boot.
- Log in as a user with Local Administrator permissions
- Confirm the Safe Mode banner is displayed on the desktop
- Remediation
  - To perform remediation steps automatically
    - Open Windows Explorer and navigate to the drive letter for your bootable image mount (e.g. D:)
    - If your bootable image is not listed as a drive letter in Windows Explorer, skip to the next section titled "To execute remediation steps manually", as your specific configuration may preclude the use of the automatic remediation script.
    - Right-click on the file CSRecovery.cmd and select Run as administrator
    - The script will delete all files starting with C-00000291* located in the C:\Windows\System32\drivers\CrowdStrike\ folder
    - The device will automatically reboot and load the operating system.
  - To execute remediation steps manually
    - Open Windows Explorer and navigate to C:\Windows\System32\drivers\CrowdStrike
    - Delete all files starting with C-00000291* in that folder
    - Right-click on Command Prompt and select Run as administrator
    - Type the following command and press Enter:
bcdedit /deletevalue {default} safeboot
    - Reboot the device and verify the operating system loads successfully.
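The manual Safe Mode steps above as an added PowerShell script that also verifies each step. This is not the image's CSRecovery.cmd: it confirms the host really is in Safe Mode (so the sensor driver is not loaded), deletes C-00000291* and checks nothing is left, clears the safeboot value the image set on {default}, and re-reads the BCD entry before rebooting. It assumes the OS volume is C: and the folder and file names documented above; the function names are this example's own.

```powershell
# Added example, not the CSSafeBoot image's CSRecovery.cmd: the manual steps above as a
# PowerShell script that verifies each one. Confirms the host really is in Safe Mode (so
# the sensor driver is not loaded), deletes C-00000291* from the CrowdStrike driver folder
# and checks nothing is left, clears the safeboot value the image set on {default}, and
# re-reads the BCD entry before rebooting. Run from an elevated PowerShell inside Safe Mode.
# Assumptions: the OS volume is C:; folder and file names are those documented above.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest

$CsDriverDir     = 'C:\Windows\System32\drivers\CrowdStrike'
$ChannelFileGlob = 'C-00000291*'

function Test-SafeMode {
    # Windows sets SAFEBOOT_OPTION to "Network" (Safe Mode with Networking) or "Minimal".
    return ($env:SAFEBOOT_OPTION -in @('Network', 'Minimal'))
}

function Remove-ChannelFile291 {
    $before = @(Get-ChildItem -Path $CsDriverDir -Filter $ChannelFileGlob -File -Force -ErrorAction Stop)
    $before | Remove-Item -Force
    $after = @(Get-ChildItem -Path $CsDriverDir -Filter $ChannelFileGlob -File -Force)
    if ($after.Count -ne 0) { throw "Still present after delete: $($after.Name -join ', ')" }
    return $before.Count
}

function Get-DefaultSafeboot {
    # Quote the braces: in PowerShell an unquoted {default} is parsed as a script block and
    # bcdedit receives "default" without braces. (In cmd.exe, as in the manual steps, no quoting is needed.)
    $entry = & bcdedit /enum '{default}' | Out-String
    if ($entry -match '(?m)^safeboot\s+(\S+)') { return $Matches[1] }   # e.g. "Network"
    return $null
}

function Clear-Safeboot {
    & bcdedit /deletevalue '{default}' safeboot | Out-Null
    # Re-read the entry: if safeboot is still set the host would keep booting into Safe Mode.
    return ($null -eq (Get-DefaultSafeboot))
}

if (-not (Test-SafeMode)) {
    Write-Warning 'SAFEBOOT_OPTION is not set: this is not a Safe Mode session and the sensor may be running. Aborting.'
    exit 1
}
$removed = Remove-ChannelFile291
Write-Host "Removed $removed file(s) matching $ChannelFileGlob from $CsDriverDir"
if (Clear-Safeboot) {
    Write-Host 'safeboot cleared from {default}; rebooting into normal mode'
    Restart-Computer -Force
} else {
    Write-Warning 'safeboot is still set on {default}; fix the BCD entry before rebooting'
    exit 1
}
```

The two checks that matter in practice are the ones the manual steps cannot do by eye: the Safe Mode guard stops the script from deleting the channel file while the sensor is loaded, and the post-delete re-read of the {default} entry catches a failed bcdedit call before the reboot that would otherwise land the host back in Safe Mode.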
For PXE booting, these ISO files can be deployed and booted through existing PXE booting capability deployed at your business.
Due to significant differences in network and software configurations with PXE booting, we cannot recommend specific generic PXE booting instructions.
WARNING: BitLocker Recovery Keys should be rotated after host remediation
Safe Handling of Bootable Images with BitLocker Recovery Keys
- Images should only be accessible to those who absolutely need them.
- Images should be stored on password-protected storage devices with disk encryption.
- Images should be transferred over encrypted communication channels.
Secure Destruction of Bootable Images with BitLocker Recovery Keys
- Digital ISO image files must be destroyed using software designed for secure deletion, to ensure the data cannot be recovered.
- Physical storage media containing ISO images should be destroyed using methods such as shredding, incineration or crushing.
Known Issues
- CSPERecovery on dual-boot Windows systems only remediates the first drive found; the second Windows OS boot drive will not be automatically remediated.
- If keys from the CSV are not applied automatically, verify that your CSV has the column headers KeyID and RecoveryKey and that their case matches exactly (the headers are case sensitive).
Copyright (c) CrowdStrike, Inc.
By accessing or using this image, script, sample code, application programming interface, tools, and/or associated documentation (if any) (collectively, “Tools”), You (i) represent and warrant that You are entering into this Agreement on behalf of a company, organization or another legal entity (“Entity”) that is currently a customer or partner of CrowdStrike, Inc. (“CrowdStrike”), and (ii) have the authority to bind such Entity and such Entity agrees to be bound by this Agreement. CrowdStrike grants Entity a non-exclusive, non-transferable, non-sublicensable, royalty free and limited license to access and use the Tools solely for Entity’s internal business purposes, including without limitation the rights to copy and modify the Tools as necessary for your internal purposes. Any third-party software, files, drivers or other components accessed and/or downloaded by You when using a Tool may be governed by additional terms or by a separate license provided or maintained by the third party provider. THE TOOLS ARE PROVIDED “AS-IS” WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED OR STATUTORY OR OTHERWISE. CROWDSTRIKE SPECIFICALLY DISCLAIMS ALL SUPPORT OBLIGATIONS AND ALL WARRANTIES, INCLUDING WITHOUT LIMITATION, ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. IN NO EVENT SHALL CROWDSTRIKE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THE TOOLS, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. THIS TOOL IS NOT ENDORSED BY ANY THIRD PARTY.