Someone on X has shared the kernel stack trace of the crash.
The faulting driver in the stack trace was csagent.sys.
Now, CrowdStrike has got two minifilter drivers registered with Microsoft (for signing and allocation of altitude).
1) csagent.sys - Altitude (321410)
This altitude falls within the range for Anti-Virus filters.
2) im.sys - Altitude (80680)
This altitude falls within the range for access control drivers.
So, it is clear that the driver causing the crash is their AV driver, csagent.sys.
The workaround that CrowdStrike has given is to delete C-00000291*.sys files from the directory:
C:\Windows\System32\Drivers\CrowdStrike\
These files being suggested to be deleted are not driver files (.sys files) but probably some kind of virus definition database files.
The reason they name these files with the .sys extension is possibly to leverage the Windows System File Checker tool's ability to restore deleted system files.
This seems to be a workaround; the actual fix might be done in their driver, csagent.sys, and rolled out later.
Anyone having access to a Falcon endpoint might see a change in the timestamp of the driver csagent.sys when the actual fix rolls out.
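The altitude reasoning above can be checked on any Windows host by classifying the output of `fltmc filters`. The following is an added example, not part of the original post and not CrowdStrike's code: the sample output is constructed (filter names taken from the driver file names above, instance counts invented), and the range table is a subset of Microsoft's published minifilter load order groups, where the 80000-89999 group that the post describes as access control is named FSFilter Security Enhancer.

```python
import re
from decimal import Decimal

# Subset of Microsoft's published minifilter load order groups (inclusive ranges).
LOAD_ORDER_GROUPS = [
    (360000, 389999, "FSFilter Activity Monitor"),
    (320000, 329998, "FSFilter Anti-Virus"),
    (140000, 149999, "FSFilter Encryption"),
    (80000, 89999, "FSFilter Security Enhancer"),
]

# Constructed sample in the column layout printed by `fltmc filters`.
SAMPLE_FLTMC = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
ExampleMonitor                          4       385201.5       0
csagent                                11       321410         0
im                                      9       80680          0
"""

# name, instance count, altitude (may carry a fractional part), frame
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$")


def group_for(altitude):
    """Map an altitude string to its load order group, or 'unlisted'."""
    whole = int(Decimal(altitude))  # fractional altitudes belong to the integer range
    for low, high, name in LOAD_ORDER_GROUPS:
        if low <= whole <= high:
            return name
    return "unlisted"


def classify(fltmc_output):
    """Return (filter, altitude, group) tuples, highest altitude first."""
    rows = []
    for line in fltmc_output.splitlines():
        match = ROW.match(line.strip())
        if match:  # header and separator lines do not match
            name, _instances, altitude, _frame = match.groups()
            rows.append((name, altitude, group_for(altitude)))
    # A higher altitude means the filter is attached higher in the filter stack.
    rows.sort(key=lambda row: Decimal(row[1]), reverse=True)
    return rows


if __name__ == "__main__":
    for name, altitude, group in classify(SAMPLE_FLTMC):
        print(f"{name:<20}{altitude:>12}  {group}")
```

On a live system, pipe the real `fltmc filters` output (run from an elevated prompt) into `classify` instead of the constructed sample.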
Drill down on your DSA and start doing problems on leetcode. Be regular with your prep.
Side by side, review your web dev course and start building projects.
Freecodecamp would be useful here.
I work in a peculiarly dark matter technology. Windows File System Encryption drivers. The only book available on this subject (Windows File System Drivers) is Rajeev Nagar’s “Windows NT File System Internals” which was written in 1997 and is still relevant.