The other "drivers" (e.g. 'C-00000291-...32.sys') appear to be obfuscated data ...and are x-ref'd (perhaps ingested?) by CSAgent.sys
...so maybe invalid (config/signature) data triggered the fault in CSAgent.sys
This would be easier to tell/confirm via debugging
This is all surmised static analysis ...reversing CSAgent.sys (now on VT:
https://www.virustotal.com/gui/file/fc17c021f18ec73d1544ad46dde6a1f1949f126bf3e75f97e241f982e2b07c86)
and data from a single crash dump ...so take with a pinch of
...and big mahalo to Tom!
Sharing a .zip with:
A few versions of CSAgent.sys (+idb)
Various C-....sys files (including the latest that I believe contains the "fix"?)
I don't have any Windows systems/VMs, so hopefully y'all can keep digging
https://drive.google.com/file/d/1OVIWLDMN9xzYv8L391V1ob2ghp8igoZm/view?usp=share_link
#SharingIsCaring
A big outstanding question to me is: what are the 'C-00000291-...xxx.sys' files?
As deleting them fixes the crash, this seems to imply their contents matter (as it's CSAgent.sys, which has references to them, that is crashing).
But as their contents change between systems...
"The .sys files causing the issue are channel update files, they cause the top level CS driver to crash as they're invalidly formatted." -Kevin Beaumont
https://cyberplace.social/@GossiTheDog/112812454405913406
Note "channel updates ...bypassed client's staging controls and was rolled out to everyone regardless"
https://www.resetera.com/threads/windows-blue-screen-of-death-bsod-happening-worldwide-right-now-up-caused-by-crowdstrike-falcon-sensor-see-threadmarks.931566/page-17?post=126021399#post-126021399
A few IT folks who had set the CS policy to ignore latest version confirmed this was, ya, bypassed, as this was "content" update (vs. a version update)
An update from @CrowdStrike confirms our analysis:
https://www.crowdstrike.com/blog/technical-details-on-todays-outage/
Namely:
The C-...sys files aren't kernel drivers, but rather are "configuration files" dubbed "Channel Files"
C-00000291- "triggered a logic error that resulted in an OS crash" (via CSAgent.sys)
Some surmised a blank (0x0, ...) Channel File was to blame.
@CrowdStrike debunked that, stating the issue was "not related to null bytes contained in ...any... Channel File"
Also @Malware Utkonos notes a check that shows files must start w/ "0xaaaaaaaa":
https://x.com/MalwareUtkonos/status/1814777806145847310
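An added example (not code from the thread or from CrowdStrike) of the fail-closed pattern the thread points at: a kernel-side consumer of configuration data should validate a Channel File (here, the 0xaaaaaaaa magic the thread mentions, plus a length check) and reject it rather than dereference whatever it contains. The status enum, function names and sample buffers are assumptions; nothing beyond the magic value comes from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Magic the thread says Channel Files must start with. */
#define CHANNEL_FILE_MAGIC 0xaaaaaaaaU

/* Hypothetical status codes; the real driver's are not on the page. */
typedef enum { CF_OK = 0, CF_ERR_NULL, CF_ERR_TOO_SHORT, CF_ERR_BAD_MAGIC } cf_status;

/* Validate a Channel File blob before anything parses its contents.
 * Every byte of the magic is 0xaa, so the compare is endian-independent. */
cf_status cf_validate(const uint8_t *buf, size_t len)
{
    uint32_t magic;

    if (buf == NULL)
        return CF_ERR_NULL;
    if (len < sizeof magic)           /* empty or truncated file */
        return CF_ERR_TOO_SHORT;
    memcpy(&magic, buf, sizeof magic); /* no unaligned dereference */
    if (magic != CHANNEL_FILE_MAGIC)   /* e.g. an all-zero file */
        return CF_ERR_BAD_MAGIC;
    return CF_OK;
}

/* Fail-closed loader: a rejected file is skipped, never parsed.
 * Returns 1 if the file was accepted, 0 if it was rejected. */
int cf_load(const uint8_t *buf, size_t len)
{
    cf_status st = cf_validate(buf, len);
    if (st != CF_OK) {
        fprintf(stderr, "channel file rejected (status %d)\n", (int)st);
        return 0;
    }
    /* Parse the remaining fields here, bounds-checking each one. */
    return 1;
}

int main(void)
{
    /* Constructed samples: a valid header, an all-zero file, an empty file. */
    static const uint8_t good[]  = {0xaa, 0xaa, 0xaa, 0xaa, 0x01, 0x00};
    static const uint8_t zeros[8] = {0};
    printf("good=%d zeros=%d empty=%d\n", cf_load(good, sizeof good),
           cf_load(zeros, sizeof zeros), cf_load(NULL, 0));
    return 0;
}
```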