Ask HN: What is in C-00000291*.sys?

[lordnacho]

It's a crowdstrike update file with a bug in it, from what I gather. This makes your Windows machine go blue screen and stop working as it starts up. If you manage to remove it by various methods, it doesn't run and you're fine.

More informed people will give you more details, but this kind of AV software often has privileged access to the OS, so it can scan your files. The same privileged access also means it can really mess things up if it's not well tested.

By contrast your ordinary python or VBA script should not be able to blue screen your machine, especially not during startup.

[dathinab]

> By contrast your ordinary python or VBA script should not be able to blue screen your machine, especially not during startup.

This is misleading. If you run a python or VBA script on startup with elevated permissions to e.g. setup a driver (with a bug) or do hardware configurations (in a way which doesn't work) then it will as much blue screen as a sys file.

The issue is not that it's a `.sys` file, but that a high privilege administrative task run at startup fails so hard that it blue screens.

(In windows the sys file extension is basically just a marker that the file is part of the "system" without being clear what it is, it can be anything from a data blob,over a data base, over python/VBA files to a device driver or a blob combining multiple of such things. They mostly contain device drivers and hardware configuration, but there are some which are basically just the equivalent of /etc/hostname)

[schroeding]

Every Windows executable can crash a Windows system with the SE_SHUTDOWN_NAME privilege (which, contrary to the name, not only allows safe normal shutdowns) if they want to, though, which most of the time every user has.

The "if they want to" part is the difference, kernel drivers can easily cause BSoDs on accident, e.g. by writing to an invalid address, normal processes can't, they have to jump through hoops by choice.