Scripts to help with the diagnosis and repair of unhealthy Windows Falcon sensor installations.
- Added checks for when a maintenance token would be required.
- Removed unnecessary logic when repairing the sensor, reducing API permissions required to run repair script. Added additional commenting to code.
- Added more compatibility checks to ensure script runs properly. Formatted outputted messages/errors. Fixed logic surrounding channel file deletion to avoid possible issues.
- Overall improvement to script's checks and logic including formality checks for API ID/secret. Added toggle for Flight Controlled CID's.
- New functionality added to enable the repair script to work with Falcon environments where parent-child relationships are used (Flight Control).
- Initial release
- Get-FalconServiceStatus.ps1 - Checks for common causes of an unhealthy sensor and suggests repair steps
- Runs locally with no external dependencies
- Repair-FalconSensor.ps1 - Automated script to repair many common issues with a sensor install
- Requires a properly scoped Falcon API Key and network access
- Removes 291 Channel Files
Query the current status of the Falcon sensor as installed on the endpoint, and recommend the best repair option given the sensor state. Additionally, identify whether the defective 291 Channel File(s) remains on disk and requires removal.
- PowerShell 3.0 or higher
The script must be run as an administrator on the target machine.
Run with:
.\Get-FalconServiceStatus.ps1
This script attempts to repair broken sensor installs, deletes potential bad 291 channel files, and applies file check logic to only run on systems that have the broken folder / file structure. The script will perform several actions, if the folders/files are found to be changed or altered. This script is only applicable for hosts that are functioning, where the Falcon Sensor is currently broken, or not reporting to the Falcon Console.
For machines still stuck within unusable states, please continue to follow instructions outlined in the Tech Alert.
- Falcon Administrator role required to Create API Keys
- API Key with following permission:
- 'Sensor Download: Read'
- 'Sensor Update Policies: Read + Write'
- API Key with following permission:
- 64-bit PowerShell 3.0 or higher
- TLS 1.2 minimum
- PowerShell Administrator level execution
- Was
C:\Program Files\CrowdStrike\renamed or deleted? - Was
C:\Windows\System32\drivers\CrowdStrike\renamed or deleted? - Was
csagent.sysrenamed or deleted? - Was
CsFalconService.exerenamed or deleted? - Is the
csagentservice running? - Is the
CsFalconServiceservice running? - Does the bad ChannelFile exist on disk?
- Check host for the above issues
- Remove bad ChannelFile if exists
- Via API, download WindowsSensor to
C:\Temp\ - Repair the Agent install
- Generate API Token: https://falcon.crowdstrike.com/api-clients-and-keys/
- Click on
Create API client, and grant the following permission:- Sensor Download: Read
- Sensor Update Policies: Read + Write
- Copy down the
Client IDandClient Secretfrom the pop-up. - Open
Repair-FalconSensor.ps1in a text editor - Scroll to the “Editable Region” of the script and enter the API
Client ID,Client Secret, your Falcon Cloud, and set Flight Control to$trueif using this in a Flight Controlled CID.- NOTE: These are the ONLY FIELDS THAT SHOULD BE CHANGED IN THE SCRIPT. Nothing else should be altered.
Once Set-up steps are complete, run the script with
.\Repair-FalconSensor.ps1
This script can also be ran by specifying the arguments and values when running
.\Repair-FalconSensor.ps1 -SourceID {your_ID} -SourceSecret {your_secret} -Cloud {cloud} -FlightControl {$true/$false}
- Locally: Run the following in command line:
sc query csagent- Output for STATE should show: “4 RUNNING”
- Remote: Check host
Last Seendata within host management.- It should show a recently updated timestamp if the script was successful.
- Query / Dashboard: A fresh run of any of the existing tools used to monitor “DOWN” hosts should reflect repaired hosts now communicating to CrowdStrike, and will be showing as “OKAY”.