Skip to main content
Red Canary help

Installing and uninstalling the Crowdstrike Falcon sensor on Windows

  • Updated .

Prerequisites

Prior to deploying the CrowdStrike Falcon sensor, please ensure you have accounted for the following:

Configure the necessary network connectivity

The CrowdStrike sensor communicates with the CrowdStrike cloud using bidirectionally authenticated Transport Layer Security (TLS) via port 443. All communications are outbound, sensor-to-server.

You can find your CrowdStrike cloud’s IP addresses by clicking Support > Docs > Cloud IP Addresses in your Falcon console.

Please be sure that these addresses are authorized at network egress points and that traffic is not subject to manipulation or TLS interception.

Installing CrowdStrike Falcon using a deployment tool

Use this installation method if you want to automate silent installations on many devices, including installations via a deployment tool such as Windows System Center Configuration Manager (SCCM).

To automatically the install the CrowdStrike Falcon sensor for Windows:

  1. Login to your CrowdStrike Falcon console.
  2. Download the sensor installer from Hosts > Sensor Downloads.
  3. Copy your customer ID checksum (CCID) from Hosts > Sensor Downloads.
  4. Run or configure your deployment tool to use the following command, replacing <your executable file name> with the name of the install file you downloaded, and <CCID> with the CCID from step 2:
    <your executable file name>.exe /install /quiet /norestart CID=<CCID>

Installing CrowdStrike Falcon manually

Use this installation method if you want to install the sensor manually on a single endpoint.

To manually install the CrowdStrike Falcon sensor for Windows:

  1. Login to your CrowdStrike Falcon console.
  2. Download the sensor installer from Hosts > Sensor Downloads.
  3. Copy your customer ID checksum from Hosts > Sensor Downloads.
  4. Run the sensor installer on your device.
  5. Enter your customer ID checksum and accept the EULA.
  6. If your OS prompts to allow the installation, click Yes.

After installation, the sensor will run silently and will be invisible to the user. To validate that the sensor is running on the host, run this command at a command prompt:

sc query csagent

This output will appear if the sensor is running:

SERVICE_NAME: csagent
TYPE               : 2  FILE_SYSTEM_DRIVER
STATE              : 4  RUNNING
                       (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE    : 0  (0x0)
SERVICE_EXIT_CODE  : 0  (0x0)
CHECKPOINT         : 0x0
WAIT_HINT          : 0x0

For more information on advanced installation types, please visit Support > Docs in your CrowdStrike Falcon console.

Uninstalling CrowdStrike Falcon

To uninstall from the Control Panel:

  1. Open the Windows Control Panel.
  2. Click Uninstall a Program.
  3. Choose CrowdStrike Windows Sensor and uninstall it, providing the maintenance token via the installer if necessary.

To uninstall using the command line:

  1. Login to your CrowdStrike Falcon console.
  2. Download CSUninstallTool from Tool Downloads.
  3. Run CSUninstallTool with this command:
    CsUninstallTool.exe /quiet