
CrowdStrike Falcon Command Builder

Generate copy-ready CrowdStrike Falcon sensor commands for Windows, macOS, and Linux. Compose install, uninstall (with maintenance token), verify, restart, proxy, grouping tag, and version commands - all built locally in your browser.

100% Private - Runs Entirely in Your Browser
No data is sent to any server. All processing happens locally on your device.

What Is the CrowdStrike Falcon Command Builder

The CrowdStrike Falcon sensor is a lightweight endpoint detection and response (EDR) agent that runs on Windows, macOS, and Linux hosts. While day-to-day policy management happens in the Falcon console, sensor lifecycle operations — installing, uninstalling, verifying, and troubleshooting the agent — are performed with platform-specific command-line tools that are easy to get wrong.

This tool generates ready-to-run commands for Falcon sensor administration. Pick an action and an operating system, paste in your CID or maintenance token where required, and copy a complete, correctly-formatted command sequence.

Key Commands and Tools

Windows uses WindowsSensor.exe for installation (with the CID= parameter and optional provisioning token), CsUninstallTool.exe for removal (with MAINTENANCE_TOKEN= when uninstall protection is enabled), and the standard service commands sc query csagent and net start csagent for verification.

macOS uses the bundled falconctl utility at /Applications/Falcon.app/Contents/Resources/falconctl for licensing, stats, and uninstallation, plus launchctl for service control.

Linux uses the package manager (yum, apt, or zypper) for installation, /opt/CrowdStrike/falconctl for configuration (CID, provisioning tokens, proxy settings, grouping tags), and systemctl for service management.

Common Use Cases

  • Mass deployment: generate the exact silent-install command with your CID for use in SCCM, Intune, Jamf, or Ansible
  • Sensor removal: build the uninstall command with the maintenance token retrieved from the Falcon console
  • Health checks: verify the sensor service is running and connected to the CrowdStrike cloud after installation or troubleshooting
  • Proxy environments: configure the sensor to communicate through an HTTP proxy on isolated networks
  • Host organization: apply sensor grouping tags so hosts land in the right host groups and policies

Best Practices

Always retrieve the maintenance token before uninstalling. When uninstall protection (sensor tamper protection) is enabled, removal requires a per-host maintenance token from Host setup and management → Host management in the Falcon console. Disabling tamper protection instead weakens your security posture.

Verify after every install or uninstall. A successful installer exit code does not guarantee the sensor is registered. Run the verification command for your platform and confirm the host appears in the Falcon console within a few minutes.
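A post-install gate for Linux hosts, as an added example that is not part of the original page or of CrowdStrike's tooling: it combines the service state with the `falconctl -g --aid` registration check and polls until an agent ID appears, so a deployment job fails when the package installed but the sensor never registered. The `aid="<32 hex chars>"` output shape, the function names, the script name, and the retry defaults are assumptions.

```shell
#!/bin/sh
# Added example: post-install verification gate for the Falcon Linux sensor.
FALCONCTL="${FALCONCTL:-/opt/CrowdStrike/falconctl}"

# Probes are separate functions so a deployment tool or test can stub them.
probe_service() { systemctl is-active falcon-sensor 2>/dev/null; }
probe_aid()     { sudo "$FALCONCTL" -g --aid 2>&1; }

# Print the agent ID if the text looks like aid="<32 hex chars>" (assumed
# output shape, optional trailing period); print nothing otherwise.
parse_aid() {
  printf '%s\n' "$1" |
    sed -n 's/^aid="\([0-9a-fA-F]\{32\}\)"\.\{0,1\}[[:space:]]*$/\1/p' |
    head -n 1
}

# $1 = service state, $2 = `falconctl -g --aid` output.
# Returns 0 = running and registered, 1 = service not active, 2 = no agent ID.
evaluate() {
  ev_state="${1:-unknown}"
  ev_aid="$(parse_aid "$2")"
  if [ "$ev_state" != "active" ]; then
    echo "FAIL service=$ev_state"; return 1
  fi
  if [ -z "$ev_aid" ]; then
    echo "FAIL service=active aid=unset"; return 2
  fi
  echo "OK aid=$ev_aid"
}

# Poll up to $1 times, $2 seconds apart; the last status line is printed.
wait_for_registration() {
  wfr_attempts="${1:-10}"; wfr_delay="${2:-15}"; wfr_i=1
  while [ "$wfr_i" -le "$wfr_attempts" ]; do
    if wfr_result="$(evaluate "$(probe_service)" "$(probe_aid)")"; then
      echo "$wfr_result"; return 0
    fi
    wfr_i=$((wfr_i + 1))
    [ "$wfr_i" -gt "$wfr_attempts" ] || sleep "$wfr_delay"
  done
  echo "$wfr_result"; return 1
}

# Run as: sh verify-falcon.sh --wait [attempts] [delay-seconds]
# (verify-falcon.sh is a hypothetical file name)
if [ "${1:-}" = "--wait" ]; then
  wait_for_registration "${2:-10}" "${3:-15}"
  exit "$?"
fi
```

The script needs no CID or token, so it can live in source control alongside the deployment playbook.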

Use provisioning tokens for new installs when your CID has installation token enforcement enabled — installs without a valid token are rejected.

Keep tokens out of scripts and tickets. Maintenance tokens and CIDs pasted into this tool are processed entirely in your browser and never sent to a server, but treat them as credentials: do not commit them to source control or paste them into ticketing systems.

Frequently Asked Questions

Common questions about the CrowdStrike Falcon Command Builder

On Windows, run 'CsUninstallTool.exe MAINTENANCE_TOKEN=YOUR-TOKEN /quiet' or 'WindowsSensor.exe /uninstall /quiet MAINTENANCE_TOKEN=YOUR-TOKEN'. On macOS, run 'sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall --token YOUR-TOKEN'. On Linux, run 'sudo falconctl uninstall --token YOUR-TOKEN'. Paste your token into the builder and it is injected into the command locally - it never leaves your browser.

Log in to the Falcon console, go to Hosts > Host Management, select the target device, open the three-dot menu, and choose Reveal maintenance token. You must enter a note in the text box before the token is shown. The token (uninstall passcode) is required when sensor uninstall protection is enabled.

On Windows, run 'sc query csagent' and look for STATE: RUNNING (start it with 'net start csagent' if stopped). On macOS, run 'sudo /Applications/Falcon.app/Contents/Resources/falconctl stats' and look for 'Sensor operational: true'. On Linux, run 'sudo systemctl status falcon-sensor' and look for Active (running).

Run 'WindowsSensor.exe /install /quiet /norestart CID=YOUR-CUSTOMER-ID' from the folder containing the installer. The /quiet flag suppresses prompts and /norestart prevents an automatic reboot. If your CID enforces installation tokens, append ProvToken=YOUR-INSTALLATION-TOKEN. Confirm the result with 'sc query csagent'.

Install the package ('sudo yum install falcon-sensor-.rpm' or 'sudo dpkg -i falcon-sensor__amd64.deb'), then configure it with 'sudo /opt/CrowdStrike/falconctl -s --cid=YOUR-CID --provisioning-token=YOUR-TOKEN'. Start the sensor with 'sudo systemctl start falcon-sensor' and confirm registration with 'sudo /opt/CrowdStrike/falconctl -g --aid'.

Stop the sensor, then run 'sudo /opt/CrowdStrike/falconctl -s --apd=FALSE --aph=http://proxy.example.com --app=8080'. Setting --apd=FALSE forces traffic through the proxy (--aph is the host, --app is the port). Start the sensor and verify with 'sudo /opt/CrowdStrike/falconctl -g --apd --aph --app'.

Run 'sudo /opt/CrowdStrike/falconctl -s -f --tags="prod,webserver,us-east-1"' (setting tags overwrites existing tags), then restart with 'sudo systemctl restart falcon-sensor' so the tags sync to the console. View current tags with 'sudo /opt/CrowdStrike/falconctl -g --tags'. Use comma-separated lowercase tags with no spaces.

No. The CrowdStrike Falcon Command Builder runs entirely in your browser. Any maintenance token, installation token, or CID you paste is injected directly into the generated commands client-side and is never transmitted to a server. If you leave a field blank, a clearly-marked placeholder such as YOUR-MAINTENANCE-TOKEN is used instead.
