CrowdStrike Falcon Command Builder

Build CrowdStrike Falcon sensor commands for Windows, macOS & Linux. Generate install (CID), uninstall (maintenance token), verify (sc query csagent / falconctl stats), proxy, and grouping tag commands. Tokens stay in your browser.

Advertisement

What Is the CrowdStrike Falcon Command Builder

The CrowdStrike Falcon sensor is a lightweight endpoint detection and response (EDR) agent that runs on Windows, macOS, and Linux hosts. While day-to-day policy management happens in the Falcon console, sensor lifecycle operations — installing, uninstalling, verifying, and troubleshooting the agent — are performed with platform-specific command-line tools that are easy to get wrong.

This tool generates ready-to-run commands for Falcon sensor administration. Pick an action and an operating system, paste in your CID or maintenance token where required, and copy a complete, correctly-formatted command sequence.

Key Commands and Tools

Windows uses WindowsSensor.exe for installation (with the CID= parameter and optional provisioning token), CsUninstallTool.exe for removal (with MAINTENANCE_TOKEN= when uninstall protection is enabled), and the standard service commands sc query csagent and net start csagent for verification.

macOS uses the bundled falconctl utility at /Applications/Falcon.app/Contents/Resources/falconctl for licensing, stats, and uninstallation, plus launchctl for service control.

Linux uses the package manager (yum, apt, or zypper) for installation, /opt/CrowdStrike/falconctl for configuration (CID, provisioning tokens, proxy settings, grouping tags), and systemctl for service management.

Common Use Cases

  • Mass deployment: generate the exact silent-install command with your CID for use in SCCM, Intune, Jamf, or Ansible
  • Sensor removal: build the uninstall command with the maintenance token retrieved from the Falcon console
  • Health checks: verify the sensor service is running and connected to the CrowdStrike cloud after installation or troubleshooting
  • Proxy environments: configure the sensor to communicate through an HTTP proxy on isolated networks
  • Host organization: apply sensor grouping tags so hosts land in the right host groups and policies

Best Practices

Always retrieve the maintenance token before uninstalling. When uninstall protection (sensor tamper protection) is enabled, removal requires a per-host maintenance token from Host setup and management → Host management in the Falcon console. Disabling tamper protection instead weakens your security posture.

Verify after every install or uninstall. A successful installer exit code does not guarantee the sensor is registered. Run the verification command for your platform and confirm the host appears in the Falcon console within a few minutes.

Use provisioning tokens for new installs when your CID has installation token enforcement enabled — installs without a valid token are rejected.

Keep tokens out of scripts and tickets. Maintenance tokens and CIDs pasted into this tool are processed entirely in your browser and never sent to a server, but treat them as credentials: do not commit them to source control or paste them into ticketing systems.

Advertisement

Frequently Asked Questions

How do I uninstall the CrowdStrike Falcon sensor with a maintenance token?+

On Windows, run 'CsUninstallTool.exe MAINTENANCE_TOKEN=YOUR-TOKEN /quiet' or 'WindowsSensor.exe /uninstall /quiet MAINTENANCE_TOKEN=YOUR-TOKEN'. On macOS, run 'sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall --token YOUR-TOKEN'. On Linux, run 'sudo falconctl uninstall --token YOUR-TOKEN'. Paste your token into the builder and it is injected into the command locally - it never leaves your browser.

Where do I get my CrowdStrike maintenance token?+

Log into the Falcon console, go to Hosts > Host Management, select the target device, open the three-dot menu, and choose Reveal maintenance token. You will need a note in the textbox before the token is shown. The token (uninstall passcode) is required when sensor uninstall protection is enabled.

How do I verify the Falcon sensor is running?+

On Windows, run 'sc query csagent' and look for STATE: RUNNING (start it with 'net start csagent' if stopped). On macOS, run 'sudo /Applications/Falcon.app/Contents/Resources/falconctl stats' and look for 'Sensor operational: true'. On Linux, run 'sudo systemctl status falcon-sensor' and look for Active (running).

What is the silent install command for the Falcon sensor on Windows?+

Run 'WindowsSensor.exe /install /quiet /norestart CID=YOUR-CUSTOMER-ID' from the folder containing the installer. The /quiet flag suppresses prompts and /norestart prevents an automatic reboot. If your CID enforces installation tokens, append ProvToken=YOUR-INSTALLATION-TOKEN. Confirm the result with 'sc query csagent'.

How do I install the Falcon sensor on Linux with a CID and provisioning token?+

Install the package ('sudo yum install falcon-sensor-.rpm' or 'sudo dpkg -i falcon-sensor__amd64.deb'), then configure it with 'sudo /opt/CrowdStrike/falconctl -s --cid=YOUR-CID --provisioning-token=YOUR-TOKEN'. Start the sensor with 'sudo systemctl start falcon-sensor' and confirm registration with 'sudo /opt/CrowdStrike/falconctl -g --aid'.

How do I configure a proxy for the Falcon sensor on Linux?+

Stop the sensor, then run 'sudo /opt/CrowdStrike/falconctl -s --apd=FALSE --aph=http://proxy.example.com --app=8080'. Setting --apd=FALSE forces traffic through the proxy (--aph is the host, --app is the port). Start the sensor and verify with 'sudo /opt/CrowdStrike/falconctl -g --apd --aph --app'.

How do I set grouping tags on a Linux Falcon sensor?+

Run 'sudo /opt/CrowdStrike/falconctl -s -f --tags="prod,webserver,us-east-1"' (setting tags overwrites existing tags), then restart with 'sudo systemctl restart falcon-sensor' so the tags sync to the console. View current tags with 'sudo /opt/CrowdStrike/falconctl -g --tags'. Use comma-separated lowercase tags with no spaces.

Does this tool send my maintenance token or CID anywhere?+

No. The CrowdStrike Falcon Command Builder runs entirely in your browser. Any maintenance token, installation token, or CID you paste is injected directly into the generated commands client-side and is never transmitted to a server. If you leave a field blank, a clearly-marked placeholder such as YOUR-MAINTENANCE-TOKEN is used instead.

This tool is provided for informational and educational purposes only. All processing happens in your browser — no data is sent to or stored on our servers. While we strive for accuracy, we make no warranties about the completeness or reliability of results.