Build CrowdStrike Falcon sensor commands for Windows, macOS & Linux. Generate install (CID), uninstall (maintenance token), verify (sc query csagent / falconctl stats), proxy, and grouping tag commands. Tokens stay in your browser.
The CrowdStrike Falcon sensor is a lightweight endpoint detection and response (EDR) agent that runs on Windows, macOS, and Linux hosts. While day-to-day policy management happens in the Falcon console, sensor lifecycle operations — installing, uninstalling, verifying, and troubleshooting the agent — are performed with platform-specific command-line tools that are easy to get wrong.
This tool generates ready-to-run commands for Falcon sensor administration. Pick an action and an operating system, paste in your CID or maintenance token where required, and copy a complete, correctly-formatted command sequence.
Windows uses WindowsSensor.exe for installation (with the CID= parameter and optional provisioning token), CsUninstallTool.exe for removal (with MAINTENANCE_TOKEN= when uninstall protection is enabled), and the standard service commands sc query csagent and net start csagent for verification.
macOS uses the bundled falconctl utility at /Applications/Falcon.app/Contents/Resources/falconctl for licensing, stats, and uninstallation, plus launchctl for service control.
Linux uses the package manager (yum, apt, or zypper) for installation, /opt/CrowdStrike/falconctl for configuration (CID, provisioning tokens, proxy settings, grouping tags), and systemctl for service management.
Always retrieve the maintenance token before uninstalling. When uninstall protection (sensor tamper protection) is enabled, removal requires a per-host maintenance token from Host setup and management → Host management in the Falcon console. Disabling tamper protection instead weakens your security posture.
Verify after every install or uninstall. A successful installer exit code does not guarantee the sensor is registered. Run the verification command for your platform and confirm the host appears in the Falcon console within a few minutes.
Use provisioning tokens for new installs when your CID has installation token enforcement enabled — installs without a valid token are rejected.
Keep tokens out of scripts and tickets. Maintenance tokens and CIDs pasted into this tool are processed entirely in your browser and never sent to a server, but treat them as credentials: do not commit them to source control or paste them into ticketing systems.
On Windows, run 'CsUninstallTool.exe MAINTENANCE_TOKEN=YOUR-TOKEN /quiet' or 'WindowsSensor.exe /uninstall /quiet MAINTENANCE_TOKEN=YOUR-TOKEN'. On macOS, run 'sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall --token YOUR-TOKEN'. On Linux, run 'sudo falconctl uninstall --token YOUR-TOKEN'. Paste your token into the builder and it is injected into the command locally - it never leaves your browser.
Log into the Falcon console, go to Hosts > Host Management, select the target device, open the three-dot menu, and choose Reveal maintenance token. You will need a note in the textbox before the token is shown. The token (uninstall passcode) is required when sensor uninstall protection is enabled.
On Windows, run 'sc query csagent' and look for STATE: RUNNING (start it with 'net start csagent' if stopped). On macOS, run 'sudo /Applications/Falcon.app/Contents/Resources/falconctl stats' and look for 'Sensor operational: true'. On Linux, run 'sudo systemctl status falcon-sensor' and look for Active (running).
Run 'WindowsSensor.exe /install /quiet /norestart CID=YOUR-CUSTOMER-ID' from the folder containing the installer. The /quiet flag suppresses prompts and /norestart prevents an automatic reboot. If your CID enforces installation tokens, append ProvToken=YOUR-INSTALLATION-TOKEN. Confirm the result with 'sc query csagent'.
Install the package ('sudo yum install falcon-sensor-
Stop the sensor, then run 'sudo /opt/CrowdStrike/falconctl -s --apd=FALSE --aph=http://proxy.example.com --app=8080'. Setting --apd=FALSE forces traffic through the proxy (--aph is the host, --app is the port). Start the sensor and verify with 'sudo /opt/CrowdStrike/falconctl -g --apd --aph --app'.
Run 'sudo /opt/CrowdStrike/falconctl -s -f --tags="prod,webserver,us-east-1"' (setting tags overwrites existing tags), then restart with 'sudo systemctl restart falcon-sensor' so the tags sync to the console. View current tags with 'sudo /opt/CrowdStrike/falconctl -g --tags'. Use comma-separated lowercase tags with no spaces.
No. The CrowdStrike Falcon Command Builder runs entirely in your browser. Any maintenance token, installation token, or CID you paste is injected directly into the generated commands client-side and is never transmitted to a server. If you leave a field blank, a clearly-marked placeholder such as YOUR-MAINTENANCE-TOKEN is used instead.