PENDING remove crowdstrike falcon sensor

[eagle876291]

I’m seeing two instances of the CrowdStrike Sensor installed on several machines. It appears the duplicate entry was created during an agent upgrade, and the first instance seems to be corrupted.

When attempting to run csuninstalltool.exe, I receive an error stating that the specified file does not exist. However, if I first remove the corrupted sensor entry through Control Panel and then run the uninstall tool, the process completes successfully without any issues.

I need assistance with creating a script that can be deployed through SCCM to handle this uninstall process across multiple machines.

ProductCodes = @("{4c3177b2-7f9d-486c-85f5-0e50b731486c}", "{854ddf2e-d35b-407e-8296-800441e6562c}")

 

[Stanley Road]

*** Untested AI Generated Script ***

# CrowdStrike Duplicate Sensor Cleanup Script for SCCM
# Run as SYSTEM (SCCM default). Handles uninstall of both ProductCodes, then csuninstalltool.exe
# Place csuninstalltool.exe in the same package folder as this script

$ProductCodes = @("{4c3177b2-7f9d-486c-85f5-0e50b731486c}", "{854ddf2e-d35b-407e-8296-800441e6562c}")
$UninstallTool = "csuninstalltool.exe" # Assumes in same dir as script

# Log function
function Write-Log {
param([string]$Message)
$Timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
"$Timestamp - $Message" | Out-File -FilePath "$env:TEMP\CS_Uninstall.log" -Append -Encoding UTF8
}

Write-Log "Starting CrowdStrike duplicate cleanup on $env:COMPUTERNAME"

# Step 1: Uninstall MSI instances via msiexec (handles corrupted ones)
foreach ($Code in $ProductCodes) {
Write-Log "Attempting uninstall of ProductCode: $Code"
$UninstallArgs = @("/x", $Code, "/qn", "/norestart", "REBOOT=ReallySuppress")
$Process = Start-Process -FilePath "msiexec.exe" -ArgumentList $UninstallArgs -Wait -PassThru -NoNewWindow
if ($Process.ExitCode -eq 0) {
Write-Log "Successfully uninstalled $Code (ExitCode: $($Process.ExitCode))"
} else {
Write-Log "msiexec failed for $Code (ExitCode: $($Process.ExitCode)) - may already be gone"
}
Start-Sleep -Seconds 2 # Brief pause between uninstals
}

# Step 2: Run csuninstalltool.exe to clean remnants
if (Test-Path $UninstallTool) {
Write-Log "Running $UninstallTool"
$CSArgs = @("MAINTENANCE_TOKEN=YOUR_TOKEN_HERE", "/quiet") # Replace with bulk token or remove if policy allows
$CSProcess = Start-Process -FilePath $UninstallTool -ArgumentList $CSArgs -Wait -PassThru -NoNewWindow
Write-Log "csuninstalltool completed (ExitCode: $($CSProcess.ExitCode))"
} else {
Write-Log "WARNING: $UninstallTool not found - skipping"
}

# Step 3: Cleanup leftovers (services, files, registry)
$CSPaths = @(
"${envrogramFiles}\CrowdStrike",
"${envrogramFiles(x86)}\CrowdStrike"
)
$CSServices = @("csagent", "csfalconservice")

foreach ($Path in $CSPaths) {
if (Test-Path $Path) {
Write-Log "Removing folder: $Path"
Remove-Item $Path -Recurse -Force -ErrorAction SilentlyContinue
}
}

foreach ($Service in $CSServices) {
if (Get-Service -Name $Service -ErrorAction SilentlyContinue) {
Write-Log "Stopping and deleting service: $Service"
Stop-Service $Service -Force -ErrorAction SilentlyContinue
sc.exe delete $Service | Out-Null
}
}

# Optional: Kill any lingering CS processes
Get-Process | Where-Object { $_.ProcessName -like "*cs*" -or $_.ProcessName -like "*falcon*" } | Stop-Process -Force -ErrorAction SilentlyContinue

Write-Log "Cleanup complete. Review $env:TEMP\CS_Uninstall.log for details."

# SCCM exit code 0 for success
exit 0