Quick steps to recover from the current CrowdStrike situation that is stopping business
Option A –
- BOOT THE DEVICES INTO WINDOWS RECOVERY MODE OR SAFE MODE.
- GO TO THE COMMAND PROMPT.
- RENAME CSAGENT.SYS TO CSAGENT_OLD.SYS IN THIS PATH: "windows/system32/drivers/Crowdstrike/CSAGENT.SYS"
Option B –
- Ideally, wait for CrowdStrike to give a new release.
- If you have a BSOD, the only step is to rebuild the machine from scratch. Then use any other good EDR, from a vendor who can give you free licenses, as part of the new build.
Option C –
- If there is no BSOD, you can use the following uninstaller script, according to the version of the CS sensors.
- The one change required is in $source: update it to point to the repository that holds the uninstaller package below.
- Immediately reboot with an alternate EDR, from a vendor who can give you free licenses, as part of the new build.
```powershell
$serviceName = "CSFalconService"
$source      = "http://51.79.XX.XX/EDRNEWFolder/CSUninstall.exe?download=1"
$destination = "C:\CSuninstall.exe"
$logPath     = "C:\CSUninstall_Log.txt"

# Function to check if service exists and is running
function IsServiceRunning {
    param (
        [string]$serviceName
    )
    $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
    return ($null -ne $service) -and ($service.Status -eq 'Running')
}

# Check if CrowdStrike service is running
if (IsServiceRunning -serviceName $serviceName) {
    # Download CSUninstall.exe
    Invoke-RestMethod -Uri $source -OutFile $destination

    # Uninstall CrowdStrike agent silently and wait for the uninstaller to exit
    $InstallArgs = "/quiet"
    $installProcess = Start-Process -NoNewWindow -PassThru -Wait -FilePath $destination -ArgumentList $InstallArgs

    # Log the uninstallation status, including the uninstaller's exit code
    Add-Content -Path $logPath -Value "$(Get-Date): CrowdStrike agent uninstallation completed with exit code $($installProcess.ExitCode)."
} else {
    # Log the error message
    Add-Content -Path $logPath -Value "$(Get-Date): Error - CrowdStrike service is not running. Cannot uninstall."
}
```
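The script above executes whatever $source returns over plain HTTP, with no integrity check. The following is an added example, not part of the original page: a gate that runs the downloaded uninstaller only if its SHA-256 matches a value obtained out of band and its Authenticode signature is valid. $expectedSha256 is a placeholder, and the signer substring and the function name are assumptions.

```powershell
# Added example: verify a downloaded uninstaller before executing it.
$destination    = "C:\CSuninstall.exe"
$logPath        = "C:\CSUninstall_Log.txt"
$expectedSha256 = "<SHA256-PUBLISHED-BY-VENDOR>"  # placeholder: obtain from the vendor's own portal
$expectedSigner = "CrowdStrike"                    # assumption: substring expected in the signer subject

# Hypothetical helper: returns an object with Trusted (bool) and Reasons (string[])
function Test-DownloadedBinary {
    param (
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Sha256,
        [Parameter(Mandatory)][string]$SignerPattern
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Trusted = $false; Reasons = @("file not found: $Path") }
    }
    $reasons = @()

    # 1. Content integrity: the bytes must match the hash published by the vendor
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $Sha256) {   # -ne compares strings case-insensitively
        $reasons += "SHA-256 mismatch (got $actual)"
    }

    # 2. Publisher identity: the signature must validate and name the expected signer
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $reasons += "Authenticode status is $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notlike "*$SignerPattern*") {
        $reasons += "unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    [pscustomobject]@{ Trusted = ($reasons.Count -eq 0); Reasons = $reasons }
}

$check = Test-DownloadedBinary -Path $destination -Sha256 $expectedSha256 -SignerPattern $expectedSigner
if ($check.Trusted) {
    $p = Start-Process -NoNewWindow -PassThru -Wait -FilePath $destination -ArgumentList "/quiet"
    Add-Content -Path $logPath -Value "$(Get-Date): Verified uninstaller exited with code $($p.ExitCode)."
} else {
    # Fail closed: do not execute, and record why
    Add-Content -Path $logPath -Value "$(Get-Date): Refused to run uninstaller: $($check.Reasons -join '; ')"
}
```

With the placeholder hash left in place the gate refuses to run the file, which is the intended fail-closed behaviour.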
You can work with a few selected OEMs / partners who are able to help you migrate today WITHOUT any charges!
This can help you get back to business ASAP.