Troubleshooting the CrowdStrike Falcon Sensor for Windows

NOTE: This software is NOT intended for use on computers that are NOT owned by Duke University or Duke Health. Please do NOT install this software on personally-owned devices. Installing this software on a personally-owned device will place the device under Duke policies and under Duke control.

Full Documentation and Further Assistance

A recent copy of the full CrowdStrike Falcon Sensor for Windows documentation (from which most of this information is taken) can be found at https://duke.box.com/v/CrowdStrikeDocs (Duke NetID required).

If you have questions or issues that this document doesn't address, please submit a ServiceNow case to "Device Engineering - OIT" or send an email to oitderequest@duke.edu.

Troubleshooting Sensor Installation

Installation fails

If the sensor installation fails, confirm that the host meets the system requirements (listed in the full documentation, found at the link above), including required Windows services. If required services are not installed or running, you may see an error message: "A required Windows service is disabled, stopped, or missing. Please see the installation log for details."

An installation log with more information should be located in the %LOCALAPPDATA%\Temp directory for the user attempting the install.

Also, confirm that CrowdStrike software is not already installed. Duke's CrowdStrike Falcon Sensor for Windows policies have Tamper Protection enabled by default. With Tamper Protection enabled, the CrowdStrike Falcon Sensor for Windows cannot be uninstalled or manually updated without providing a computer-specific "maintenance token". If you need a maintenance token to uninstall an operating sensor or to attempt upgrading a non-functional sensor, please contact your Security office for assistance.

Verify that the Sensor is Running

To validate that the Falcon sensor for Windows is running on a host, run this command at a command prompt:

sc.exe query csagent

The following output will appear if the sensor is running:

SERVICE_NAME: csagent
TYPE               : 2  FILE_SYSTEM_DRIVER
STATE              : 4  RUNNING
                       (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE    : 0  (0x0)
SERVICE_EXIT_CODE  : 0  (0x0)
CHECKPOINT         : 0x0
WAIT_HINT          : 0x0

If you do not see output similar to this, please see Troubleshooting General Sensor Issues, below.

Troubleshooting General Sensor Issues

Sensor is Installed, but Doesn't Run

If the sensor doesn't run, confirm that the host meets our system requirements (listed in the full documentation, found at the link above), including required Windows services. If required services are not installed or running, you may see an error message in the sensor's logs: "A required Windows service is disabled, stopped, or missing. Please see the installation log for details."

The sensor can install, but not run, if any of these services are disabled or stopped:

  • LMHosts (may be disabled on your host if the TCP/IP NetBIOS Helper service is disabled)
  • Windows Base Filtering Engine (BFE)
  • DHCP Client, if you use Web Proxy Automatic Discovery (WPAD) via DHCP
  • DNS Client
  • WinHTTP AutoProxy

An installation log with more information should be located in the %LOCALAPPDATA%\Temp directory for the user attempting the install.
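The checks above (csagent state plus the five prerequisite services) can be run in one pass. The following PowerShell script is an added example, not part of the article or of CrowdStrike's documentation; the service names it uses are the standard Windows short names for the services listed above, and it assumes an elevated prompt.

```powershell
# Added example (not from the article or CrowdStrike): report the csagent driver state
# and the start type / status of the Windows services the article lists as prerequisites.
# Run from an elevated PowerShell prompt.

# Short service names assumed for the services named in the article.
$required = [ordered]@{
    'lmhosts'             = 'TCP/IP NetBIOS Helper (LMHosts)'
    'BFE'                 = 'Base Filtering Engine'
    'Dhcp'                = 'DHCP Client (needed only if WPAD is delivered via DHCP)'
    'Dnscache'            = 'DNS Client'
    'WinHttpAutoProxySvc' = 'WinHTTP Web Proxy Auto-Discovery'
}

# csagent is a file-system driver, not a Win32 service, so Get-Service does not list it.
# Win32_SystemDriver exposes the same state that "sc.exe query csagent" reports.
$agent = Get-CimInstance Win32_SystemDriver -Filter "Name='csagent'"
if ($null -eq $agent) {
    Write-Host 'csagent driver not found: the sensor is not installed' -ForegroundColor Red
} elseif ($agent.State -ne 'Running') {
    Write-Host "csagent is installed but its state is $($agent.State)" -ForegroundColor Yellow
} else {
    Write-Host 'csagent is RUNNING' -ForegroundColor Green
}

# A service that is Disabled or Stopped matches the article's
# "A required Windows service is disabled, stopped, or missing" error.
foreach ($name in $required.Keys) {
    $desc = $required[$name]
    $svc  = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Host "MISSING  $name ($desc)" -ForegroundColor Red
    } elseif ($svc.StartType -eq 'Disabled') {
        Write-Host "DISABLED $name ($desc)" -ForegroundColor Red
    } elseif ($svc.Status -ne 'Running') {
        Write-Host "STOPPED  $name ($desc), start type $($svc.StartType)" -ForegroundColor Yellow
    } else {
        Write-Host "OK       $name ($desc)" -ForegroundColor Green
    }
}
```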

Verify the Host's Connection to the CrowdStrike Cloud

You can verify that the host is connected to the cloud using Planisphere or a command line on the host.
  • Planisphere: If a device is communicating with the CrowdStrike Cloud, Planisphere will collect information about that device on its regular polling of the CrowdStrike service. You can see the timing of the last and next polling on the Planisphere Data Sources tab. You can see the specific information for your device on the device's Details tab.

  • Host: Run the following command from a command line with administrative privileges: netstat -f
    After a few moments, possibly among other lines from other communications, you should see lines similar to the following:

    Active Connections

      Proto  Local Address          Foreign Address        State
      ...
      TCP    192.168.1.102:52767    ec2-100-26-113-214.compute-1.amazonaws.com:https  CLOSE_WAIT
      TCP    192.168.1.102:53314    ec2-34-195-179-229.compute-1.amazonaws.com:https  CLOSE_WAIT
      TCP    192.168.1.102:53323    ec2-34-195-179-229.compute-1.amazonaws.com:https  CLOSE_WAIT
      TCP    192.168.1.102:53893    ec2-54-175-121-155.compute-1.amazonaws.com:https  ESTABLISHED
      ...

    (Press CTRL-C to exit the netstat command.)

    In the example above, the "ec2-..." addresses indicate a connection to a specific IP address in the CrowdStrike cloud. The full documentation (linked above) contains a full list of CrowdStrike cloud IPs. If your host uses a proxy, the Foreign Address shows the proxy address instead of the CrowdStrike Cloud address.

Host Can't Connect to the CrowdStrike Cloud

If your host can't connect to the CrowdStrike Cloud, check these network configuration items:

  1. Verify that your host can connect to the internet.
  2. If your host uses a proxy, verify your proxy configuration.
  3. If your host uses an endpoint firewall, configure it to permit traffic to and from the Falcon sensor.
  4. Verify that your host's LMHosts service is enabled. LMHosts may be disabled if you've disabled the TCP/IP NetBIOS Helper on your host.
  5. Verify that your host trusts CrowdStrike's certificate authority.

More information on each of these items can be found in the full documentation (linked above).


Hosts must remain connected to the CrowdStrike cloud throughout installation. A host unable to reach the cloud within 10 minutes will not successfully install the sensor. If your host requires more time to connect, you can override this 10-minute limit by using the ProvNoWait parameter on the installer command line. This also gives you more time to perform troubleshooting steps.

<installer_filename> /install CID=<Customer ID with Checksum> ProvNoWait=1

An installation log with more information should be located in the %LOCALAPPDATA%\Temp directory for the user attempting the install.

Host Can't Establish Proxy Connection

If a proxy server and port were not specified via the installer (using the APP_PROXYNAME and APP_PROXYPORT parameters), these can be added to the Windows Registry manually as the CsProxyHostname and CsProxyPort values under this key:

HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default

CrowdStrike does not support Proxy Authentication. If connection to the CrowdStrike cloud through the specified proxy server fails, or no proxy server is specified, the sensor will attempt to connect directly.
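To see which proxy the sensor has been given and what the host is actually connected to, the following PowerShell script is an added example, not part of the article or of CrowdStrike's documentation. It reads the registry values named above and lists established HTTPS connections with the remote address resolved to a name, the way netstat -f shows them; it assumes an elevated prompt, and the "amazonaws.com" match only mirrors the article's example output rather than the authoritative cloud address list.

```powershell
# Added example (not from the article or CrowdStrike): show the sensor's proxy settings
# and the host's current outbound HTTPS connections. Run from an elevated PowerShell prompt.

# Registry key and value names exactly as given in the article.
$proxyKey = 'HKLM:\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default'

if (Test-Path $proxyKey) {
    $p = Get-ItemProperty -Path $proxyKey -ErrorAction SilentlyContinue
    if ($p.CsProxyHostname) {
        # Proxy authentication is not supported, and the sensor falls back to a direct
        # connection if this proxy fails, so a broken proxy shows up as direct attempts.
        Write-Host "Sensor proxy configured: $($p.CsProxyHostname):$($p.CsProxyPort)"
    } else {
        Write-Host 'No sensor proxy set (CsProxyHostname absent): the sensor connects directly'
    }
} else {
    Write-Host "Sensor registry key not found: $proxyKey" -ForegroundColor Yellow
}

# Established outbound HTTPS connections, remote address reverse-resolved like "netstat -f".
# Behind a proxy the remote address is the proxy, not the CrowdStrike cloud.
Get-NetTCPConnection -RemotePort 443 -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        $name = try {
            (Resolve-DnsName $_.RemoteAddress -ErrorAction Stop | Select-Object -First 1).NameHost
        } catch { $null }
        [pscustomobject]@{
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = if ($name) { $name } else { $_.RemoteAddress }
            Process = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            # 'amazonaws.com' only reflects the article's sample output; confirm against
            # the CrowdStrike cloud IP list in the full documentation.
            Cloud   = if ($name -like '*amazonaws.com') { 'likely' } else { 'check docs' }
        }
    } | Format-Table -AutoSize
```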

Article number: KB0035354

Valid to: March 23, 2024