CrowdStrike / falcon-scripts

Scripts to streamline the deployment and use of the CrowdStrike Falcon sensor
The Unlicense

windows installer fails with Error code 106 #319

Closed buzzdeee closed 2 weeks ago

buzzdeee commented 2 weeks ago

Running the falcon_windows_install.ps1 script in an Administrator PowerShell window works until it downloads the installer; then running the installer fails:

Started 'C:\WINDOWS\Temp\WindowsSensor.MaverickGyr.exe' (5732)
Waiting for the installer process to complete with PID (5732)
Installer process with PID (5732) has completed
You cannot call a method on a null-valued expression.
At C:\Users\admin\Downloads\falcon\falcon_windows_install.ps1:594 char:13
+             $errOut = $process.StandardError.ReadToEnd()
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

Falcon installer exited with code 106. Error:
Falcon installer exited with code 106. Error:
At C:\Users\admin\Downloads\falcon\falcon_windows_install.ps1:597 char:13
+             throw $message
+             ~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Falcon installe...de 106. Error: :String) [], RuntimeException
    + FullyQualifiedErrorId : Falcon installer exited with code 106. Error:
carlosmmatos commented 2 weeks ago

@buzzdeee thanks for opening this up. Looks like the issue is not downloading the installer, but fails trying to install. Generally exit code 106 on the uninstaller side is due to a missing maintenance token. Not sure if this is failing because you need a provisioning token. One way to troubleshoot is to follow the following doc: https://supportportal.crowdstrike.com/s/article/Troubleshooting-Windows-Sensors-Installation-Issues

Basically you need to look at the log files in C:\WINDOWS\Temp..

I'll look into the actual logging error being thrown there - that might be a bug in the script.

Let me know what you find in the logs or if you try it with a provisioning token.
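The "You cannot call a method on a null-valued expression" error in the report above comes from calling `.ReadToEnd()` on `$process.StandardError` when that stream was never redirected, so the real installer error text is lost and only the bare exit code (106) survives. The following is an added example, not code from the falcon-scripts project: it shows the .NET `ProcessStartInfo` pattern that makes `StandardError` non-null (redirect the stream and disable `UseShellExecute`), reads stdout asynchronously so a chatty child cannot deadlock the parent, and guards the message building so a missing stream degrades to a hint rather than a second exception. The function name `Invoke-InstallerWithCapture`, the parameter names, the placeholder installer path and the `/install /quiet /norestart` switches are assumptions for illustration.

```powershell
# Added example (not the project's falcon_windows_install.ps1).
# Run an installer with stdout/stderr captured so a non-zero exit code can be
# reported together with whatever the installer wrote, without a null-method error.
function Invoke-InstallerWithCapture {
    param(
        [Parameter(Mandatory)][string]$InstallerPath,   # assumed parameter name
        [string[]]$InstallerArgs = @()                   # assumed parameter name
    )

    if (-not (Test-Path -LiteralPath $InstallerPath)) {
        throw "Installer not found: $InstallerPath"
    }

    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName  = $InstallerPath
    $psi.Arguments = ($InstallerArgs -join ' ')
    # StandardOutput/StandardError are only created when the stream is redirected
    # AND UseShellExecute is $false. Without this, $process.StandardError is $null
    # and .ReadToEnd() throws "You cannot call a method on a null-valued expression".
    $psi.UseShellExecute        = $false
    $psi.RedirectStandardOutput = $true
    $psi.RedirectStandardError  = $true
    $psi.CreateNoWindow         = $true

    $process = [System.Diagnostics.Process]::Start($psi)
    Write-Host "Started '$InstallerPath' ($($process.Id))"

    # Drain stdout on a background task while reading stderr synchronously;
    # reading both synchronously can deadlock when one pipe buffer fills.
    $stdOutTask = $process.StandardOutput.ReadToEndAsync()
    $errOut     = $process.StandardError.ReadToEnd()
    $process.WaitForExit()
    $stdOut     = $stdOutTask.Result

    # Defensive guard: never let an empty/missing stream hide the exit code.
    if ([string]::IsNullOrWhiteSpace($errOut)) {
        $errOut = '(installer wrote nothing to stderr; check the installer log under C:\WINDOWS\Temp)'
    }

    [pscustomobject]@{
        ExitCode = $process.ExitCode
        StdOut   = $stdOut
        StdErr   = $errOut
    }
}

# Usage (placeholder path; switches are the assumed sensor installer arguments):
$result = Invoke-InstallerWithCapture `
    -InstallerPath 'C:\WINDOWS\Temp\WindowsSensor.PLACEHOLDER.exe' `
    -InstallerArgs @('/install', '/quiet', '/norestart')

if ($result.ExitCode -ne 0) {
    # One clear message instead of a throw whose text is itself truncated.
    throw "Falcon installer exited with code $($result.ExitCode). Error: $($result.StdErr)"
}
```

Note that fixing the stream handling only improves the diagnostics; exit code 106 is returned by the installer itself, so the installer log in C:\WINDOWS\Temp that the previous comment points to remains the place to find the underlying cause.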

buzzdeee commented 2 weeks ago

I tried it with these parameters:

-FalconClientId <ID> -FalconClientSecret <SECRET> -Tags <A_TAG>

There was an old CS installation on it that I couldn't easily uninstall, due to a missing maintenance token, as that old CS sensor was connected to a PoC instance that no longer exists. What I did there was to rename the C:\Program Files\CrowdStrike directory, AND with regedit, rename the CSFalconSensor registry key folder. And reboot the machine. Without that, the script refused to even download, because it detected a properly installed and running CS instance.

With the above two steps and a reboot, the script started properly, but then in the end failed, even though no service was running and no old install directory was in the way. Even though I already tampered a lot to prevent it from starting up, it seems there's more tamper protection in place ;)

carlosmmatos commented 2 weeks ago

Yeah, you might have some tamper protection happening for sure. I would have recommended you try the uninstall script with your creds:

falcon_windows_uninstall.ps1 -FalconClientId <string> -FalconClientSecret <string>

This would have used your creds to grab the maintenance token (assuming it existed) automatically. At this point, with all the changes, you might be better off rebuilding that machine if possible.

buzzdeee commented 2 weeks ago

I renamed the CrowdStrike directory back to its original name, as well as the service via regedit, and rebooted.

Then the uninstall script was able to retrieve the maintenance token from our new Falcon instance, but the script failed:

Started 'C:\ProgramData\Package Cache\{df17d369-6036-4186-bd25-92269b770565}\WindowsSensor.LionLanner.x64.exe' (10620)
Uninstaller returned exit code 1603
Uninstaller returned exit code 1603
At C:\Users\sebastia\Downloads\falcon\falcon_windows_uninstall.ps1:561 char:9
+         throw $Message
+         ~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Uninstaller returned exit code 1603:String) [], RuntimeException
    + FullyQualifiedErrorId : Uninstaller returned exit code 1603

It seems that to get rid of it, I'd need the maintenance token of the PoC instance, which no longer exists. So only a fresh reinstall of the OS would help me get rid of the old CS Falcon sensor?

But in any case, when I can rename the CrowdStrike install directory, and rename or probably even delete the service in the registry as a normal administrator, to prevent the sensor from working, isn't the tamper protection more an annoyance than a tamper protection?

carlosmmatos commented 2 weeks ago

I'm not sure what state you are in, but if your tenant does have tamper protection on, then I would say it's doing its job as intended. Just because you have the keys to the kingdom shouldn't mean that you can do whatever you want, unless you've been given the approval to do so by your security org. That's just my 2c.

If you don't want to reinstall the OS, then I would just open a support case with CrowdStrike and see if they can help you figure out the best path forward.

I just wanted to make sure you're aware of the uninstaller that is able to grab the maint token from the api.

buzzdeee commented 2 weeks ago

Thank you, I'll get in touch with the support.