search

CrowdStrike / psfalcon

PowerShell for CrowdStrike's OAuth2 APIs
The Unlicense
370 stars 71 forks source link

[ QUESTION ] `System.TypeInitializationException` error with `Uninstall-FalconSensor` #376

Closed geoscoutCJ closed 10 months ago

geoscoutCJ commented 10 months ago

Hello all,

I am trying to build a script to bulk uninstall Crowdstrike from a CSV file with hostnames but I seem to be doing something wrong when I get to the Uninstall-FalconSensor portion of the script.

To take other factors of my script out of the question, I reduced my script to just trying to uninstall Crowdstrike on one host. Here is what I have:

param(
    [Parameter(Mandatory,Position=1)]
    [ValidatePattern('^[a-fA-F0-9]{32}$')]
    [string]$clientid,
    [Parameter(Mandatory,Position=2)]
    [ValidatePattern('^\w{40}$')]
    [string]$clientsecret

)
Import-Module -Name PSFalcon
request-falcontoken -ClientId $clientid -Clientsecret $clientsecret
Uninstall-FalconSensor -Id 0000000000000000000000 -QueueOffline $true

I also tried putting the Id in single quotes (-Id '0000000000000000000000')

But I always get the following error:

Invoke-FalconRtr : The type initializer for 'System.Management.Automation.Tracing.PowerShellChannelWriter' threw an exception.
At C:\Users\myuser\OneDrive - MyOneDriv\Documents\WindowsPowerShell\Modules\PSFalcon\2.2.6\public\psf-sensors.ps1:384 char:30
+       $Request = $HostList | Invoke-FalconRtr @Param
+                              ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Invoke-FalconRtr], TypeInitializationException
    + FullyQualifiedErrorId : System.TypeInitializationException,Invoke-FalconRtr

Based on the examples I find on the GitHub repo and what I am seeing on Reddit, I think my command should uninstall the sensor on the machine I am indicating.

I have confirmed that I have the right Device ID and the correct API permissions (as per https://github.com/CrowdStrike/psfalcon/wiki/Uninstall-FalconSensor) but I am not sure how to dig into the TypeInitializationException error. My best guess is something is not being returned formatted correctly to Invoke-FalconRtr but I am not sure how to validate that.

Environment:

Any suggestions?

Thanks, Caleb

bk-cs commented 10 months ago

Hmm, this is a new one! Could you provide a transcript?

Import-Module -Name PSFalcon
Request-FalconToken ...
$VerbosePreference=2
Start-Transcript
Uninstall-FalconSensor -Id 0000000000000000000000 -QueueOffline $true
Stop-Transcript
geoscoutCJ commented 10 months ago

Well....now that I am trying to replicate the issue today, it seems to have gone away. Bummer. I would have liked to have tracked that down.

One other thing I did find when troubleshooting yesterday: I was using PowerShell ISE and something about that seemed to be part of the problem. If I ran the command in a regular PowerShell window, the command completes without any issue. Maybe there was something weird about the ISE session, and closing/opening cleared it out?

bk-cs commented 10 months ago

PowerShell ISE doesn't behave like normal PowerShell, and it is no longer supported by Microsoft. I recommend switching to something like VSCode, and also never using PSFalcon inside of ISE because I've seen weird things happen.

geoscoutCJ commented 10 months ago

Good to know, thanks for your help!