search

CrowdStrike / psfalcon

PowerShell for CrowdStrike's OAuth2 APIs
The Unlicense
350 stars 66 forks source link

[ QUESTION ] `System.TypeInitializationException` error with `Uninstall-FalconSensor` #376

Closed geoscoutCJ closed 8 months ago

geoscoutCJ commented 8 months ago

Hello all,

I am trying to build a script to bulk uninstall Crowdstrike from a CSV file with hostnames but I seem to be doing something wrong when I get to the Uninstall-FalconSensor portion of the script.

To take other factors of my script out of the question, I reduced my script to just trying to uninstall Crowdstrike on one host. Here is what I have:

param(
    [Parameter(Mandatory,Position=1)]
    [ValidatePattern('^[a-fA-F0-9]{32}$')]
    [string]$clientid,
    [Parameter(Mandatory,Position=2)]
    [ValidatePattern('^\w{40}$')]
    [string]$clientsecret

)
Import-Module -Name PSFalcon
request-falcontoken -ClientId $clientid -Clientsecret $clientsecret
Uninstall-FalconSensor -Id 0000000000000000000000 -QueueOffline $true

I also tried putting the Id in single quotes (-Id '0000000000000000000000')

But I always get the following error:

Invoke-FalconRtr : The type initializer for 'System.Management.Automation.Tracing.PowerShellChannelWriter' threw an exception.
At C:\Users\myuser\OneDrive - MyOneDriv\Documents\WindowsPowerShell\Modules\PSFalcon\2.2.6\public\psf-sensors.ps1:384 char:30
+       $Request = $HostList | Invoke-FalconRtr @Param
+                              ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Invoke-FalconRtr], TypeInitializationException
    + FullyQualifiedErrorId : System.TypeInitializationException,Invoke-FalconRtr

Based on the examples I find on the GitHub repo and what I am seeing on Reddit, I think my command should uninstall the sensor on the machine I am indicating.

I have confirmed that I have the right Device ID and the correct API permissions (as per https://github.com/CrowdStrike/psfalcon/wiki/Uninstall-FalconSensor) but I am not sure how to dig into the TypeInitializationException error. My best guess is something is not being returned formatted correctly to Invoke-FalconRtr but I am not sure how to validate that.

Environment:

Any suggestions?

Thanks, Caleb

bk-cs commented 8 months ago

Hmm, this is a new one! Could you provide a transcript?

Import-Module -Name PSFalcon
Request-FalconToken ...
$VerbosePreference=2
Start-Transcript
Uninstall-FalconSensor -Id 0000000000000000000000 -QueueOffline $true
Stop-Transcript
geoscoutCJ commented 8 months ago

Well....now that I am trying to replicate the issue today, it seems to have gone away. Bummer. I would have liked to have tracked that down.

One other thing I did find when troubleshooting yesterday: I was using PowerShell ISE and something about that seemed to be part of the problem. If I ran the command in a regular PowerShell window, the command completes without any issue. Maybe there was something weird about the ISE session, and closing/opening cleared it out?

bk-cs commented 8 months ago

PowerShell ISE doesn't behave like normal PowerShell, and it is no longer supported by Microsoft. I recommend switching to something like VSCode, and also never using PSFalcon inside of ISE because I've seen weird things happen.

geoscoutCJ commented 8 months ago

Good to know, thanks for your help!