Bypassing Tamper Protection: The Orphaned CrowdStrike Removal Guide
Break the tamper protection on orphaned CrowdStrike agents. Learn how to use WinRE to neuter kernel drivers and cleanly remove locked EDRs.
How to remove CrowdStrike without Token or Console Access
5 min. read
The Ticket: The Hostage Handoff
You just signed a fantastic new client and the onboarding project is officially underway. There is only one massive roadblock. The previous IT provider went completely radio silent during the offboarding process and left their CrowdStrike Falcon agents installed on every single endpoint. Because the agent has Tamper Protection enabled, you cannot uninstall it via the Control Panel, you cannot stop the services, and you cannot deploy your own security stack because the orphaned agent actively blocks your RMM scripts. You are completely locked out of the console and do not have the maintenance token. We need to physically drop the machines into Recovery Mode and neuter the kernel drivers before Windows even boots.
Pre-Flight Check
- Permissions: Physical access to the workstation or Out of Band Management (iLO, iDRAC, vPro) to reach the recovery partition.
- Tools: The 48 digit BitLocker Recovery Key for the specific endpoint.
- Impact: High. We are performing an ungraceful, forced removal of an Early Launch Anti-Malware (ELAM) driver.
[!WARNING] The Risk Factor: Boot critical drivers are heavily integrated into the Windows kernel. Forcibly removing the driver files without gracefully unregistering them from the registry can occasionally trigger an INACCESSIBLE_BOOT_DEVICE blue screen on older operating systems. Always ensure the client's OneDrive or folder redirection is fully synced before performing a hostile EDR takeover. Additionally, if you do not have the BitLocker recovery key, this method is impossible. You will have to wipe and reload the machine.The Solution: The WinRE Neuter Protocol
Do not waste time trying to boot into Safe Mode. CrowdStrike is designed to protect itself in Safe Mode too. You must operate completely outside the active operating system.
1. Locate and Unlock the OS Drive Force the machine into the Windows Recovery Environment (WinRE) by holding the Shift key while clicking Restart. Navigate to Troubleshoot > Advanced Options > Command Prompt.
Correction to standard guides: WinRE almost never assigns the C: drive letter to your actual operating system. It usually shifts it to D: or E:. Type diskpart and then list vol to identify the largest partition. Note that letter. We will use D: for this example.
Type the following to unlock the encrypted volume: manage-bde -unlock D: -rp <Insert-48-Digit-Key-Here>
2. Neuter the Kernel Drivers Once the drive is unlocked, navigate to the system drivers directory and rename the entire CrowdStrike folder. This physically hides the driver binaries from the Windows kernel.
DOS
D:
cd \Windows\System32\drivers
ren CrowdStrike CrowdStrike_bak
3. The Clean Up Boot Type exit and restart the computer normally. You might see a service failure warning in the Windows Event Viewer. This is perfect. The CSAgent.sys driver failed to load, which means Tamper Protection is officially dead.
Log in as a Local Administrator, open an elevated Command Prompt, and rip out the leftover services:
DOS
sc delete csagent
sc delete csboot
sc delete csdevicecontrol
4. Nuke the Leftovers Open File Explorer and delete the C:\Program Files\CrowdStrike directory so it does not trigger false positives on your vulnerability audits. Finally, open regedit and verify that the keys under HKLM\SYSTEM\CurrentControlSet\Services for the three services deleted above are actually gone.
The "Why" (Root Cause)
Why do we have to go through this extreme process? Enterprise Endpoint Detection and Response (EDR) platforms like CrowdStrike, SentinelOne, and Sophos utilize an anti-tampering mechanism integrated directly into the Windows ELAM architecture.
This architecture allows the security vendor to launch their driver first, immediately after the Windows bootloader, before any user space applications or other drivers can start. Once loaded, the EDR explicitly denies "Write" and "Delete" access to its own files and registry keys, even if the user requesting the action is the NT AUTHORITY\SYSTEM account. Without the cloud generated maintenance token to temporarily pause this protection, the file locks are mathematically unbreakable from within the active OS.
Under the Hood (Technical Deep Dive)
By executing the rename command in WinRE, we are exploiting the way the Windows Service Control Manager (SCM) handles startup execution.
The SCM reads the Windows Registry to build a list of drivers that must be loaded during the boot sequence. It looks at the ImagePath key for the csagent service, which points to \SystemRoot\System32\drivers\CrowdStrike\csagent.sys. Because we renamed the folder to CrowdStrike_bak while the OS was offline and helpless, the SCM follows the path, finds nothing, logs a "File Not Found" error, and simply moves on to the next driver. The tamper protection code never executes, leaving the registry keys and program files completely unprotected and ready for standard deletion.
RMM & Automation Tips
- The Post Reboot Cleanup Script: While you cannot script the WinRE portion, you can absolutely script step 3 and 4. Build a PowerShell script that stops any lingering CS processes, runs the
sc deletecommands, and forces a recursive deletion of the Program Files directory. Keep this script handy in your RMM to push out the exact second the tech reboots the machine from the physical WinRE intervention.
Troubleshooting & Edge Cases
- Edge Case 1: The Boot Loop. Very rarely, if the machine is using a heavily customized boot sequence, removing the ELAM driver ungracefully will cause a blue screen loop. If this happens, boot back into WinRE, unlock the drive again, and use the
regeditcommand to load the offlineSYSTEMhive. Navigate toControlSet001\Services\csagentand change theStartvalue to4(Disabled). This tells the kernel to gracefully ignore the missing driver. - Edge Case 2: The Unkillable Sensor. If the
sc deletecommands throw an "Access Denied" error even after renaming the drivers folder and rebooting, a secondary scheduled task or WMI hook might have re-enabled a backup protection module. Boot the machine into Safe Mode without Networking and run thesc deletecommands from there to bypass the secondary hook.
If you want to see more guides, scripts, and technical deep dives just like this, make sure to follow us on Twitter, check out our Facebook page, and sign up for the weekly 404+ newsletter! ✌️