2024-07-23

In a YouTube video, David William Plummer, a former Microsoft software engineer who developed the Windows Task Manager, described how the CrowdStrike update could have caused Windows to halt.

He described CrowdStrike Falcon as anti-malware for Windows servers that “proactively detects new attacks” by analysing application behaviour. To do this, CrowdStrike needs to run as a kernel device driver.

Kernel device drivers usually provide a way to abstract hardware, such as graphics cards, from applications. When they run, they generally have full access to the computer and operating system and, in operating system terminology, they are said to run at “Ring Zero”. This is different from application code, which runs in the operating system’s user space, known on x86 processors as “Ring Three”.

The difference, as Plummer notes, is that when a user application crashes, nothing else on the computer should be affected: the operating system simply ends that process. However, a fault in code running at Ring Zero is considered so serious that the operating system immediately halts, since a kernel whose own code has just failed can no longer be trusted to keep running safely. In Windows this results in the so-called Blue Screen of Death.
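The two claims above, that application code runs at Ring Three and that a user-mode fault kills only the faulting process, can both be checked from user space. The following is an added example written for this page; it is not code from the article or from Plummer's video. It assumes an x86-64 POSIX system (Linux or macOS); on Windows the child process would be created with CreateProcess and inspected through its exit code instead, and on non-x86 processors the ring number is reported as -1 because ring numbering is an x86 concept.

```c
/* Added example, not from the article or Plummer's video.
 * Assumes x86-64 Linux/macOS.
 * 1) current_ring(): read the current privilege level from the low two
 *    bits of the CS segment selector. Application code sees 3 (Ring Three);
 *    only code inside the kernel would see 0 (Ring Zero).
 * 2) fault_in_child(): fork a child that dereferences a null pointer. The
 *    child dies with SIGSEGV while the parent, and the operating system,
 *    carry on. A kernel-mode driver has no such container around it, which
 *    is why the same fault at Ring Zero stops the whole machine. */
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns the CPU privilege ring this code runs in (0..3), or -1 if not x86. */
int current_ring(void) {
#if defined(__x86_64__) || defined(__i386__)
    uint16_t cs;
    __asm__ volatile("mov %%cs, %0" : "=r"(cs));
    return cs & 3;   /* RPL bits of the loaded CS equal the CPL of running code */
#else
    return -1;       /* other ISAs use different privilege models */
#endif
}

/* Runs a deliberately faulting access in a child process.
 * Returns the signal that killed the child (SIGSEGV expected),
 * 0 if the child somehow exited normally, or -1 on fork/wait error. */
int fault_in_child(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        signal(SIGSEGV, SIG_DFL);   /* make sure no handler swallows the fault */
        volatile int *p = NULL;     /* volatile so the compiler keeps the access */
        int v = *p;                 /* user-mode fault: only this process dies */
        _exit(v);                   /* not reached */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    return 0;
}

int main(void) {
    printf("this code runs in ring %d\n", current_ring());
    int sig = fault_in_child();
    printf("child died with signal %d (SIGSEGV is %d); parent still running\n",
           sig, SIGSEGV);
    return 0;
}
```

Run it and the first line prints ring 3 on any x86-64 machine, regardless of whether the process is root: privilege rings are a CPU concept, not an operating-system account concept, which is exactly why a driver loaded into the kernel gains more than any administrator-level application can. The second line shows the parent surviving its child's crash; a kernel driver that made the same bad memory access would instead trigger a bug check.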

“Even though there’s no hardware device that it’s really talking to, by writing the code as a device driver, CrowdStrike lives down in the kernel Ring Zero and has complete and unfettered access to the system data structures and the services that CrowdStrike believes it needs to do its job,” said Plummer.