Tuesday, January 6, 2026

What caused the Windows Blue Screen attributed to CrowdStrike?

In a YouTube video, David William Plummer, a former Microsoft software engineer who developed the Windows Task Manager, discussed how a CrowdStrike update could have caused Windows to crash. Plummer explained that CrowdStrike Falcon is an anti-malware program for Windows servers that runs as a kernel device driver, giving it full access to the computer’s operating system at “Ring Zero”. This is different from user applications that run at “Ring One” and should not affect the entire system if they crash.

Plummer mentioned that Microsoft offers WHQL certification for device drivers to ensure compatibility with Windows. However, he noted that this process is too slow for anti-malware programs like CrowdStrike, which need to release frequent updates to combat new threats. Plummer speculated that CrowdStrike may release definition files that its Windows kernel driver processes without going through WHQL certification, potentially leading to risky situations.

By analyzing crash dumps, Plummer discovered that a “null pointer reference” in the CrowdStrike device driver caused unexpected behavior. He highlighted the driver’s lack of resilience and error-checking, noting that these issues could result in system crashes. Plummer also mentioned the challenge of removing rogue kernel drivers that prevent Windows from starting up, particularly when they are marked as boot-start drivers like CrowdStrike.
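An added example, not code from Plummer's video or from CrowdStrike: a C routine showing the kind of error-checking the paragraph above describes as missing, where a definition blob is validated before any pointer derived from it is used. The file layout, `def_lookup`, `def_rule_matches` and the sample blobs are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout, constructed for this example (little-endian u32 fields):
 *   magic | count | count x { offset, length } | pattern bytes; offsets from blob start */
#define DEF_MAGIC 0x31464544u /* bytes "DEF1" */
enum def_status { DEF_OK, DEF_ENULL, DEF_ETRUNC, DEF_EMAGIC, DEF_EINDEX, DEF_ERANGE };
/* Constructed samples: one well-formed blob, one whose entry points out of bounds. */
static const uint8_t GOOD_BLOB[20] = { 'D','E','F','1', 1,0,0,0, 16,0,0,0, 4,0,0,0, 'E','V','I','L' };
static const uint8_t BAD_BLOB[20]  = { 'D','E','F','1', 1,0,0,0, 0xF0,0xFF,0xFF,0xFF, 4,0,0,0, 0,0,0,0 };
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Resolve rule `index` to a pointer and length inside `blob`, or fail closed. */
enum def_status def_lookup(const uint8_t *blob, size_t len, uint32_t index,
                           const uint8_t **out, uint32_t *out_len) {
    if (!blob || !out || !out_len) return DEF_ENULL;
    *out = NULL; *out_len = 0;
    if (len < 8) return DEF_ETRUNC;
    if (rd32(blob) != DEF_MAGIC) return DEF_EMAGIC;
    uint32_t count = rd32(blob + 4);
    if (count > (len - 8) / 8) return DEF_ETRUNC;   /* table must fit; no overflow */
    if (index >= count) return DEF_EINDEX;
    const uint8_t *e = blob + 8 + (size_t)index * 8;
    uint32_t off = rd32(e), n = rd32(e + 4);
    size_t table_end = 8 + (size_t)count * 8;
    if (off < table_end || off > len || n > len - off) return DEF_ERANGE;
    *out = blob + off; *out_len = n;
    return DEF_OK;
}

/* Caller: 1 = match, 0 = no match, -1 = rule rejected (never dereferences NULL). */
int def_rule_matches(const uint8_t *blob, size_t len, uint32_t index,
                     const uint8_t *data, size_t data_len) {
    const uint8_t *pat; uint32_t n;
    if (def_lookup(blob, len, index, &pat, &n) != DEF_OK) return -1;
    if (!data || n == 0 || n > data_len) return 0;
    for (size_t i = 0; i + n <= data_len; i++)
        if (memcmp(data + i, pat, n) == 0) return 1;
    return 0;
}
int main(void) {
    const uint8_t s[] = "xxEVILxx"; /* constructed scan input */
    printf("good=%d bad=%d\n", def_rule_matches(GOOD_BLOB, 20, 0, s, 8),
           def_rule_matches(BAD_BLOB, 20, 0, s, 8));
    return 0;
}
```

A malformed blob yields a status code the caller can log and skip, rather than a pointer that faults when dereferenced.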

Overall, Plummer pointed out the limitations of Microsoft’s certification process and the need for better safeguards to prevent similar incidents in the future.