As some of you have heard in the news or experienced firsthand, Windows-based computers were recently brought down by a BSOD (blue screen of death) caused by a driver from the security company CrowdStrike. This affected both Windows-based workstations and servers. Today, I’d like to touch on what’s finally being done to keep this from happening in the future.
To explain what happened, we first need to get a little technical. Windows has two modes in which processes can run: user mode and kernel mode.
Most things that we interact with directly, such as the Windows interface, user programs, and printer drivers, tend to run in user mode. When these user mode processes fail, they affect little else. At most, the parent program may be halted.
Kernel mode is a lower-level construct. This is where device drivers run. It requires a much higher level of permission. Processes that go wrong in this mode will trigger Windows to protect itself from damage by bringing down the entire Windows session. This is why we see the BSOD.
The problem with CrowdStrike was that while its driver was certified to run in kernel mode, it was getting updated information from what that vendor calls a channel driver. This file would feed its associated kernel mode driver information on how to run. This worked fine until CrowdStrike released a faulty channel file. This caused their kernel mode driver to fail, which caused Windows to throw a BSOD. And since the channel file couldn’t get updated without Windows booting up properly, the condition would happen on all subsequent reboots. The fix for this was to boot an alternate copy of Windows, such as Windows PE or Windows recovery mode, and then remove the offending driver, after which Windows would boot normally.
This brings us to Microsoft’s recent decision. They will be working with security companies like CrowdStrike to move their drivers out of the Windows kernel. That way, if the drivers provided by these vendors were to fail, it would not take down Windows. This would make recovery much easier for users and administrators, as it would not affect Windows’ ability to complete its bootup cycle.
For more information:
Microsoft Reveals New Windows Security Update Plans (forbes.com)