Dear Crowdstrike, you insisted on software with "god level" privs.
It’s not as if Microsoft leaves them a whole lot of choice. Since Windows NT 3.1, Windows has only ever supported two of the four Intel rings of execution — Ring 0 (kernel mode) and Ring 3 (user mode). If drivers had the option of running in Ring 1 they could potentially be isolated when they misbehave without risking corrupting kernel structures — but that option doesn’t exist. The only place where CrowdStrike Falcon Sensor can functionally run on Windows is in Ring 0. That’s a Windows architecture flaw IMO.
AFAIK there are no sufficient APIs to allow Ring 3 processes in Windows to monitor kernel events.
In contrast, on macOS CrowdStrike Falcon Sensor runs as a System Extension entirely in user space (Ring 3 on Intel; I’m not sure if Apple Silicon uses the same notation). It used to be a kext (kernel extension) that ran in Ring 0/kernel mode, but after Apple introduced Endpoint Security Framework (and limitations to running/installing kexts on Apple Silicon) CrowdStrike redeveloped Falcon Sensor to use these new facilities to run completely in Ring 3. Had this flaw hit macOS, the OS simply would have isolated the misbehaving Falcon Sensor without crashing the system.
So I’d say it’s less that CrowdStrike “insisted” on “god level” privs on Windows than it is that they don’t have any choice. Where they do have choice (macOS) they run in plain old user mode — and by all accounts, continue to function just as well as they ever did running in kernel mode.
Yaz
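To make the macOS side of the argument concrete, here is a minimal Endpoint Security client written as an added example. It is not code from the post above and not CrowdStrike's Falcon Sensor; it only shows the shape of the Apple API the post refers to: a plain user-space process asks the kernel to deliver process-exec notifications and handles them in a block. It assumes macOS 10.15 or later, a build signed with the com.apple.developer.endpoint-security.client entitlement, and execution as root; without those, es_new_client returns an error code rather than a client.

```objective-c
// Added example (not from the post, not CrowdStrike code): a minimal
// Endpoint Security client that observes process-exec events from user space.
// Build (macOS 10.15+):
//   clang -fobjc-arc -framework Foundation -framework EndpointSecurity es_exec_monitor.m -o es_exec_monitor
// Assumptions: the binary carries the com.apple.developer.endpoint-security.client
// entitlement and is run as root; otherwise es_new_client fails
// (e.g. ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED / ERR_NOT_PERMITTED).
#import <Foundation/Foundation.h>
#import <EndpointSecurity/EndpointSecurity.h>
#import <dispatch/dispatch.h>
#include <stdio.h>

// ES string tokens are not NUL-terminated, so print them by length.
static void print_token(const char *label, es_string_token_t tok) {
    printf("%s%.*s", label, (int)tok.length, tok.data);
}

int main(void) {
    es_client_t *client = NULL;

    // The handler block runs on an ES-managed queue for every subscribed event.
    // NOTIFY events are informational only: this client cannot veto them, so a
    // slow or crashed handler affects this process, not the kernel.
    es_new_client_result_t res = es_new_client(&client,
        ^(es_client_t *c, const es_message_t *msg) {
            if (msg->event_type != ES_EVENT_TYPE_NOTIFY_EXEC) return;
            print_token("exec: ", msg->event.exec.target->executable->path);
            print_token("  (parent: ", msg->process->executable->path);
            printf(")\n");
        });

    if (res != ES_NEW_CLIENT_RESULT_SUCCESS) {
        fprintf(stderr, "es_new_client failed: %d\n", (int)res);
        return 1;
    }

    // Subscribe to exec notifications only; other event types can be added
    // to this array without any kernel-mode code.
    es_event_type_t events[] = { ES_EVENT_TYPE_NOTIFY_EXEC };
    if (es_subscribe(client, events, 1) != ES_RETURN_SUCCESS) {
        fprintf(stderr, "es_subscribe failed\n");
        es_delete_client(client);
        return 1;
    }

    // Events arrive asynchronously; keep the process alive.
    dispatch_main();
    return 0;
}
```

The point of the example is where the code lives: everything above is an ordinary Ring 3 process talking to the kernel through a framework, so a fault in the handler block terminates this process and the kernel keeps running. That is the isolation property the post describes, and it is a defensive design worth understanding regardless of which vendor's sensor is installed.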