
Not providing a way to inspect those data except from within kernel drivers (or whatever Windows calls them.) The huge HN thread about what happened weeks ago had some comments about Linux using eBPF to get the same kind of information Crowdstrike needs and Macs having another technology to do the same thing. In both cases the kernel won't crash and take down the machine. Of course it's possible to hog a machine from user space and make it unusable.


And in turn, Microsoft blames the EU for forcing them to allow an external vendor to have kernel-level access https://www.euronews.com/next/2024/07/22/microsoft-says-eu-t.... Lots of finger-pointing going around here.


People also pointed out that bugs in Red Hat's and Debian's kernels caused CrowdStrike's non-buggy eBPF drivers to hang the system a few months prior (as they would for any code calling similar eBPF methods). Having the API is not enough, though in this case CrowdStrike couldn't really help it as none of their supported platforms were affected.



