Microsoft admits Windows 11 has a GDID tracker with no off switch

GBiT1 pts0 comments

Microsoft admits Windows 11 has a GDID tracker with no off switch, first documented publicly in an FBI hacker complaint

Facebook

Mail

RSS

Twitter

Youtube

Windows 11

Windows 10

Windows 10 PC Apps & Games

Privacy Policy

Contact Us

About us

Select Theme:

System

Light

Dim

Dark

Search

Sign in

Welcome! Log into your account

your username

your password

Forgot your password? Get help

Create an account

Create an account

Welcome! Register for an account

your email

your username

A password will be e-mailed to you.

Password recovery

Recover your password

your email

A password will be e-mailed to you.

Windows Latest

Windows 11

Microsoft confirms Secure Boot update failing on some Windows 11 PCs,…

Windows 11 rejuvenation list just got longer, with more legacy dialogs…

I installed Windows Movie Maker in 2026 and it uses 97%…

Microsoft admits a Windows 11 bug is eating up to 500GB…

Microsoft’s Link to Windows removes ghost PCs from your Android phone…

Windows 10

AllWindows 10 PC Apps & Games

Windows 10 is still getting Windows 11 features, but it’s only…

Windows 10 support quietly extended until Oct 2027, as users reject…

Windows 11 Taskbar vs Windows 10: What’s still missing in 2026?

Windows 10 KB5094127 improves File Explorer search, direct download links for…

Privacy Policy

Contact Us

About us

Select Theme:

System

Light

Dim

Dark

Trending:Remove Recall AI

New Start menu

Windows 11 25H2

New Windows 11 ISO

Windows 11 24H2

Windows 11 AI requirements

Restore WordPad

Home Microsoft

Microsoft

What is GDID, the Windows device fingerprint that helped the FBI catch a hacker

A 19-year-old walked through Helsinki airport in April 2026 carrying two 2TB hard drives and a ticket to Japan. He couldn’t make that flight. Finnish police stopped him on an Interpol Red Notice, and by July, US prosecutors had unsealed a federal complaint identifying him as Peter Stokes, an alleged member of the Scattered Spider hacking group, wanted over a May 2025 breach of a US luxury jewelry retailer that ended in an $8 million ransom demand.

No, we haven’t suddenly turned into a crime reporting publication, but it was Microsoft that handed the FBI a way to trace Stokes’ Windows PC across VPNs, proxy servers, and three countries. The tool is called a Global Device Identifier, or GDID , and outside a handful of enterprise documentation pages, most Windows users had never heard the term before this case made it public.

We went through the full 39-page complaint, cross checked it against independent reverse engineering of how Windows generates and transmits this identifier, and fact checked the technical claims since the story broke. Here is everything you need to know about GDID, how it caught Stokes, and what it means if you are one of the 1.6 billion people using Windows PCs.

What is GDID, and where does it come from

The complaint quotes a Microsoft representative describing the GDID as "a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device, either a physical device (e.g., a mobile phone or laptop) or virtual machine, across certain Microsoft services and scenarios"

A Global Device ID (GDID) is a permanent, unique digital fingerprint that Microsoft automatically assigns to your computer when you install Windows or sign into a Microsoft account.

Microsoft uses it to manage software licensing and Windows Store apps, but because it links all your online activities on that computer back to a single identity, law enforcement can use it to track a device’s true owner across the internet

It survives Windows updates. It does not survive a clean reinstall, and Microsoft’s footnote in the complaint admits "one Microsoft user could have multiple GDIDs" over the life of a single account.

Microsoft said what the GDID does without saying where it is inside Windows. For that, independent researchers had to reverse engineer it, because Microsoft has published exactly one sentence about GDID in the Azure Monitor reference for Delivery Optimization reporting, where a column called GlobalDeviceId is described only as "Microsoft global device identifier. This is an identifier used by Microsoft internally."

How Windows generates a GDID

The real chain starts with the Microsoft Account service.

When Windows provisions a device against a Microsoft Account, a system service called wlidsvc talks to login.live.com and gets back what Microsoft calls a Device PUID, a Passport Unique ID, inside the server’s SOAP response. Server assigned. Windows never computes it locally from anything on your PC. It receives a string and stores it.

The PUID lands in your own registry hive, in plain text, at HKCU\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties under a value named LID. From there, the Connected Devices Platform, the same background service (cdp.dll, running as CDPSvc) that powers Phone Link , cloud clipboard , and Nearby Share, reads...

windows microsoft gdid device account password

Related Articles