Microsoft admits Windows 11 has a GDID tracker with no off switch, first documented publicly in an FBI hacker complaint
RSS
Youtube
Windows 11
Windows 10
Windows 10 PC Apps & Games
Privacy Policy
Contact Us
About us
Select Theme:
System
Light
Dim
Dark
Search
Sign in
Welcome! Log into your account
your username
your password
Forgot your password? Get help
Create an account
Create an account
Welcome! Register for an account
your email
your username
A password will be e-mailed to you.
Password recovery
Recover your password
your email
A password will be e-mailed to you.
Windows Latest
Windows 11
Microsoft confirms Secure Boot update failing on some Windows 11 PCs,…
Windows 11 rejuvenation list just got longer, with more legacy dialogs…
I installed Windows Movie Maker in 2026 and it uses 97%…
Microsoft admits a Windows 11 bug is eating up to 500GB…
Microsoft’s Link to Windows removes ghost PCs from your Android phone…
Windows 10
AllWindows 10 PC Apps & Games
Windows 10 is still getting Windows 11 features, but it’s only…
Windows 10 support quietly extended until Oct 2027, as users reject…
Windows 11 Taskbar vs Windows 10: What’s still missing in 2026?
Windows 10 KB5094127 improves File Explorer search, direct download links for…
Privacy Policy
Contact Us
About us
Select Theme:
System
Light
Dim
Dark
Trending:Remove Recall AI
New Start menu
Windows 11 25H2
New Windows 11 ISO
Windows 11 24H2
Windows 11 AI requirements
Restore WordPad
Home Microsoft
Microsoft
What is GDID, the Windows device fingerprint that helped the FBI catch a hacker
A 19-year-old walked through Helsinki airport in April 2026 carrying two 2TB hard drives and a ticket to Japan. He couldn’t make that flight. Finnish police stopped him on an Interpol Red Notice, and by July, US prosecutors had unsealed a federal complaint identifying him as Peter Stokes, an alleged member of the Scattered Spider hacking group, wanted over a May 2025 breach of a US luxury jewelry retailer that ended in an $8 million ransom demand.
No, we haven’t suddenly turned into a crime reporting publication, but it was Microsoft that handed the FBI a way to trace Stokes’ Windows PC across VPNs, proxy servers, and three countries. The tool is called a Global Device Identifier, or GDID , and outside a handful of enterprise documentation pages, most Windows users had never heard the term before this case made it public.
We went through the full 39-page complaint, cross checked it against independent reverse engineering of how Windows generates and transmits this identifier, and fact checked the technical claims since the story broke. Here is everything you need to know about GDID, how it caught Stokes, and what it means if you are one of the 1.6 billion people using Windows PCs.
What is GDID, and where does it come from
The complaint quotes a Microsoft representative describing the GDID as "a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device, either a physical device (e.g., a mobile phone or laptop) or virtual machine, across certain Microsoft services and scenarios"
A Global Device ID (GDID) is a permanent, unique digital fingerprint that Microsoft automatically assigns to your computer when you install Windows or sign into a Microsoft account.
Microsoft uses it to manage software licensing and Windows Store apps, but because it links all your online activities on that computer back to a single identity, law enforcement can use it to track a device’s true owner across the internet
It survives Windows updates. It does not survive a clean reinstall, and Microsoft’s footnote in the complaint admits "one Microsoft user could have multiple GDIDs" over the life of a single account.
Microsoft said what the GDID does without saying where it is inside Windows. For that, independent researchers had to reverse engineer it, because Microsoft has published exactly one sentence about GDID in the Azure Monitor reference for Delivery Optimization reporting, where a column called GlobalDeviceId is described only as "Microsoft global device identifier. This is an identifier used by Microsoft internally."
How Windows generates a GDID
The real chain starts with the Microsoft Account service.
When Windows provisions a device against a Microsoft Account, a system service called wlidsvc talks to login.live.com and gets back what Microsoft calls a Device PUID, a Passport Unique ID, inside the server’s SOAP response. Server assigned. Windows never computes it locally from anything on your PC. It receives a string and stores it.
The PUID lands in your own registry hive, in plain text, at HKCU\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties under a value named LID. From there, the Connected Devices Platform, the same background service (cdp.dll, running as CDPSvc) that powers Phone Link , cloud clipboard , and Nearby Share, reads...