Microsoft’s Hidden Windows GDID: Persistent Device Tracking Revealed

by Anika Shah - Technology
0 comments

Windows Global Device Identifier: Understanding the Persistent Tracking ID Used in Federal Investigations

The Global Device Identifier (GDID) is a persistent, device-level identifier assigned to Windows installations that allows Microsoft to track specific hardware across various services. Recently disclosed in a federal complaint against an alleged member of the Scattered Spider hacking group, the GDID enables long-term tracking of Windows devices even when users employ VPNs or proxy servers, as the ID remains constant across network sessions.

How the GDID Functions Within Windows

According to the federal complaint filed by U.S. prosecutors, the GDID is generated during the initial Windows setup process when a device is linked to a Microsoft Account. The identifier is created through a chain of internal Windows services: the `wlidsvc` service requests a Device PUID from login.live.com, which is then registered into Microsoft’s Device Directory Service via the Connected Devices Platform.

The identifier is stored in the Windows registry under `HKCUSOFTWAREMicrosoftIdentityCRLExtendedProperties`. It persists through Windows updates and is reported back to Microsoft servers whenever the operating system interacts with services like the Microsoft Store or Delivery Optimization. While a clean reinstallation of the operating system generates a new GDID, the identifier remains linked to a user’s account history, meaning that signing back into the same Microsoft Account often allows the company to correlate the new ID with previous activity.

Role in Federal Law Enforcement Investigations

The FBI utilized the GDID as a primary tool to track Peter Stokes, an alleged member of the Scattered Spider hacking group, over an eight-month period. Investigators were able to follow the suspect across multiple countries, including Estonia, Thailand, and the United States, by cross-referencing the GDID with IP addresses associated with various online accounts, such as Snapchat and Ubisoft.

The persistent nature of the GDID proved critical because it remained unchanged despite the suspect’s use of VPNs and proxy servers. While IP addresses changed frequently, the underlying Windows installation continued to transmit the same GDID. Prosecutors cited specific instances where the identifier was recorded accessing an attack-related account and a victim retailer’s website at the exact times an attack was underway. This digital trail allowed investigators to match travel timelines and hotel bookings with the device’s activity.

FBI REVEALS SCATTERED SPIDER HACKER GROUP TATICS

Privacy Concerns and User Controls

Security researchers have criticized the lack of transparency surrounding the GDID, noting that there is no user consent screen or simple opt-out mechanism. Unlike advertising identifiers on iOS or Android, which offer clear reset and privacy controls, the GDID is deeply integrated into the Windows activation and licensing framework. Blocking the assignment of a GDID can interfere with Windows activation and the functionality of Universal Windows Platform (UWP) apps.

While Microsoft has documented the GDID briefly in Azure Monitor technical references for enterprise administrators, it remains largely opaque to the average user. For those seeking to limit device-level tracking, experts suggest several defensive steps:

* Use Local Accounts: Opting for a local account during the Windows setup process—rather than signing in with a Microsoft Account—limits the extent to which the device is tied to a centralized identity.
* Adjust Privacy Settings: Users can navigate to “Privacy & security” in the Settings menu to disable optional diagnostic data, personalized ads, and activity history.
* Restrict Search Data: Turning off “Cloud Content Search” prevents local search queries from being sent to Bing.
* Alternative Environments: For high-stakes privacy needs, such as journalism or activism, security professionals often recommend using Linux-based systems routed through Tor, as commercial VPNs on a standard Windows installation do not mask the persistent device identifier.

Despite these measures, the GDID remains a core component of the Windows ecosystem. Microsoft has not announced any changes to the identifier’s generation or reporting practices following the public disclosure of its role in the Scattered Spider investigation.

Privacy Concerns and User Controls

Related Posts

Leave a Comment