• 3 min read
Windows' hidden GDID helped FBI track alleged hacker
Microsoft confirmed a persistent Windows device ID that users can’t disable without breaking core features. It surfaced in a federal case tied to Scattered Spider.

Image: Hacker News
Microsoft has confirmed that Windows uses a persistent Global Device Identifier, or GDID, a device-level ID tied to installations set up with a Microsoft Account. The identifier came to light in a US federal complaint against an alleged member of the Scattered Spider hacking group, where prosecutors described how the FBI used it to follow activity across VPNs, proxies, and multiple countries.
Microsoft had previously referenced GDID only briefly in Azure Monitor documentation, calling it simply “an identifier used by Microsoft internally.” In the complaint, a Microsoft representative described it as “a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device, either a physical device such as a mobile phone or laptop or a virtual machine, across certain Microsoft services and scenarios.”
The filing says GDID is created when Windows is provisioned against a Microsoft Account and is generated through several Windows services. According to the article, wlidsvc requests a Device PUID from login.live.com, then the Connected Devices Platform registers it with Microsoft’s Device Directory Service. Delivery Optimization later reports the GDID back to Microsoft when a PC shares or downloads updates.
The ID is stored in the Windows registry at HKCU\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties and appears as a lowercase “g” followed by a decimal number. It persists through Windows updates, but not after a clean reinstall. Even then, the article says signing back into the same Microsoft Account gives Microsoft a way to link the new identifier to prior activity through account, OneDrive, and activation history.
In the case described by prosecutors, the GDID g:6755467234350028 allegedly helped investigators track Peter Stokes over roughly eight months. The complaint says that identifier visited the ngrok signup page at the same time an account used in the attack was created through a Tzulo VPN proxy. Three hours later, the same GDID accessed a victim retailer’s website through that same proxy. Investigators then linked the device to IP addresses associated with Snapchat, Facebook, Apple, and Ubisoft accounts across Estonia, New York, Thailand, and other locations.

Recommended reading
T-Mobile Expands T-Life Profiles as Ad Questions Linger
Privacy researchers cited in the article argue that users have little visibility or control here. There is no consent screen, no user-facing reset option, and no straightforward way to disable GDID without affecting Windows activation and Microsoft Store apps. The report notes that Apple and Android provide more visible controls for comparable identifiers.
For users trying to reduce related tracking, the article points to a few practical steps:
- Use a local account instead of a Microsoft Account where possible
- Turn off optional diagnostic data in Settings > Privacy and security > Diagnostics and feedback
- Disable personalized ads and launch tracking under Privacy and security > Recommendations and offers
- Turn off Cloud Content Search in Privacy and security > Search
- Review and disable Activity History and other telemetry settings
The article says GDID is present on all Windows installations linked to a Microsoft Account, and that users cannot view it through standard Windows interfaces. For now, the federal complaint remains the clearest public explanation of how it works.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via Hacker News


