• Some users have recently had their accounts hijacked. It seems that the now defunct EVGA forums might have compromised your password there and seems many are using the same PW here. We would suggest you UPDATE YOUR PASSWORD and TURN ON 2FA for your account here to further secure it. None of the compromised accounts had 2FA turned on.
    Once you have enabled 2FA, your account will be updated soon to show a badge, letting other members know that you use 2FA to protect your account. This should be beneficial for everyone that uses FSFT.

A Hacker's Arrest Reveals Microsoft Can Track Users Via a Windows Device ID

MrGuvernment

Fully [H]
2FA
Joined
Aug 3, 2004
Messages
24,095
We all know MS tracks everything, just adds something else, not to mention a "hacker" who I would more consider a script kiddie with no clue if they were using windows day to day for their activities...

A Hacker's Arrest Reveals Microsoft Can Track Users Via a Windows Device ID

https://www.pcmag.com/news/a-hackers-arrest-reveals-microsoft-can-track-users-via-a-windows-device

A Hacker's Arrest Reveals Microsoft Can Track Users Via a Windows Device ID​

The arrest of a teenage hacker has revealed that Microsoft can track a Windows PC and its online activity through a “Global Device ID" that seems to have no easy opt-out, sparking fears about potential surveillance.
Last week, the US announced it had extradited 19-year-old Peter Stokes from Europe for allegedly being a member of the notorious hacking group Scattered Spider. But the case stands out because Microsoft played a key role in linking Stokes to the suspected hacking crimes, according to an unsealed criminal complaint.
02VZVE6JO9dXqKyKowYhZzj-6.fit_lim.size_768x.png

(Credit: DOJ)
Stokes allegedly hacked an unnamed luxury jewelry retailer in May 2025 while using a VPN. The 39-page criminal complaint shows the FBI used Microsoft records to discover that his IP address was associated with a Microsoft device identifier known as Global Device ID (GDID).
“According to a Microsoft representative, a Global Device Identifier in the Windows ecosystem is a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device, either a physical device (e.g., a mobile phone or laptop) or virtual machine, across certain Microsoft services and scenarios," the complaint explains.
The global device ID isn’t exactly surprising, given that it's standard practice to assign a unique ID to each account or device so a tech provider can recognize and distinguish between them. But the complaint reveals Microsoft can associate the GDID with third-party services and the timing as well, giving Redmond a way to theoretically track a user’s online activity. In other words, Redmond might be able to track the online activity of your Windows PC without third-party browser cookies.
02VZVE6JO9dXqKyKowYhZzj-5.fit_lim.size_768x.png

(Credit: DOJ)
Stokes was discovered exploiting a web development tool called ngrok to bypass the jewelry retailer's network defenses. The complaint says Microsoft had records showing that on May 12, 2025, at 19:21 UTC, the GDID associated with Stokes’ computer “accessed, among other ngrok pages, 'https://dashboard[.]ngrok.com/signup,' the ngrok page to set up an ngrok account.”
The document adds that Microsoft records also showed the GDID accessing “multiple sites” from servers at Tzulo, a web hosting provider, to help pull off the hack.
02VZVE6JO9dXqKyKowYhZzj-7.fit_lim.size_768x.png

The GDID for Stokes' PC was allegedly 6755467234350028. (Credit: DOJ)
Hence, the fact that federal investigators used the Microsoft identifier to nab a suspected hacker is raising concerns that it could be abused for other surveillance purposes. “Microsoft Windows is surveillance software,” cybersecurity expert Matthew Hickey alleged in a tweet.
The device ID is mentioned briefly on this support page, but Microsoft hasn't otherwise commented on it publicly. According to the criminal complaint, a Windows user can reset the GDID on their own, although it's not easy. “A GDID remains consistent across Windows operating system updates on a device, but a reinstall of Windows, either on the same device or on a different device, will be tied to a new unique GDID,” the court document says. In a footnote, it adds, “Thus, one Microsoft user could have multiple GDIDs.”

Still, we suspect it wouldn’t be hard for Microsoft to tie a newly set GDID to the old one, since the company could look at other identifiers, such as a Microsoft account login or an IP address, and match them. In response to the surveillance potential, some users have already been exploring ways to contain and scrub the GDID identifier.
Meanwhile, cybersecurity researcher Costin Raiu is questioning whether other tech companies have the same surveillance capabilities, given the use of unique identifiers.
"I would also ask: how much of this is happening on Apple devices? Is it on the same scale? Is it happening at an even higher level — do they tie it to the hardware, so that even if you reinstall, it doesn’t matter, because it’s hardware-based?" he said in the Three Buddy Problem podcast. "Very likely it’s not unique to Microsoft. And probably, if you want to be fully anonymous, you may at some point have to use Linux, FreeBSD, whatever, for your development environments, and tunnel everything through proxies, Tor, VPNs, and such."
 
Microsoft's GDID is a unique variation on the RFC 4122 standard, and Apple follows the open UUID variation of that same standard.
Android uses the newer RFC 9562 UUID standard.
On the Apple platform, if you enable the Limit IP Address Tracking feature and set your Private Wi-Fi Address to Rotating, it will randomize your UUID every time you connect or disconnect from the WiFi network.
On Android, you can download tools to randomize your UUID, but it does not do it natively.
 
No surprise there. If you are signed into something (like a Facebook account, or a Google account or a Microsoft account in your OS) no method of concealing your origin like a VPN is going to be effective. They already know who you are by virtue of you signing in...
There are also tools out there that can track the VPN entry and exit nodes, and they are extremely adept at matching the traffic, essentially unmaking the VPN. Corelite and Vectra come immediately to mind.
And every website now has a high degree of tracking and fingerprinting, to the point where each one would meet the old definitions for being classified as spyware.
Even if you don't sign in to Meta or Google services, they can identify you based on the hole you leave behind
 
Microsoft's GDID is a unique variation on the RFC 4122 standard, and Apple follows the open UUID variation of that same standard.
Android uses the newer RFC 9562 UUID standard.
On the Apple platform, if you enable the Limit IP Address Tracking feature and set your Private Wi-Fi Address to Rotating, it will randomize your UUID every time you connect or disconnect from the WiFi network.
On Android, you can download tools to randomize your UUID, but it does not do it natively.

Its utterly ridiculous that they are even allowed to do this.

Its almost not worth even trying to avoid tracking these days, because it becomes a game of whack-a-mole you can never win. Disable or override one thing and twelve more pop up. Or your settings disabling the first are unceremoniously disregarded and re-enabled as soon as you stop looking.

Its absolutely disgusting. Makes me think we need to burn the whole system to the ground.
 
If you are signed into something (like a Facebook account, or a Google account or a Microsoft account in your OS) no method of concealing your origin like a VPN is going to be effective. They already know who you are by virtue of you signing in...
I struggle to make people realize this. They think they are safe just cuz they are on a VPN, then proceed to log into all their accounts which exposes them and gives them away anyways.
 
There are also tools out there that can track the VPN entry and exit nodes, and they are extremely adept at matching the traffic, essentially unmaking the VPN. Corelite and Vectra come immediately to mind.

Yup. From what I understand this still requires a bit of a state level actor though, from what I understand. If the FBI wants you and they have a warrant, there isn't much that is going to stop them. And honestly I don't have a problem with that. That's how the system is supposed to work. If you are trying to hide from police to commit crime, I have just about zero sympathy.

It's the other shit. The warrantless surveillance of everyone whether or not they are suspected of a crime, done by not just law enforcement but every single app, website or goddamn "smart" vacuum cleaner we didn't ask for that drives me up an absolute wall.

And every website now has a high degree of tracking and fingerprinting, to the point where each one would meet the old definitions for being classified as spyware.
Even if you don't sign in to Meta or Google services, they can identify you based on the hole you leave behind

There are some tools that can limit your exposure here (like clearing all cookies every time you restart your browser, using strong fingerprinting resistance, like randomized canvas, WebGL particulars, UserAgent's and the like) but it isn't easy, and god knows how well it actually works or if those sleazy pieces of shit have other ways of tracking us we don't even know of yet.
 
Its utterly ridiculous that they are even allowed to do this.

Its almost not worth even trying to avoid tracking these days, because it becomes a game of whack-a-mole you can never win. Disable or override one thing and twelve more pop up. Or your settings disabling the first are unceremoniously disregarded and re-enabled as soon as you stop looking.

Its absolutely disgusting. Makes me think we need to burn the whole system to the ground.
It is utterly pointless to avoid it, outside of keeping yourself safe from drive-by infections.

ISPs sell your traffic data; websites collect and trade visitor logs and their metrics. Everything collects enough "random", "anonymous" data that once it is all aggregated, it is no longer random, and certainly no longer anonymous. At best, you can control who you are giving your data away to, but you have no control over who is getting it.
Google collects analytics on at least 80% of the internet; let that sink in for a moment.
 
Yup. From what I understand this still requires a bit of a state level actor though, from what I understand. If the FBI wants you and they have a warrant, there isn't much that is going to stop them. And honestly I don't have a problem with that. That's how the system is supposed to work. If you are trying to hide from police to commit crime, I have just about zero sympathy.

It's the other shit. The warrantless surveillance of everyone whether or not they are suspected of a crime, done by not just law enforcement but every single app, website or goddamn "smart" vacuum cleaner we didn't ask for that drives me up an absolute wall.
ISPs sell the data, so while state actors can tell in real time, Netflix and the like can find out a week or so later, it's how they clamp down on account sharing, or how EA and the like attempt to stamp out cheaters.

Much to my wife's chagrin, I have configured the home firewall to block and scrub as much of that data leaving the house as I can, which breaks the Ads in her mobile games, so they either don't load or she watches them and doesn't get the in-game credit for watching them... I sympathize, but it's a small price to pay.
 
I struggle to make people realize this. They think they are safe just cuz they are on a VPN, then proceed to log into all their accounts which exposes them and gives them away anyways.
This, blame the false marketing from the likes of NordVPN and others claiming a VPN makes you safe, secure and private...

Yet people can not put 2 and 2 together "Well I am on a VPN and I signed into my facebook account, why am I getting these ad's and other things, it is supposed to be private" /facepalm.

Lakados similar for me and pfblocker, the DNSBL lists I have are huge, and the wife plays a couple games that do ad's, but for her, instead it fails to load them and she can get the reward anyways! :D
 
It is utterly pointless to avoid it, outside of keeping yourself safe from drive-by infections.

ISPs sell your traffic data; websites collect and trade visitor logs and their metrics. Everything collects enough "random", "anonymous" data that once it is all aggregated, it is no longer random, and certainly no longer anonymous. At best, you can control who you are giving your data away to, but you have no control over who is getting it.
Google collects analytics on at least 80% of the internet; let that sink in for a moment.
its fucked up but u are correct.
 
No surprise there. If you are signed into something (like a Facebook account, or a Google account or a Microsoft account in your OS) no method of concealing your origin like a VPN is going to be effective. They already know who you are by virtue of you signing in...

you can be tracked via GDID without signing into a microsoft (or any other) account, honestly I can't understand why anyone would be using a microsoft OS at this point so meh
 
you can be tracked via GDID without signing into a microsoft (or any other) account, honestly I can't understand why anyone would be using a microsoft OS at this point so meh
Most people, as we know, do not care or even consider the implications of the OS or device they use, the same people who upload their entire lives to social media every second of the day. We, the few, who know better have moved away as much as we can!
 
you can do some things about it ... comes with trade offs I guess.. and who knows if M$ breaks this with an update soon are not?

https://github.com/Korben00/no-gdid

What we proved (and what doesn't work)​


  • Reading your GDID works. It's right there in the registry.
  • Deleting it is cosmetic. Remove the key, restart wlidsvc, touch any Microsoftapp — it comes back identical from the server. It's anchored to your account.
  • Turning off "telemetry" (DiagTrack) does nothing. The GDID rides CDP/DeliveryOptimization, not classic telemetry. That common advice is wrong.
  • You can silence the reporting without signing out. Disable the CDP/DO services andblackhole their endpoints; the chain goes quiet while your Microsoft Account keepsworking. Caveat: DoSvc refuses Set-Service even as admin — it's disabled via theregistry Start=4 (see the write-up).
  • The past is gone. The PUID already exists server-side. Blocking reduces futurecorrelation; it doesn't retract what was sent.

Trade-offs​


Disabling these services breaks Delivery Optimization peer caching, Phone Link /"Continue on PC", and nearby sharing. wlidsvc and login.live.com are left alone soMicrosoft Account sign-in keeps working.
 
I'm not sure what the ramifications are but if you use microsoft sandbox it gets assigned a separate gdid than the host... which also seems to change if you close the sandbox and start another one.... 1st screen shot is host, 2nd is Sandbox instance 1 and the 3rd is after closing and resarting windows sandbox..


1783961750801.png
1783961668865.png
1783961931301.png
 

Attachments

  • 1783961720031.png
    1783961720031.png
    42.6 KB · Views: 0
While adopting technical adaptations (within reason and threat model for your usage ) ideologically motivated to push back against such tracking, create high amounts of "noise" in the signal to noise ratio for those mining such data, and other facets are worthy, it is going to take a regulatory and/or legislative solution to actually make changes.

I've often said that our privacy laws are 30 years out of date. Years ago everyone 'knew' that the NSA had the capability to do all manner of monitoring, but the threshold for them to deploy it on a target was relatively high. Over the years we've seen the bar lower immensely to both what circumstances state level actors are allowed to "help" and pass information to other agencies for increasingly spurious reasons (ie local police, DEA etc) while explaining throiugh parallel construction fables, loopholes in foreign "you spy on mine, I spy on yours, we compare notes" Five/Nine/Fourteen Eyes nonsense, and worse the increasingly invasive actions of monied private actors both independently and sharing with others. We could put an end to this if we were really motivated ,but its going to take a political campaign that will be assaulted by all sides (ie nothing to hide nothign to fear, won't someone think of the children, something something terrrorist something something pedophile, something something 'bad' political or ideological group etc..) and required a unity of purpose among those who may in other ways differ politically. Its only going to get worse with the massive increate of information out there if any of the KOSA / Proof-of-Age bills pass (never forget its the same people behind it stand to make profiteering gains from acting as middlemen or just vacuuming up all that data - https://github.com/upper-up/meta-lobbying-and-other-findings ) among other forms of enshittification - https://keepandroidopen.org/ - close in.

This does not mean the technical solutions are not helpful, but the level of time, effort, and energy will continue to advance and the compromises will continue to stack up unless we align ourselves to fight along the regulatory/legislative axis as well.
 
Back
Top