HeadlinesBriefing favicon HeadlinesBriefing.com

Windows GDID Reverse Engineering Reveals 64-Bit MSA Device PUID

Hacker News •
×

A full reverse engineering of Windows' Global Device Identifier (GDID) exposes how Microsoft's persistent device fingerprint actually works. Named in the July 2026 DOJ complaint against alleged Scattered Spider member Peter Stokes, the GDID appears as g:6755467234350028 — a 64-bit decimal value, not the 128-bit hardware-derived identifier viral posts claimed. The court record explicitly states a Windows reinstall generates a new GDID, ruling out derivation from fixed hardware serials like GPU or motherboard identifiers.

The identifier originates in wlidsvc (Microsoft Account service), which provisions the device with login.live.com and receives a Device PUID — a Passport Unique ID assigned to the Windows installation. This value lands in the registry, then flows to the Connected Devices Platform (cdp.dll / CDPSvc), which registers it into Microsoft's Device Directory Service (DDS) graph behind Phone Link, cloud clipboard, and Nearby Share. CDP does not compute the ID; it consumes it as an opaque string from the identity stack via COM callbacks, storing it without transformation.

Delivery Optimization surfaces the GDID publicly in its UCDOStatus telemetry table alongside ISP, city, and country data — the only Microsoft documentation naming the value. The researcher reproduced the full registration handshake on Windows 11 build 26200 using public symbols and ETW captures, confirming the g:<decimal> format maps to a 0x0018 high-word namespace. Any Windows installation, even local-account machines, receives a GDID through CDP's anonymous device path.

The practical takeaway: GDID is a cloud-minted account identifier, not a hardware fingerprint. Users can read their own GDID from a single registry key. For privacy-conscious deployments, blocking CDPSvc's DDS endpoints (dds.microsoft.com, fd.dds.microsoft.com) prevents registration, though this breaks cross-device features. The research demonstrates that Microsoft's own court testimony aligns with the technical reality: GDID persistence survives updates but not reinstalls, making it a session-bound account token rather than a permanent device serial.