Windows GDID: What You Need to Know Before Your Next Security Review
The Scattered Spider complaint (July 2026) introduced something to public record: Microsoft’s Global Device Identifier, cited as g:6755467234350028 - a persistent, device-level identifier the FBI used to tie a suspect to a Windows installation across IPs and browsing history. A Microsoft representative described it as “a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device, either a physical device (e.g., a mobile phone or laptop) or virtual machine, across certain Microsoft services and scenarios.”
The viral takes got it wrong (128-bit? hardware-derived?). The researcher who actually traced the packets and read the binaries got it right. This is the CISO briefing. The full debunk with every ETW capture, SOAP response, and registry path is linked below.
What It Actually Is
64-bit MSA Device PUID. A Passport Unique ID assigned by login.live.com when Windows provisions a Microsoft Account. Not derived from hardware - a reinstall gives you a new one, which is how you know it’s not a serial number hash.
The full provisioning chain runs through wlidsvc.dll, which sends a Passport PPCRL SOAP request to Microsoft’s identity servers. The server responds with a <ps:DevicePUID> value parsed from the HWPUIDFlipped response field. The client stores it in cleartext at:
HKCU\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties\LID
The Connected Devices Platform (cdp.dll / CDPSvc) reads it via GetStableDeviceIdFromProvider and registers it into Microsoft’s Device Directory Service (DDS) - the graph behind Phone Link, cloud clipboard, and activity sync. Delivery Optimization surfaces it as UCDOStatus.GlobalDeviceId in Azure Monitor, described as “Microsoft global device identifier… used by Microsoft internally.”
Find yours in one command, no admin needed:
$hex = (Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties').LID
"g:$([Convert]::ToUInt64($hex,16))"
Don’t post the output. Your device PUID plus your account CID (0003...) plus your user SID is enough to de-anonymize you. The only safe value to quote is the court’s - g:6755467234350028, hex 0x0018000FCB8CB93CC, already public record.
The Part the Researcher Got Wrong (and Fixed)
The original analysis assumed the GDID required a Microsoft Account. The author publicly corrected this: “CDP has an anonymous device path that is used if no MSA has been connected.” This means even air-gapped-ish machines or local-account-only deployments still generate GDIDs through CDP’s fallback registration.
What You Can Do
- Kill CDPSvc and CDPUserSvc - stops the graph sync and activity uploads. Settings → Privacy → Activity History → toggle off.
- Deleting
%LOCALAPPDATA%\ConnectedDevicesPlatformalone won’t help - the PUID comes back from the identity store atHKCU\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties. - A reinstall gives you a new GDID - the complaint says so. But it gets a fresh one the moment it registers again.
- Local account doesn’t avoid it - CDP’s anonymous path means even offline-first setups generate GDIDs.
What This Means for Your Org
This is not a novel vulnerability. It’s a structural identifier baked into how Windows talks to Microsoft’s cloud. The Connected Devices Platform protocol - designed for cross-device scenarios - is the transport. The MSA identity stack is the source. The whole thing is documented in Azure Monitor as a regular telemetry column.
For context: Meta pulled off something more aggressive. Between September 2024 and June 2025, Facebook and Instagram silently listened on fixed localhost ports on Android. When a user browsed any site containing a Meta Pixel - even in incognito mode or behind a VPN - the Pixel sent tracking data to localhost, where the app was waiting. The EFF called it “an egregious new tracking technique.” A class action lawsuit (Rose v. Meta) survived a motion to dismiss in May 2026 with potential damages estimated at $32 billion. Separately, Meta’s Pixel was found exfiltrating patient data from hospital websites - appointment details, medication names, doctor names - triggering the In re Meta Pixel Healthcare Litigation class action. Meta has faced over €1.2 billion in GDPR fines for related data handling issues.
Microsoft’s GDID is less brazen and more foundational. It doesn’t exfiltrate data actively - it’s a registration token that authenticates device graph endpoints. But it’s a court-admissible persistent link between a Windows installation and a Microsoft Account. The FBI has now demonstrated exactly how to use it.
The Full Debunk
The original writeup traces the complete chain: wlidsvc.dll provisioning the device with login.live.com, the SOAP response parsing (HWPUIDFlipped), the registry store, the CDP registration into DDS, and the Delivery Optimization reporting surface. Every claim confidence-tagged ([COURT], [OBSERVED], [STATIC], [ASSESSED]). Public PDBs, live ETW capture on Windows 11 build 26200, reproducible methodology.
Go read it if you need the evidence for your board or your legal team. It’s the source document for everything above.
One More Thing
I once demoed a robust air-gapped audit system - using LLMs and small language models to automate security auditing, completely offline, no network egress, for a well-known government organization. Their response: “We’re concerned this system could have backdoors.”
That organization runs 100% of its estate on Microsoft Windows. Every user. Every laptop. Every desktop.
Every single one has a GDID.
TL;DR
- GDID = 64-bit MSA Device PUID, server-assigned by
login.live.com, not hardware-derived. Source (Tom’s Hardware) - Lives in your registry at
HKCU\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties\LID. Source (researcher writeup) - Not fully opt-outable - CDP has an anonymous path even without a Microsoft Account. Source (same)
- Already used in federal court to attribute activity to a device across IPs and reinstalls. Source (iTnews)
- Meta parallel - same class of persistent identifier problem, different surface area. Meta’s localhost tracking faced a $32B class action and their Pixel triggered healthcare data litigation.
- Full technical breakdown with sources at github.com/SmtimesIWndr/gdid-reversal
The viral takes were wrong. The researcher who actually traced the packets and read the binaries got it right.
#En #Microsoft #Windows #Privacy #Security #Compliance #GDPR