Microsoft has publicly acknowledged the existence of the Global Device Identifier (GDID), a device-specific ID assigned to Windows installations, in a federal complaint filed by US prosecutors against an alleged member of the Scattered Spider hacking group.
The ID is generated when Windows is set up with a Microsoft Account, persists through Windows updates, and cannot be disabled without affecting Windows activation and Microsoft Store apps.
Microsoft briefly mentioned GDID in the Azure Monitor documentation, describing it only as "an identifier used by Microsoft internally." The complaint cites a Microsoft representative describing GDID as "a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device, either a physical device such as a mobile phone or laptop or a virtual machine, across certain Microsoft services and scenarios."
What the Windows Global Device Identifier Is and How the FBI Used It
The Global Device Identifier (GDID) is a permanent ID assigned when Windows provisions against a Microsoft Account. It is generated by a chain of Windows services.
The wlidsvc service requests a Device PUID from login.live.com, which is then registered into Microsoft's Device Directory Service by the Connected Devices Platform.
Delivery Optimization reports the GDID back to Microsoft when the PC shares or downloads updates. This identifier is stored in the Windows registry under HKCU\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties and formatted with a lowercase "g" prefix followed by a decimal number.
It is reported to Microsoft servers and remains persistent across Windows updates, but it is not retained after a clean reinstall. Microsoft has acknowledged that one user can have multiple GDIDs linked through their account, OneDrive, and activation history.
The FBI used the GDID to track Peter Stokes, alleged member of Scattered Spider, across VPN connections, proxy servers, and through four countries over roughly eight months.
According to the complaint, the GDID g:6755467234350028 was recorded visiting the ngrok signup page at the same time an account used in the attack was created via a Tzulo VPN proxy. Three hours later, the same GDID accessed a victim retailer's website through the same proxy.
... continue reading