This is why I was saying you can't be using Windows

CaptainTrouble

Well-Known Member

Summary: Using a VPN + Windows defeats the VPN because Windows has its own Personal Identifier that a VPN doesn't protect from.​

Microsoft GDID Tracking: How Windows Caught a Hacker​


On July 1, 2026, the US Department of Justice and the FBI announced the extradition of a 19-year-old hacker. The US-Estonian citizen, Peter Stokes, was extradited from Finland to face trial in a Chicago federal court. Authorities accuse Stokes of joining the notorious “Scattered Spider” hacking syndicate. He allegedly participated in numerous cyberattacks. Furthermore, Stokes was arrested on April 10 at Helsinki Airport while attempting to travel to Japan. At that time, the United States had already issued an international arrest warrant.

Microsoft Aids Law Enforcement Through GDID​

Currently, the cybersecurity community is intensely debating this revelation. Documents released by the Department of Justice explicitly mention this tracking method. Microsoft utilizes the Global Device Identifier (GDID) to trace specific Windows devices. The GDID is a unique string generated during the initial Windows installation. Consequently, this identifier remains constant unless the user completely wipes the drive and reinstalls the operating system.

How Windows Telemetry Transmits Data​

The GDID transmits device activity through telemetry and Azure monitoring logs. Specifically, Microsoft can potentially link the GDID to precise web browsing activities. It also tracks IP address history, which persists even if the user activates a VPN. Furthermore, it reveals overall internet usage patterns. However, this topic remains controversial. Experts cannot yet confirm the exact scope of data Microsoft ultimately collects.

Tracking Scattered Spider Across the Globe​

As early as 2022, Microsoft had already identified Stokes. The GDID precisely matched the same Windows device across multiple global locations. These locations notably included Estonia, New York, and Thailand. Therefore, this telemetry perfectly aligned with the timeline of the criminal offenses. The device fingerprint allowed for precise identification and continuous tracking. This remained true even when the hacker utilized a VPN or relocated. By October 2024, Microsoft could positively identify Stokes. This breakthrough conclusively completed the attribution process.

The Hidden Power of Windows Analytics​

Microsoft rarely mentions the GDID in its public MSDN documentation. The company primarily utilizes this identifier for internal analytics. Nevertheless, this case highlights the formidable attribution capabilities of device-level telemetry. For instance, the cybersecurity account vx-underground remarked that Windows essentially betrayed Stokes. In a follow-up post, they further discussed the severe implications of this tracking.

A Looming Debate over Privacy and Surveillance​

Many professional users and security researchers previously remained unaware of the GDID identifier. They certainly did not realize Microsoft could persistently track specific Windows devices. The Peter Stokes case likely represents the first large-scale public revelation of this capability. It clearly demonstrates the immense power of Windows telemetry in real-world law enforcement scenarios. Undeniably, this represents a massive victory for cyber attribution technology. Yet, it also serves as a sobering mirror. It reminds us that digital convenience constantly shifts our privacy boundaries.

Hardware Tracking Beyond the Hard Drive​

Notably, discussions within the security community reveal further concerns. A security researcher recently suggested that Microsoft also tracks users via TPM (Trusted Platform Module) chips. This implies that completely erasing a hard drive might be insufficient. Unless the user physically replaces the TPM chip, tracking could theoretically persist. Consequently, relying on a VPN or the Tor network would prove entirely futile. At the very least, Microsoft likely possesses the technical capability to achieve such tracking. However, no public documentation currently confirms this TPM-based surveillance method.

 
Upvote 6
Turth to be told there's always Linux. It's becoming more and more adopted everyday. Getting easier and easier to install and use.

Honestly for what 90% of people do on the computer documents, maybe some business watching online videos, email Linux is fine.
 
If you're trying to disable GDID (Global Device Identifier) in Windows 11, the short answer is: you can't.


GDID is a unique identifier that Windows assigns to each installation. Microsoft uses it internally for diagnostic telemetry, fraud detection, licensing, and security. There is no setting, registry edit, or Group Policy that disables or removes the GDID itself.


What you can do is reduce the amount of data associated with it:


  1. Settings → Privacy & security → Diagnostics & feedback
    • Turn off Send optional diagnostic data.
    • Turn off Tailored experiences.
    • Click Delete diagnostic data.
  2. Settings → Privacy & security → General (or Recommendations & offers on newer builds)
    • Turn off Personalized ads (Advertising ID).
    • Turn off App launch tracking.
    • Turn off Suggested content.

If you're asking because you saw the recent news that Microsoft used GDID information to help identify an alleged cybercriminal, that's referring to this internal Windows identifier. While you can minimize Windows telemetry, GDID itself cannot currently be disabled on Windows 11.


If your goal is maximum privacy, I can also show you the additional Group Policy settings and firewall rules that reduce Windows telemetry even further.
 
No serious hacker is using Windows. This guy was obviously in over his head.

This wouldn't be the reason to not use Windows, however. Whatever the OS, there is no good reason to be doing illegal shit like this. The OS to select depends on the type of work that you do. Windows is fine when you need maximum compatibility; MacOS is good for something solid/idiot proof for those that price isn't a concern; Linux is good for the slightly tech inclined to the real advanced users.

The reason this tracking thing is concerning is not because the idiot got busted, but for other legal and moral concerns. For example, let's say you had a whistleblower who leaked a bunch of government corruption, potentially the corrupt government can get this type of tracked details to expose and retaliate against the person. Another example would be having the tracking used to target political rivals. The danger is really more in what the state can do with the information more than the tech companies themselves.

This is why Internet anonymity is important and should be fought for. It's not for the stupid illegal shit. It's important also for places like this forum. Everything discussed here is legal, but it goes against the propaganda the Canadian government pushes. They have no right to know who operates or posts on this forum.
 
Back
Top