It makes it easier for Microsoft to know where to push that very special Windows Update that installs whatever the NSA wants installed in the computer of some journalist, foreign politician, syndicalist, high level manager on a foreign company that competes with an American company and other such "extremists".
Privacy
Icon base by Lorc under CC BY 3.0 with modifications to add a gradient
Now for the version in plain English: Sign into Windows with a Microsoft Account, and a server assigns your installation a permanent ID number. Windows stores it locally, several background services read it, and it gets stamped onto activity your PC reports back to Microsoft.
Wait. I understand that this ID is used for Windows <> Microsoft communications. How did it escalate them to knowing that this ID was used to visit ngrok and the retailer's website? Does Windows report website visits? Does it append this ID to HTTP requests? Or what's the connection here?
My guess is oauth. He basically used fake Microsoft account to access services during the hack and them used his actual microsoft account to access something else. He used VPN for the hack but he connected from his actual IP to the second service. The only thing linking those was the GID. So they figured out his actual IP address and checked other logins from this IP around the same time and found out his other accounts.
The connection is that Windows records everything you do. So the FBI asks for every Windows user who accessed a specific site around a date/time and Microsoft can provide that.
You accessed a site over VPN? Your ISP has no idea it was you, , and the VPN didn't keep records, but Windows recorded that and sent it back to the mothership with your unique identifier.
glad i ditched window for home use around 1995
my guess is it's either of two things: edge history synced to ms account
Exactly it, and their claim that it is stored with bitlocker level encryption is obviously meaningless if they have the keys.
Fun fact, windows 11 backs up your bitlocker private key with Microsoft if you sign in with a Microsoft Account.
There’s a database somewhere with every bitlocker key to almost every Windows 11 device on earth.
I’m sure they let the NSA and the FBI right in. The CIA probably has sleeper agents working devops at Microsoft so they don’t even need to access it procedurally. $10 says Israel can access it too, because why the fuck not.
Take from the article: do these 20 steps to avoid
My take; use linux.
This is enough to never use Windows as your primary device.
stallmanwasright.jpg
notaboutthekiddiddling.jpg
fairpoint.jpg
Ok, that's enough. Bye Windows.
When Windows provisions a device against a Microsoft Account, a system service called wlidsvc talks to
login.live.comand gets back what Microsoft calls a Device PUID, a Passport Unique ID, inside the server’s SOAP response. Server assigned. Windows never computes it locally from anything on your PC. It receives a string and stores it.The PUID lands in your own registry hive, in plain text, at
HKCU\SOFTWARE\Microsoft\IdentityCRL\ExtendedPropertiesunder a value named LID. From there, the Connected Devices Platform, the same background service (cdp.dll, running as CDPSvc) that powers Phone Link, cloud clipboard, and Nearby Share, reads that PUID and registers it into Microsoft’s Device Directory Service, which is the identity graph behind all of Microsoft’s cross device features. There, the number gets a lowercase g stuck in front and gets written as g:decimal. Delivery Optimization then reports that same value back to Microsoft’s servers as UCDOStatus.GlobalDeviceId every time your PC shares or downloads update data peer to peer.
It likely uses the motherboard's burned-in TPM module API to generate the unique hardware ID on, and associate with the account/license.
It's quite interesting to compare the percent these civilian-scoped features are actually helping and not used for tracking and control of masses, since every accountable fraudster/killer/thief/professional knows about these and could not care less about it.
Yes, it may help for telemetry, and is great to have for an accountable business, which is understandable, but there's a hope these are not used against the civilian, too, respecting the personal lives and the right of human choice out there...
Ave Linux, the transparency, indeed...
The following is a related piece of information, yet I am sorry, but I am not sure about the accountability and accuracy of the paper, since it was written by the sorrowful LLM Claude:
- https://github.com/SmtimesIWndr/gdid-reversal
When Windows provisions a device against a Microsoft Account, a system service called wlidsvc talks to
login.live.comand gets back what Microsoft calls a Device PUID, a Passport Unique ID, inside the server’s SOAP response. Server assigned. Windows never computes it locally from anything on your PC. It receives a string and stores it.
It likely uses the motherboard's burned-in TPM module API to generate the unique hardware ID on, and associate with the account/license.
Bruv... it literally says exactly on the statement you quoted that the ID is generated by Microsoft, and explicitly that its not generated on the device. Why would you then go on to speculate that its generated on device by the TPM...?
AFAIK the TPM doesn't generate anything, its role is for storing cryptographic information - not creating it.
Motherboard TPM sends a cryptographically verifiable serial number ID to Microsoft -> Microsoft generates a Device PUID (this ensures all DPUIDs are in the same format) -> Microsoft send generated DPUID back to the device which is stored within the TPM and is cryptographically verifiable to applications which wish to access and know it, and ensure it is genuine and authentic.
TPMs all have a unique identifier burned into them.
Please do consider checking out how TPM is actually used.
SOAP in 2026? I need a REST.
I have terrible news for you about most payment processors and banks...
Everything after CORBA was a step backwards.
Microsoft being microsoft. Cancel Bill Gates, Windows is a trojan. Use linux.
If you're a hacker and use Windows, you deserve to get caught tbh
I'm more worried about other "enemies" of the American Regime, such as journalists, syndicalists, foreign politicians (including in "allied" nations) and even just people who have access to things as simple as internal strategical information in companies that compete with American companies.
I mean, once you have access to it thanks to things like the Cloud Act and the Patriot Act, it's not exactly hard to use internal access to Microsoft and LinkedIn systems to automate mass industrial espionage by linking people to certain positions in companies competing with American companies and specific computers to those people and then push a special Windows Update to track what they're doing and documents that pass through them (though with Windows 11 I bet the eavesdropping part is already done by default on all computers with the data sent to MS).
More so that they used the same Windows machine where they were signed in with their real personal Microsoft account as the machine they used for their illicit actions.
VPN only masks your source IP, not any of the other identifiers, of which we now know a new one.
So it's a unique id "stamped" to your Windows install during setup when you sign into a Microsoft account during the OOB setup experience. It gets stored in the machine's registry, and is used for uniquely identifying your hardware and tying it to a Microsoft account for licensing purposes.
It does not persist between reinstalls, and it is in a known registry location so therefore viewable and editable now that we know it's there. We don't yet know the exact effects of editing it, or how exactly they correlated it in this case with the person's network activity.
I expect we'll have some mitigation plan in the next few months. Obviously starting with the recommendations in the article.
Completely pulling this from my ass:
- There should be some ways for researchers to watch what accesses that registry key and when.
- Hypothetically, one could just randomize their GDID.
- Could target specific known ones to flood the data collected (everyone uses all zeros)
- Forge evidence against specific targets (collect the GDID off a target's machine, then set a VM to that and go nuts)
- or just randomly generate 1000 then activate Windows on all of them using MASgrave and rotate through them. Would probably need to randomly space out the activations, use generic hardware, and randomly shuffle the ones you used. Would also help to have multiple in use at once generating fake cover data to hide the real stuff in.
At this point it's probably easier to just go off grid than to try and make Windows "private".
Thats called ProcMon
Soooo, what does it stop Google or Meta from using same thing that Windows already offers to track users? Because as we all know, shit like this is NEVER only used by the good guys only.
Google has been tracking you for over 15 years, what you mean?
Not if you're not using any of their shit and actively blocking their garbage. But if they can just tap into the OS global ID that Microsoft slapped into the OS that's an issue.
What about Windows in a VM?
Switch SYSTEM and RESTRICTED permissions on the registry key to DENY. It might stop even RO access to that LID value.