微软确认 Windows GDID 设备标识符无法禁用
Microsoft Confirms Windows GDID Device Identifier That Cannot Be Disabled

原始链接: https://www.ghacks.net/2026/07/12/microsoft-confirms-windows-gdid-device-identifier-that-cannot-be-disabled-documented-in-fbi-case-filing/

微软已承认使用“全局设备标识符”(GDID)。这是一个分配给关联了微软账户的 Windows 安装系统的持久性、设备特定 ID。在涉及黑客组织“Scattered Spider”的一起联邦案件中,该标识符被披露:它通过向微软服务器报告设备活动,在用户切换网络(包括使用 VPN 和代理)时对其进行追踪。 与 iOS 或 Android 上的追踪标识符不同,GDID 缺乏面向用户的控制选项、退出机制或明确的文档说明。它是 Windows 激活和微软商店功能运行所必需的,这意味着若将其禁用,将导致核心系统功能无法使用。虽然重新安装系统会生成新的 GDID,但再次登录同一个微软账户,即可让微软将之前的活动关联到新的 ID 上。 隐私研究人员批评了这种缺乏透明度的做法,一些人将其称为“监视”。尽管微软尚未宣布赋予用户对此标识符的控制权,但注重隐私的用户可以通过使用本地 Windows 账户、禁用遥测设置,或在进行敏感操作时选用 Linux 等注重隐私的操作系统来减轻追踪风险。

微软已证实 Windows 中存在一个无法禁用的持久性“GDID”(全局设备标识符)。Hacker News 上的讨论引发了人们对用户隐私和追踪问题的担忧,因为无论用户是使用微软账户登录还是使用本地账户,该标识符都会在 Windows 设置过程中自动生成。 评论者们就该标识符如何助长追踪行为展开了讨论。虽然一些人推测 GDID 可能通过 IP 地址与物理位置或用户活动相关联,但另一些人则认为,这种追踪很可能是通过 Microsoft Edge 的数据同步功能来实现的。Edge 中的相关设置(如允许微软存储浏览历史、收藏夹和使用数据以“改进”服务)在如何利用此类标识符方面可能起到了关键作用。此次讨论凸显了人们对现代 Windows 环境中遥测技术广泛应用的持续焦虑,以及在使用微软生态系统时保持匿名性的难度。
相关文章

原文

Microsoft has publicly acknowledged the existence of the Global Device Identifier (GDID), a device-specific ID assigned to Windows installations, in a federal complaint filed by US prosecutors against an alleged member of the Scattered Spider hacking group.

The ID is generated when Windows is set up with a Microsoft Account, persists through Windows updates, and cannot be disabled without affecting Windows activation and Microsoft Store apps.

Microsoft briefly mentioned GDID in the Azure Monitor documentation, describing it only as "an identifier used by Microsoft internally." The complaint cites a Microsoft representative describing GDID as "a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device, either a physical device such as a mobile phone or laptop or a virtual machine, across certain Microsoft services and scenarios."

What the Windows Global Device Identifier Is and How the FBI Used It

The Global Device Identifier (GDID) is a permanent ID assigned when Windows provisions against a Microsoft Account. It is generated by a chain of Windows services.

The wlidsvc service requests a Device PUID from login.live.com, which is then registered into Microsoft's Device Directory Service by the Connected Devices Platform.

Delivery Optimization reports the GDID back to Microsoft when the PC shares or downloads updates. This identifier is stored in the Windows registry under HKCU\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties and formatted with a lowercase "g" prefix followed by a decimal number.

It is reported to Microsoft servers and remains persistent across Windows updates, but it is not retained after a clean reinstall. Microsoft has acknowledged that one user can have multiple GDIDs linked through their account, OneDrive, and activation history.

The FBI used the GDID to track Peter Stokes, alleged member of Scattered Spider, across VPN connections, proxy servers, and through four countries over roughly eight months.

According to the complaint, the GDID g:6755467234350028 was recorded visiting the ngrok signup page at the same time an account used in the attack was created via a Tzulo VPN proxy. Three hours later, the same GDID accessed a victim retailer's website through the same proxy.

The device was cross-referenced with IP addresses linked to Stokes's accounts on Snapchat, Facebook, Apple, and Ubisoft across Estonia, New York, Thailand, and other locations. Stokes's public Snapchat photos matched hotel bookings, locations, and travel timelines associated with the GDID.

The persistent nature of the GDID across VPN sessions proved a key investigative asset. While VPN IP addresses change frequently, the underlying Windows installation continued reporting the same identifier, aiding investigators in their tracking efforts.

Why Privacy Researchers Are Concerned and What Users Can Do

Multiple security researchers have raised concerns about the visibility and control users have over GDID:

  • There is no consent screen when GDID is assigned. Apple's advertising identifier requires an App Tracking Transparency prompt with a visible reset. Android provides similar controls. GDID has neither.
  • Activation dependence. Massgrave, the group behind Microsoft Activation Scripts, has noted that Windows setup sends hardware info to Microsoft and receives identifiers back that are later used for Store access and licensing. Blocking GDID assignment breaks both activation and UWP apps.
  • Reinstalling Windows produces a new GDID, but signing back into the same Microsoft Account gives Microsoft a clear path to link the new identifier to previous activity.
  • Microsoft's public documentation of the identifier consists of one sentence in an Azure Monitor reference table for enterprise IT administrators.

Security researcher Matthew Hickey has characterized Windows as "surveillance software" in response to the case. Costin Raiu asked on the Three Buddy Problem podcast how much similar functionality exists on other platforms.

Users concerned about GDID have limited direct options because the identifier cannot be turned off without breaking core Windows functionality. Practical steps that reduce related tracking include:

  1. Use a local account instead of a Microsoft Account when possible. Windows 11 has made this harder in recent versions, but the option is still available during setup for users who know how to reach it.
  2. Turn off optional diagnostic data through Settings, Privacy and security, Diagnostics and feedback.
  3. Disable personalized ads and launch tracking under Privacy and security, Recommendations and offers.
  4. Turn off Cloud Content Search under Privacy and security, Search, to stop local searches from sending data to Bing.
  5. Review and disable Activity History and other telemetry options in Privacy and security settings.
  6. For journalism, activism, or domestic abuse situations where identifier persistence poses a threat, use Linux routed through Tor rather than relying on a commercial VPN with a Windows PC.

Users who reinstall Windows to obtain a new GDID should be aware that signing back into the same Microsoft Account provides Microsoft with data linking the new identifier to previous activity.

What GDID Means for Windows Users and How Widely It’s Deployed

For the approximately 1.6 billion Windows users worldwide, GDID has been operating quietly in the background without any public disclosure or user controls. The recent complaint revealed the existence of this identifier, but Microsoft has not committed to providing user-facing controls or documentation for regular users.

Users concerned about device-level tracking should be aware that the identifier is attached to the account, not the device, meaning reinstalling the OS does not break the link.

Most major operating systems maintain some form of persistent device identity for purposes like licensing and security checks, but Windows differs from platforms like Apple and Google by not offering visible controls.

Legal requests, such as subpoenas, can compel Microsoft to share GDID activity data with law enforcement, as exemplified by the Scattered Spider case. GDID is present on all Windows installations linked to a Microsoft Account.

Users cannot view their own GDID through standard Windows interfaces; it is stored in the registry at HKCU\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties under the LID key. Microsoft has not indicated any changes to how GDID is generated, stored, or reported.

The only public reference outside of the federal complaint is a brief note in Azure Monitor documentation. Users can monitor Microsoft's privacy updates, but the company has not signaled plans to provide more public information about GDID.

The Scattered Spider case is progressing through the US federal court system. For those interested in the technical details, reviewing the complaint's discussion of Microsoft telemetry offers the clearest public explanation of how GDID operates to date.

联系我们 contact @ memedata.com