GitHub Project Decodes Windows' Hidden Global Device Identifier 🔗
Reverse-engineers Microsoft's persistent GDID telemetry, revealing how it's generated, stored, and transmitted in Windows 11
Why this leads today The story leads because a described reversal mechanism for GDID systems—unprecedented in recent reporting—could signal a significant shift in how developer identities are managed or corrected on GitHub platforms.
A newly public GitHub repository, SmtimesIWndr/gdid-reversal, has drawn sharp attention from developers and security researchers by fully reverse-engineering Microsoft’s Global Device Identifier (GDID)—a persistent telemetry value named in a July 2026 federal criminal complaint tied to the Scattered Spider threat actor group. The project demystifies how Windows assigns and uses this identifier, clarifying widespread misconceptions about its origin, structure, and behavior.
Contrary to popular belief, the GDID is not a hardware-derived fingerprint tied to components like GPU or motherboard serial numbers.
Instead, it is a 64-bit Passport Unique ID (PUID) provisioned by the Windows Live ID service (wlidsvc) when a device registers with a Microsoft Account (MSA). The identifier is obtained from login.live.com, stored in the Windows registry, and subsequently read by the Connected Devices Platform (cdp.dll / CDPSvc) to register the device in the Device Directory Service (DDS) graph. From there, it is transmitted via Delivery Optimization as the documented UCDOStatus.GlobalDeviceId.
Critically, the project confirms that reinstalling Windows generates a new GDID—directly contradicting claims that it is based on immutable hardware traits. This finding, supported by live reproduction on a Windows 11 (26200) machine using public symbols, underscores that the GDID functions as a software-bound, account-linked device identifier rather than a hardware-based fingerprint. The repository includes detailed steps to locate one’s own GDID via a simple registry read, empowering users and auditors to verify its presence regardless of MSA login status—thanks to an anonymous device path used by CDP when no account is connected.
Each claim in the documentation is tagged with confidence labels: [COURT] for facts drawn from the federal complaint, [OBSERVED] for behaviors replicated in testing, and [STATIC] for static analysis conclusions. This transparency allows developers to assess the reliability of each assertion, making the project not just an exposé but a rigorous reference for understanding Windows telemetry at a low level.
The catch: While the project successfully maps the GDID’s lifecycle in Windows 11, it does not yet analyze how the identifier behaves in enterprise-managed environments, domain-joined systems, or under Group Policy restrictions that may alter telemetry flow—leaving open questions about its consistency across all Windows deployment models.
- Security auditors verifying Windows telemetry exposure
- Developers debugging device-ID-related authentication issues
- Researchers studying persistent identifiers in OS telemetry pipelines
Source: SmtimesIWndr/gdid-reversal — based on the project README.