In July 2026, the US Department of Justice made public a 39-page criminal indictment. The defendant was 19-year-old Peter Stokes, accused of hacking a US luxury jeweler in May 2025 and extorting $8 million. Stokes used VPNs, proxy servers, and circumvention tools, with IP addresses spanning four countries — Estonia, New York, Thailand, and others. By the usual logic, tracking someone on the internet breaks the moment the IP address changes.
But the FBI still found him. The decisive evidence was a string of digits auto-generated by Microsoft in his computer — g:6755467234350028.
That string is called GDID, short for Global Device Identifier. Before this indictment was made public, the vast majority of Windows users had never heard the name. The only place Microsoft publicly mentioned it was a single sentence, buried in Azure Monitor’s enterprise technical documentation.
Image: GDID is a permanent device identifier built into Windows. Source: Ghacks
What It Is: Your Computer’s “ID Number”
In the simplest terms: GDID is a permanent number Microsoft automatically assigns to your computer. The moment you install Windows, or sign in with a Microsoft account, this number is generated.
It isn’t a hardware code — hardware can be swapped. It isn’t an IP address — IPs can change. It’s an identity number “issued” to your machine by Microsoft’s servers, and once created, it stays bound to that computer’s Windows system forever, surviving system updates and network changes alike.
What does it look like? Usually a string of digits prefixed with “g:” — for example g:6755467234350028 — stored deep in the Windows registry, invisible to ordinary users. It runs silently in the background, periodically sent back to Microsoft’s servers alongside normal operations like Windows Updates, Store usage, and system-data reporting.
If the words “sent back to Microsoft’s servers” make you uneasy — that’s normal. You’re not alone.
How It Works: An Invisible Pipeline
GDID’s generation and reporting is like a fully automated pipeline, with zero room for user intervention.
Step one: when you sign in to Windows with a Microsoft account, a background service (called wlidsvc) automatically contacts Microsoft’s login server, login.live.com, and requests a device-specific identity number. The number is issued directly by Microsoft’s servers and handed to your computer.
Step two: the number is written into the Windows registry — at a location called HKCU\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties. It’s like a filing cabinet hidden deep in the system; on the surface, nothing shows.
Step three: several background services in Windows read this number. Features you use daily — “Phone Link,” “Cloud Clipboard,” “Nearby Sharing” — all call it. These services register the number into Microsoft’s “device directory service,” forming a complete device-identity graph.
Step four, the most critical: Windows’ “Delivery Optimization” feature — the one that helps you download updates quickly from other PCs on your LAN — reports the GDID number, along with your IP address and timestamp, to Microsoft’s servers every time it runs.
In other words, Microsoft knows not only that you have this number, but also which IP it used and when. String that information together and you get a complete device activity timeline.
How the FBI Used It to Catch Someone
Stokes thought he was clever. He hid his real IP with a VPN, relayed traffic through proxy servers, and even switched network identities across multiple countries. But he forgot one thing: no matter how the IP changed, the Windows system in his computer never changed.
According to the indictment, the FBI’s investigative path went roughly like this:
First, the victim jeweler’s website recorded the attacker’s IP address — belonging to a VPN provider called Tzulo. At the same time, investigators found the attacker had registered an account on ngrok (a network-tunneling tool) for the attack. The registration time and IP lined up.
Next, the FBI requested data from Microsoft: at this time, using this IP address, what was the device’s GDID number? The answer came back: g:6755467234350028.
Then the FBI queried in reverse: what other IP addresses had this GDID used? Microsoft’s records showed the same GDID appearing across Estonia, New York, Thailand, and more over eight months, each time connecting through a different VPN node.
Final step: the FBI cross-referenced these IPs with Stokes’ login records on Snapchat, Facebook, his Apple account, and the Ubisoft gaming platform — times matched, locations matched. Public photos he posted on Snapchat lined up perfectly with the travel timeline GDID recorded.
In April 2026, Stokes was intercepted by Finnish police at Helsinki airport as he prepared to fly to Japan. An Interpol red notice kept him off that plane.
Image: The FBI used GDID to track a suspect across VPNs and multiple countries. Source: WindowsLatest
Why This Is Unnerving
The controversy over GDID’s existence hinges on one fact: you can’t turn it off.
Apple’s phone advertising identifier can be reset by the user. Android offers similar controls. Apple even requires apps to pop up a consent prompt before tracking users — that “Allow app to request tracking” message.
GDID has none of that. No pop-up asking for consent. No toggle to turn it off. No button to reset it. Security researcher Matthew Hickey, commenting on the case, flatly called Windows “surveillance software.”
Even more uncomfortable is the transparency problem. Microsoft’s public description of this number is a single sentence in the entire Azure Monitor documentation: “Microsoft global device identifier. This is an identifier used internally by Microsoft.” One sentence, a dozen-odd English words. How it’s generated, how it’s transmitted, how long it’s stored, who can access it — none of it is explained.
Independent security researchers had to reverse-engineer GDID to understand how it works. They found: if you forcibly block GDID’s generation, Windows activation breaks and Store apps stop working properly. GDID is deeply bound to Windows’ core functions and can’t be unplugged on its own.
One more detail worth noting: in a footnote to the indictment, Microsoft admitted that a single Microsoft account can be linked to multiple GDIDs. That means even if you reinstall the system and get a new number, Microsoft can still tie the old and new numbers together via your account, OneDrive, activation records, and so on.
Every Side’s Position: No Single Answer
This isn’t a simple good-versus-bad story. Each party, from its own angle, sees a completely different picture.
From law enforcement’s perspective, GDID is a powerful forensic tool. In Stokes’ case, without GDID as a tracking anchor that pierces the VPN, the investigation might have stalled at a pile of unlinkable VPN IP addresses. GDID lets law enforcement penetrate the anonymity layer and tie criminal acts to a specific device. For criminals who hide behind technical means, it’s an effective check.
From a privacy-protection perspective, a permanent device identifier that can’t be disabled and requires no user consent is, by any standard, a design red flag. Its problem is that it is “theoretically usable for any purpose.” Today it’s the FBI’s criminal investigation; tomorrow it could be something else — ad networks? Insurance companies? Political surveillance? A system that reserves this tracking capability at the design stage won’t always be wielded by “the good guys.”
From Microsoft’s perspective, GDID’s original design goal wasn’t to track users — it’s mainly for managing software licensing, keeping the app store running, and supporting cross-device collaboration. But the problem is, once an identifier at this “infrastructure” level exists, it gets embedded into too many system components; removing it would mean rewriting Windows’ core architecture.
In the Lobsters discussion, one comment kept getting pushed back to the top: “If this doesn’t raise more people’s awareness, next time it won’t be about catching hackers.” Someone else said: “The real solution is to switch operating systems.” But switching operating systems isn’t a light decision for 1.6 billion Windows users.
Image: In Windows 11’s privacy settings, you’ll find no control option for GDID. Source: WindowsLatest
What You Can Do
Frankly, for ordinary users already deep in the Microsoft ecosystem, the available responses are quite limited. What I’ve compiled here are steps that, under current conditions, can reduce the related risk:
First, use a local account rather than a Microsoft account wherever possible. Windows 11 has narrowed the entry point for creating local accounts in recent versions, but skipping the internet-connect step during install, or finding “switch to local account” in settings, is still a viable path. GDID’s generation is deeply tied to the Microsoft account, so a local account is an indirect isolation measure.
Second, turn off non-essential diagnostic-data reporting. Path: Settings → Privacy & security → Diagnostics & feedback → turn off “Optional diagnostic data.” This won’t make GDID disappear, but it reduces the other information reported alongside it.
Third, turn off personalized ads and activity tracking. In “Privacy & security” → “Recommended and offers,” turn off all options. In “Search permissions,” disable “Cloud content search” to keep local search content from being sent to Microsoft’s servers.
Fourth, periodically review your activity history. In privacy settings, check “Activity history” and turn off sync options you don’t need. These won’t touch GDID itself, but they reduce the chance your behavioral data gets linked across the Microsoft ecosystem.
The fifth point may be a bit extreme, but it’s worth mentioning: if you have high privacy requirements and can accept a learning curve, transitioning to an OS that doesn’t build in this kind of tracking (certain Linux distributions, for example) is a long-term option worth considering. This isn’t one-size-fits-all advice — it won’t suit everyone or every scenario. But it is an option that exists.
A Bigger Question
The GDID affair matters beyond “yet another tech-news story” because it touches an increasingly sharp contradiction: when your operating system is also your service provider, whose side should its loyalty be on?
Windows is long past being just a system on your hard drive. It’s tied to Microsoft’s cloud, Microsoft’s account system, Microsoft’s app store, Microsoft’s AI assistant. Its business model is shifting from “selling software” to “selling services” — and in the world of services, user data is the base currency.
GDID is a reminder: in the age of cloud computing and AI, the deepest “system” in your computer may no longer be a mere tool. It’s also a sensor, a recorder, an identity anchor.
And which side it defaults to standing on — that’s a question Microsoft has yet to answer in a way that puts everyone at ease.
References:
- Ghacks: Microsoft Confirms Windows GDID Device Identifier That Cannot Be Disabled, Documented in FBI Case Filing
- PCMag: A Hacker’s Arrest Reveals Microsoft Can Track Users Via a Windows Device ID
- WindowsLatest: Microsoft admits Windows 11 has a GDID tracker with no off switch
- Cybernews: Windows telemetry backlash — GDID tracking exposes Scattered Spider hacker
- Lobsters discussion (s/agkcmz)