
How Do Anti-Cheats Detect HWID Spoofers?

Anti-cheats detect HWID spoofers through cross-source identifier correlation: comparing what user-mode APIs return against what kernel-level reads return, validating against TPM 2.0 endorsement key (EK) certificates that cannot be software-spoofed, checking SMBIOS values against signed BIOS/firmware data, cross-correlating across multiple identifier sources (NIC, disk, GPU, motherboard) for internal consistency, and using behavioral correlation across ban waves to detect when a "new" machine matches the play patterns of a previously-banned account.

RawCheats Anti-Cheat Research Team | Updated May 12, 2026

HWID spoofer detection is one of the more technically demanding sub-disciplines because a properly-built spoofer can rotate dozens of identifiers, and most consumer ACs have to handle false positives from legitimately new hardware purchases. The detection model has shifted heavily toward hardware-rooted identifiers (TPM EK, Pluton) and behavioral correlation across sessions.

Layer 1 — Cross-source identifier consistency

A simple spoofer changes the values returned by user-mode Windows APIs: GetVolumeInformation for disk serial, GetAdaptersInfo for NIC MAC, GetSystemFirmwareTable for SMBIOS, registry keys for HardwareID strings. A kernel-mode AC reads the same identifiers via the lower-level interfaces (IRP_MJ_DEVICE_CONTROL to disk class drivers, IOCTL_NDIS_QUERY_GLOBAL_STATS for NIC, direct SMBIOS table parsing in physical memory). If user-mode returns "Disk_New_Serial_123" but the underlying kernel-level read returns "Disk_Original_Serial_ABC," the spoofer is detected by inconsistency.

This is the foundational test, and it's why a proper spoofer (kernel-driver-based, hooking at the lowest possible layer) is structurally stronger than a user-mode spoofer that only patches API returns. See our HWID Spoofer Complete 2026 Guide for the layered architecture and our Raw Spoofer page.
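The consistency test described above, seen from the anti-cheat side, as an added example that is not code from the original page or from any anti-cheat product. The report layout and the source names `user_mode` and `kernel` are assumptions; the sample values are constructed, and normalization runs before comparison so that formatting differences between sources do not produce false positives.

```python
import re

# Constructed sample report: {identifier kind: {collection source: raw value}}.
# The source names "user_mode" and "kernel" are labels assumed for this example.
SAMPLE_REPORT = {
    "disk_serial": {"user_mode": "Disk_New_Serial_123",
                    "kernel": "Disk_Original_Serial_ABC"},
    "nic_mac": {"user_mode": "00-1A-2B-3C-4D-5E",
                "kernel": "00:1a:2b:3c:4d:5e"},
    "smbios_uuid": {"user_mode": "{11111111-2222-3333-4444-555555555555}",
                    "kernel": ""},  # kernel read failed: no evidence either way
}

def normalize(kind, raw):
    """Canonicalise a raw identifier so formatting alone never causes a mismatch."""
    value = raw.strip().upper()
    if kind in ("nic_mac", "smbios_uuid"):
        return re.sub(r"[^0-9A-F]", "", value)  # drop separators and braces
    return re.sub(r"\s+", "", value)            # serials are often space-padded

def find_mismatches(report):
    """Return [(kind, {source: normalized value})] for kinds whose sources disagree."""
    findings = []
    for kind in sorted(report):
        seen = {src: normalize(kind, raw)
                for src, raw in report[kind].items() if raw.strip()}
        if len(seen) < 2:
            continue                            # a single source cannot contradict itself
        if len(set(seen.values())) > 1:
            findings.append((kind, seen))
    return findings

if __name__ == "__main__":
    for kind, values in find_mismatches(SAMPLE_REPORT):
        print(f"MISMATCH {kind}: {values}")
```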

Layer 2 — TPM 2.0 endorsement key validation

The TPM 2.0 EK is the most powerful HWID anchor available to anti-cheats. The EK is signed by the TPM vendor's CA chain, cannot be software-spoofed, and persists across OS reinstalls. An AC that reads and hashes the EK certificate has an identifier no software spoofer can rotate.

The Linux-method TPM "spoof" pattern (clear TPM, regenerate primary keys) rotates derived key material but does not change the EK certificate itself. An AC that hashes the EK cert directly sees the same value before and after the "spoof." An AC that hashes a primary-key-derived value sees different output after the spoof — which is the technical leak the late-2025 Linux-method TPM tricks exploited. The cat-and-mouse: ACs are moving toward direct EK-cert checks (which are fully spoof-resistant); spoofers are working in the narrower window of ACs that still check derived material.
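Why the choice of anchor matters, as an added example that is not from the original page: a toy model in which a clear replaces the seed behind primary keys but leaves the EK certificate untouched. `SimulatedTpm`, the template bytes and the certificate bytes are constructed for illustration and are not a real TPM interface.

```python
import hashlib
import hmac
import os

class SimulatedTpm:
    """Toy model for this example only; it is not a TPM API."""

    def __init__(self, ek_cert_der):
        self.ek_cert_der = ek_cert_der       # vendor-issued, fixed for the chip
        self._storage_seed = os.urandom(32)  # seed behind regenerated primary keys

    def clear(self):
        # Models a TPM clear: the seed is replaced, the EK certificate is not.
        self._storage_seed = os.urandom(32)

    def primary_public(self, template):
        # A primary key is a deterministic function of (seed, template).
        return hmac.new(self._storage_seed, template, hashlib.sha256).digest()

def derived_key_id(tpm, template=b"constructed-template"):
    """Identifier built from primary-key-derived material (the weak anchor)."""
    return hashlib.sha256(tpm.primary_public(template)).hexdigest()

def ek_cert_id(tpm):
    """Identifier built from the EK certificate bytes (the durable anchor)."""
    return hashlib.sha256(tpm.ek_cert_der).hexdigest()

def ban_survives_clear(id_fn):
    """Ban a machine by id_fn, clear its TPM, report whether the ban still matches."""
    tpm = SimulatedTpm(ek_cert_der=b"CONSTRUCTED-EK-CERT-BYTES")
    banned = {id_fn(tpm)}
    stable_before = id_fn(tpm) in banned     # repeated reads give the same ID
    tpm.clear()
    return stable_before and id_fn(tpm) in banned

if __name__ == "__main__":
    print("derived-key anchor survives clear:", ban_survives_clear(derived_key_id))
    print("EK-cert anchor survives clear:    ", ban_survives_clear(ek_cert_id))
```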

Layer 3 — Internal cross-consistency

A spoofer that rotates disk serial but doesn't rotate the matching SMBIOS values, or rotates the SMBIOS motherboard model but leaves the GPU device ID hard-coded, produces internally inconsistent hardware profiles. AC detection asks: "is this hardware profile self-consistent?" An ASUS motherboard SMBIOS with an MSI GPU device ID and a Gigabyte BIOS vendor string is improbable for genuine retail hardware. A spoofer that's sloppy on cross-identifier consistency leaves a fingerprint of "spoofer behavior" rather than "real hardware behavior."

Layer 4 — Behavioral cross-session correlation

The most subtle layer: even if the spoofer rotates every identifier perfectly, the same person plays the same way. Mouse-input distributions, weapon preferences, peak hours, session lengths, friend-network connections: these don't change when the HWID changes. AC backends correlate these signals across ban-wave cohorts. A "new" account that plays exactly like a known banned account, at the same hours, with the same friends, on similar settings, gets correlated and gets banned. This is why "I bought a spoofer, I'm safe" is naive: HWID is one of many detection layers, not the only one. See "Should I use a separate account for cheating".
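A backend-side sketch of that correlation, as an added example that is not from the original page or from any anti-cheat vendor: it scores a new account against a banned cohort using two of the signals named above, play hours and friend lists. The equal weighting, the 0.7 threshold, the profile layout and all sample accounts are assumptions constructed for illustration.

```python
import math

# Constructed sample data: play-hour histograms ({hour: sessions}) and friend sets.
BANNED_COHORT = {
    "banned_A": {"hours": {20: 5, 21: 8, 22: 6}, "friends": {"a", "b", "c", "d"}},
    "banned_B": {"hours": {9: 7, 10: 6, 21: 1}, "friends": {"x", "y"}},
}
CANDIDATE = {"hours": {20: 4, 21: 9, 22: 5}, "friends": {"b", "c", "d", "e"}}

def cosine(a, b):
    """Cosine similarity of two sparse histograms."""
    dot = sum(a[k] * b.get(k, 0) for k in a)
    norm = (math.sqrt(sum(v * v for v in a.values()))
            * math.sqrt(sum(v * v for v in b.values())))
    return dot / norm if norm else 0.0

def jaccard(a, b):
    """Overlap of two sets as |intersection| / |union|."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def link_score(candidate, banned):
    """Mean of play-hour similarity and friend-list overlap, in [0, 1]."""
    return (cosine(candidate["hours"], banned["hours"])
            + jaccard(candidate["friends"], banned["friends"])) / 2

def linked_accounts(candidate, cohort, threshold=0.7):
    """Banned accounts whose profile scores at or above the assumed threshold."""
    return sorted(name for name, profile in cohort.items()
                  if link_score(candidate, profile) >= threshold)

if __name__ == "__main__":
    for name, profile in BANNED_COHORT.items():
        print(name, round(link_score(CANDIDATE, profile), 3))
    print("linked:", linked_accounts(CANDIDATE, BANNED_COHORT))
```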

Layer 5 — Peripheral fingerprinting

This layer covers mouse/keyboard USB descriptors, polling-rate signatures, and input timing characteristics. Overwatch's Peripheral Vision is the public example. The peripheral signal travels with the user, not with the rotated HWID, and a "new" machine using the same mouse with the same polling characteristics tells the AC something.

What spoofers reliably defeat

A properly-built spoofer (kernel-driver layer, internally consistent profile, rotating SMBIOS / NIC / disk / GPU IDs together) reliably defeats: SMBIOS-only HWID checks, simple disk-serial bans, NIC-MAC bans, and the registry-string fingerprints most consumer ACs check. This is enough to break out of most ban-wave HWID correlation, especially for ACs that don't enforce TPM EK validation. RawCheats' Raw Spoofer targets this layer specifically and is updated to track AC changes.

What spoofers structurally cannot defeat

TPM 2.0 EK certificate validation. Pluton EK certificate validation. Hardware-rooted attestation flows that validate the full vendor CA chain. These require physical hardware replacement (TPM chip swap if available, CPU swap if Pluton is on-die), and that's the structural floor of the "what can a spoofer do" question.

Forward look

HWID spoofer detection in 2027 will be: TPM/Pluton attestation as the primary anchor, behavioral cross-correlation as secondary, peripheral fingerprinting as tertiary, and conventional SMBIOS/disk/NIC checks as a backstop. The cheap end of HWID spoofing is in long-term decline. The future is dedicated cheating hardware on machines without prior bans, with disciplined behavioral isolation and a clear understanding that no spoofer is invincible against attestation.

Sources

  1. Hardware IDs, Microsoft Learn
  2. TPM 2.0 Library Architecture, Trusted Computing Group
  3. Defense Matrix: Peripheral Vision, Blizzard

Related Questions

What Hardware Components Does a Spoofer Randomize?

A 2026 kernel-driver HWID spoofer randomizes 16 categories: SMBIOS (UUID, serial, manufacturer, product, BIOS version, BIOS date), motherboard serial, all SATA + NVMe disk serials, GPT/MBR partition layout, every NIC MAC, GPU UUID and adapter LUID, MachineGuid, Windows Product ID + install date, RAM SPD serials, USB controller IDs, PCI device IDs, and monitor EDID. It cannot randomize TPM endorsement keys, Pluton attestation, or CPU ID via Ring-3.

How Does a HWID Spoofer Work?

An HWID spoofer loads a signed kernel driver before the anti-cheat does, then hooks the Windows kernel functions and IOCTLs anti-cheats use to read hardware identifiers — SMBIOS via NtQuerySystemInformation, disk serials via IOCTL_STORAGE_QUERY_PROPERTY, MACs via NDIS, MachineGuid from the registry. When the anti-cheat queries, it gets back randomized values instead of your real hardware. Real values restore on reboot.

How Do Anti-Cheats Fingerprint Hardware?

Anti-cheats fingerprint hardware by collecting and hashing identifiers across multiple sources: SMBIOS (motherboard, BIOS, system UUID), NIC MAC addresses, disk serial numbers, GPU device IDs, CPU identifiers (CPUID brand string, microcode revision), TPM 2.0 endorsement key certificate, USB peripheral descriptors, and monitor EDID data. The combined fingerprint becomes the HWID — and the EK certificate plus motherboard SMBIOS are the most durable elements. Riot logged 2.3M+ HWID bans in 2025 alone.

Can a HWID Spoofer Beat TPM 2.0?

No. TPM 2.0 endorsement keys are signed by the TPM chip manufacturer at production and stored inside the chip itself — they cannot be rewritten from software. Anti-cheats that read TPM EK and PCR values (Vanguard, COD: Black Ops 7 via Remote Attestation, FACEIT, Fortnite tournaments) get a cryptographic identity no commercial spoofer can fake. The only public TPM-spoof attempt — Samuel Tulach's tpm-spoofer POC — is unstable research code.
