How Do Anti-Cheats Fingerprint Hardware?
Anti-cheats fingerprint hardware by collecting and hashing identifiers across multiple sources: SMBIOS (motherboard, BIOS, system UUID), NIC MAC addresses, disk serial numbers, GPU device IDs, CPU identifiers (CPUID brand string, microcode revision), TPM 2.0 endorsement key certificate, USB peripheral descriptors, and monitor EDID data. The combined fingerprint becomes the HWID — and the EK certificate plus motherboard SMBIOS are the most durable elements. Riot logged 2.3M+ HWID bans in 2025 alone.
Hardware fingerprinting is the foundation of the modern HWID ban system. Modern AAA anti-cheats don't rely on a single identifier — they combine dozens of signals into a composite fingerprint, weighted so that no individual identifier rotation defeats the ban. Understanding the full fingerprint stack is essential for understanding why naive single-source spoofing doesn't work.
The full hardware fingerprint stack
A comprehensive AC HWID fingerprint includes:
Motherboard / firmware sources:
- SMBIOS structures (Type 0 BIOS, Type 1 System, Type 2 Baseboard, Type 4 Processor)
- BIOS vendor and version string
- System UUID (Type 1 SMBIOS, often the strongest motherboard identifier)
- Motherboard serial number
- Baseboard manufacturer and product
- BIOS release date
TPM / platform:
- TPM 2.0 Endorsement Key (EK) public key hash and EK certificate chain
- Platform Configuration Register (PCR) values measuring boot state
- TPM manufacturer string
Storage:
- Disk serial numbers (IDE/SATA/NVMe queried via SCSI / NVMe identify commands)
- Disk model strings
- Disk firmware revision
- Volume serial numbers (filesystem-level, much weaker than disk-level)
Network:
- NIC MAC addresses (all installed adapters)
- NIC manufacturer/model strings
- NIC firmware versions where readable
GPU / Display:
- GPU device IDs (PCI vendor:device:subsystem)
- GPU serial numbers (where exposed; NVIDIA's nvapi exposes some)
- Monitor EDID (Extended Display Identification Data) for connected monitors
- DisplayPort/HDMI link-layer identifiers
CPU:
- CPUID processor brand string
- CPUID feature set
- CPUID stepping/family/model
- Microcode revision (which can change across BIOS updates, so weighted accordingly)
Peripheral:
- USB device descriptors for connected mice/keyboards
- HID polling rates and report intervals
- Bluetooth adapter identifiers if present
- Audio device GUIDs
Software-derived signals (less durable but still tracked):
- Windows install GUID
- Active Directory machine SID (rare in consumer)
- Hardware Hash from Windows Autopilot (enterprise-derived)
- TPM-sealed BitLocker recovery key (when present)
How the fingerprint is computed
The AC backend doesn't just store the raw identifiers — it computes a weighted composite fingerprint that's tolerant of some identifier changes while still strong against ban-evasion attempts. The exact algorithm varies per vendor and is generally undisclosed, but the rough pattern is:
- Core identifiers (EK cert, motherboard UUID, motherboard SMBIOS) weighted heavily — must match for the fingerprint to be "the same machine"
- Secondary identifiers (disk serials, MACs, GPU IDs) weighted medium — partial matches still produce HWID correlation hits
- Tertiary identifiers (volume serials, software-derived, peripheral details) weighted low — used for cross-correlation rather than primary identity
Result: rotating one or two identifiers doesn't produce a "new machine" — the composite still correlates back to the banned fingerprint. Rotating all identifiers convincingly (real spoofer behavior) produces a new fingerprint. Hashing the EK certificate directly produces an identifier that no software spoofer can rotate.
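The weighting pattern above, sketched as backend-side correlation logic. This is an added example, not code from the original page or from any anti-cheat vendor; the field names, tier weights and thresholds are assumptions, and the sample records are constructed.

```python
import hashlib

# Assumed weights and thresholds for illustration; real vendor values are undisclosed.
TIERS = {
    "core": (5.0, ["ek_cert_sha256", "smbios_uuid", "baseboard_serial"]),
    "secondary": (2.0, ["disk_serials", "mac_addresses", "gpu_pci_id"]),
    "tertiary": (0.5, ["volume_serials", "windows_install_guid"]),
}

def _tokens(value):
    """Normalise a scalar or list identifier into a set of hashed tokens."""
    items = value if isinstance(value, (list, tuple, set)) else [value]
    return {hashlib.sha256(str(i).strip().lower().encode()).hexdigest() for i in items if i}

def similarity(a, b):
    """Jaccard overlap; None when either side did not report the identifier."""
    sa, sb = _tokens(a), _tokens(b)
    return len(sa & sb) / len(sa | sb) if sa and sb else None

def correlate(banned, seen):
    """Score a new observation against a banned record: (score, verdict)."""
    got = total = 0.0
    core_hits = core_seen = 0
    for tier, (weight, fields) in TIERS.items():
        for field in fields:
            s = similarity(banned.get(field), seen.get(field))
            if s is None:
                continue  # missing identifier: skip rather than penalise
            got, total = got + weight * s, total + weight
            if tier == "core":
                core_seen += 1
                core_hits += int(s == 1.0)
    score = round(got / total, 3) if total else 0.0
    if core_seen and core_hits == core_seen and score >= 0.6:
        return score, "same_machine"
    if core_hits or score >= 0.3:
        return score, "correlated"
    return score, "distinct"

# Constructed sample records (all values invented).
BANNED = {"ek_cert_sha256": "ek-aaaa", "smbios_uuid": "uuid-1", "baseboard_serial": "mb-1",
          "disk_serials": ["disk-1", "disk-2"], "mac_addresses": ["mac-1", "mac-2"],
          "gpu_pci_id": "gpu-1", "volume_serials": ["vol-1"], "windows_install_guid": "win-1"}
# OS reinstall plus new MACs: only low- and medium-weight fields differ.
REINSTALLED = dict(BANNED, mac_addresses=["mac-8", "mac-9"],
                   volume_serials=["vol-7"], windows_install_guid="win-7")
# Every other identifier differs, but the EK certificate hash is unchanged.
EK_ONLY = dict({k: f"other-{i}" for i, k in enumerate(BANNED)}, ek_cert_sha256="ek-aaaa")
print(correlate(BANNED, REINSTALLED), correlate(BANNED, EK_ONLY))
```

The reinstalled record still scores as the same machine, while the record that shares only the EK certificate hash drops to a low score but is still flagged as correlated.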
What's most durable
- TPM 2.0 EK certificate — physically non-spoofable, vendor-signed, survives all software changes
- Motherboard SMBIOS — durable across OS reinstalls (firmware-level), spoofable but the spoofer needs to be persistent across boots
- CPU identifiers — durable but rotate naturally with CPU swaps
- Disk serials at the SCSI/NVMe level — durable, but rotate naturally with drive swaps
What's less durable
- Volume serial numbers — filesystem-level, change on reformat
- Windows install GUID — changes on Windows reinstall
- NIC MACs — software-modifiable, sometimes randomized by default
- Peripheral USB descriptors — change when you plug different devices
How spoofers fight fingerprinting
A properly-built spoofer (see Raw Spoofer) operates at the kernel-driver layer to hook the lower-level reads of these identifiers — disk SCSI ioctl, NIC NDIS ioctls, SMBIOS firmware-table reads, GPU device-info APIs, USB descriptor queries. By controlling what each query returns and ensuring internal consistency across all identifier sources, the spoofer produces a self-consistent "new machine" fingerprint. The TPM EK is the wall — software-level spoofing can rotate primary-key-derived hashes (the Linux-method "TPM spoof"), but cannot rotate the EK cert itself.
What you cannot rotate
- TPM 2.0 EK certificate (signed by vendor CA, private key in hardware)
- Pluton EK certificate (signed by Microsoft + CPU vendor CA, integrated in CPU silicon)
- Boot-state PCRs when attestation is mandatory
- Behavioral fingerprints (input patterns, gameplay style) — these travel with the human
Practical impact and forward look
The full-fingerprint stack is what makes the 2026 HWID ban landscape unforgiving. Riot's 2.3M+ 2025 HWID bans aren't "one identifier got blacklisted" — they're composite-fingerprint hits weighted by EK + motherboard + disk + behavioral signals. Surviving requires comprehensive spoofing at the kernel layer plus account isolation plus behavioral discipline. See our HWID Spoofer 2026 Guide, What hardware identifiers do AC track, and How do AC detect HWID spoofers for the full operational picture.
The trajectory: more identifier sources, tighter weighting on TPM-rooted hashes, attestation as a gating layer. The fingerprinting fight gets harder, not easier, through 2027.
Related Questions
Anti-cheats detect HWID spoofers through cross-source identifier correlation: comparing what user-mode APIs return against what kernel-level reads return, validating against TPM 2.0 endorsement key (EK) certificates that cannot be software-spoofed, checking SMBIOS values against signed BIOS/firmware data, cross-correlating across multiple identifier sources (NIC, disk, GPU, motherboard) for internal consistency, and using behavioral correlation across ban waves to detect when a "new" machine matches the play patterns of a previously-banned account.
An HWID spoofer loads a signed kernel driver before the anti-cheat does, then hooks the Windows kernel functions and IOCTLs anti-cheats use to read hardware identifiers — SMBIOS via NtQuerySystemInformation, disk serials via IOCTL_STORAGE_QUERY_PROPERTY, MACs via NDIS, MachineGuid from the registry. When the anti-cheat queries, it gets back randomized values instead of your real hardware. Real values restore on reboot.
A 2026 kernel-driver HWID spoofer randomizes 16 categories: SMBIOS (UUID, serial, manufacturer, product, BIOS version, BIOS date), motherboard serial, all SATA + NVMe disk serials, GPT/MBR partition layout, every NIC MAC, GPU UUID and adapter LUID, MachineGuid, Windows Product ID + install date, RAM SPD serials, USB controller IDs, PCI device IDs, and monitor EDID. It cannot randomize TPM endorsement keys, Pluton attestation, or CPU ID via Ring-3.
Modern anti-cheats fingerprint a composite of 16+ identifiers: SMBIOS UUID, motherboard serial, all disk serials (SATA + NVMe), every NIC's MAC address, GPU UUID, MachineGuid (Windows registry), Windows Product ID, Windows install date, RAM SPD strings, USB controller IDs, PCI device IDs, monitor EDID, BIOS strings, TPM 2.0 endorsement key (unspoofable from user-mode), CPU ID, and Microsoft Remote Attestation. Raw Spoofer randomizes 13 of these; TPM EK and Pluton are firmware-baked and out of reach.
