How Does a HWID Spoofer Work?
A HWID spoofer loads a signed kernel driver before the anti-cheat does, then hooks the Windows kernel functions and IOCTLs anti-cheats use to read hardware identifiers: SMBIOS via NtQuerySystemInformation, disk serials via IOCTL_STORAGE_QUERY_PROPERTY, MACs via NDIS, and MachineGuid from the registry. When the anti-cheat queries, it gets back randomized values instead of your real hardware identifiers. Real values return after a reboot.
A HWID spoofer is not magic and it is not a registry editor. It is a signed kernel driver that wins the race to load before the anti-cheat's driver, then sits on the read path that anti-cheats use to fingerprint your hardware. When the anti-cheat asks Windows "what is the SMBIOS UUID on this machine," the spoofer answers with a randomized value. The anti-cheat hashes that value into its composite fingerprint and stores something that has no relationship to your real hardware identity.
Layer 1 — driver-level hooking
This is where Raw Spoofer and every credible commercial spoofer operates. A signed driver loads via the Windows service control manager during boot, before any anti-cheat driver has been triggered (anti-cheats typically load when the launcher opens, not at OS boot). The driver installs hooks on NtQuerySystemInformation class 76 (SystemFirmwareTableInformation), which returns the raw SMBIOS table and is used by EAC's hardware-read path documented in adrianyy/EACReversing. It hooks IOCTL_STORAGE_QUERY_PROPERTY with StorageDeviceProperty (the disk serial path used by BattlEye per the ACM MATE 2025 paper). It also hooks NDIS callbacks for MAC addresses, the DXGI adapter description for GPU UUIDs, the IoWMIOpenBlock path for WMI hardware queries, and the registry read paths for MachineGuid and the SCSI device map.
What hooking actually means
A hook is a function pointer redirect. Windows kernel code is structured so that user-mode and kernel-mode callers reach hardware reads through indirect calls. The spoofer driver replaces the target pointer with its own function, which performs whatever filtering or substitution is needed and then either calls the original (for legitimate non-anti-cheat callers) or returns randomized values (for anti-cheat callers). Modern spoofers do not blanket-modify every caller — that breaks Windows licensing and legitimate software. They filter by call context, by process identity, or by which library is on the stack.
Per-session randomization
Every time the spoofer activates, it generates a new randomized fingerprint. The randomization is not pure noise — values must look plausible. An SMBIOS serial of FFFFFFFFFFFFFFFF is a sentinel value that anti-cheats flag instantly. A randomized motherboard manufacturer of "ASUSAMD-X299" with a CPU read of an Intel chip is internally inconsistent and gets flagged. Good spoofers generate values from a curated table of real-world manufacturer + model combinations that anti-cheats have seen across millions of legitimate users.
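The plausibility checks described above, seen from the side that receives the fingerprint, as an added example that is not code from this page or from any anti-cheat. The field names, the chipset lookup table and the sample reports are constructed assumptions.

```python
import re

# Constructed lookup (assumption): chipset token in the board name -> CPU vendor it hosts.
CHIPSET_CPU = {"X299": "GenuineIntel", "Z790": "GenuineIntel",
               "X570": "AuthenticAMD", "B650": "AuthenticAMD"}
MAC_RE = re.compile(r"([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")

def is_sentinel(value):
    """True for filler values such as FFFFFFFFFFFFFFFF or an all-zero UUID."""
    v = re.sub(r"[^0-9A-Za-z]", "", value).upper()
    return len(v) >= 8 and len(set(v)) == 1

def assess(fp):
    """Return findings for one reported fingerprint (a dict of strings)."""
    findings = [f"sentinel:{f}" for f in ("smbios_uuid", "smbios_serial", "disk_serial")
                if is_sentinel(fp.get(f, ""))]
    # Cross-field consistency: the board's chipset must match the CPU vendor string.
    board, cpu = fp.get("board_product", "").upper(), fp.get("cpu_vendor", "")
    for token, vendor in CHIPSET_CPU.items():
        if token in board and cpu != vendor:
            findings.append(f"mismatch:{token}/{cpu}")
    # First MAC octet: bit 0 set = multicast (invalid as an adapter address),
    # bit 1 set = locally administered (not a vendor-assigned address).
    mac = fp.get("mac", "")
    if not MAC_RE.fullmatch(mac):
        findings.append("mac:malformed")
    elif int(mac[:2], 16) & 0x01:
        findings.append("mac:multicast-bit")
    elif int(mac[:2], 16) & 0x02:
        findings.append("mac:locally-administered")
    return findings

# Constructed sample reports, not captured from any real system.
SAMPLES = {
    "consistent": {"smbios_uuid": "4c4c4544-0042-3510-8058-b7c04f4e4d32",
                   "smbios_serial": "7BXN4M2", "disk_serial": "S4EWNX0M123456",
                   "board_product": "PRIME Z790-P", "cpu_vendor": "GenuineIntel",
                   "mac": "3C:7C:3F:12:34:56"},
    "flagged": {"smbios_uuid": "FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF",
                "smbios_serial": "FFFFFFFFFFFFFFFF", "disk_serial": "WD-WX12A3456789",
                "board_product": "ROG X570-E", "cpu_vendor": "GenuineIntel",
                "mac": "02:00:00:AA:BB:CC"},
}

if __name__ == "__main__":
    for name, fp in SAMPLES.items():
        print(name, assess(fp))
```

Each finding is a signal to score rather than a verdict: a locally administered MAC, for example, also appears on legitimate systems that use address randomization or virtual adapters.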
What the anti-cheat sees
When the anti-cheat's hardware-fingerprint routine fires at session start (for EAC, this is during the kernel driver init phase before the game loads; for Vanguard, it fires at boot via the ELAM mechanism), it reads what it thinks is the raw firmware data and computes a composite hash. With the spoofer running, that hash bears no relationship to your real hardware identity. The anti-cheat's server-side ban list is keyed on these hashes — if your real hardware was previously banned, the new randomized hash is not on the ban list, and you authenticate cleanly.
What happens at reboot
Spoofer driver state is per-boot. If you reboot without running the spoofer first, your real values are returned by the kernel. This is by design — it means Raw Spoofer is reversible. Your legitimate Windows licensing, your Steam library, your banking software, and any account you do not want spoofed continue working normally. The spoofer is an overlay you opt into per session, not a permanent modification to your firmware. Vendors that claim "permanent HWID changes" are either lying or shipping a UEFI NVRAM writer that risks bricking your firmware — neither is what you want.
What spoofers cannot do
A driver-layer spoofer cannot rewrite TPM 2.0 endorsement keys (those are signed by the TPM chip vendor at manufacture and stored in the chip's hardware), cannot bypass Microsoft Pluton's chip-to-cloud attestation, cannot defeat Microsoft Remote Attestation, and cannot fool a hypervisor-based CPUID read. These identifiers come from silicon, not from a Windows API call, and no commercial spoofer in May 2026 credibly addresses them. Riot Vanguard reads TPM EKs by design; that is why we explicitly do not sell Valorant cheats.
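A server-side review that uses this limit, as an added example that is not code from this page or from any anti-cheat: sessions are grouped by an attested TPM identity, so a ban keyed on it still matches when the composite hash of software-read identifiers changes, and a session in which every software-read field changed at once stands out from a single replaced part. The record layout, the `ek` placeholders and the threshold are assumptions.

```python
import hashlib
from collections import defaultdict

def composite_hash(ids):
    """SHA-256 over sorted key=value pairs of the software-read identifiers."""
    canon = "\n".join(f"{k}={ids[k]}" for k in sorted(ids))
    return hashlib.sha256(canon.encode()).hexdigest()

def changed_fields(a, b):
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

def review_sessions(sessions, banned_hashes, banned_eks, max_changed=1):
    """sessions: chronological dicts with 'ek' (assumed to come from a verified
    TPM attestation, not a client-supplied string) and 'ids' (software-read)."""
    history, report = defaultdict(list), defaultdict(list)
    for s in sessions:
        ek = s["ek"]
        if composite_hash(s["ids"]) in banned_hashes:
            report[ek].append("banned-hash")
        if ek in banned_eks and "banned-ek" not in report[ek]:
            report[ek].append("banned-ek")
        if history[ek]:
            diff = changed_fields(history[ek][-1], s["ids"])
            # One replaced part changes one field; per-session randomization changes all.
            if len(diff) > max_changed:
                report[ek].append("bulk-change:" + ",".join(diff))
        history[ek].append(s["ids"])
    return {ek: flags for ek, flags in report.items() if flags}

# Constructed sample data; EK values are placeholders, not real digests.
A1 = {"smbios_uuid": "uuid-a", "disk": "disk-a1", "mac": "mac-a", "machine_guid": "guid-a"}
A2 = dict(A1, disk="disk-a2")                      # same machine, disk replaced
B_REAL = {"smbios_uuid": "uuid-b", "disk": "disk-b", "mac": "mac-b", "machine_guid": "guid-b"}
B_S1 = {k: v + "-r1" for k, v in B_REAL.items()}   # every field differs from B_REAL
B_S2 = {k: v + "-r2" for k, v in B_REAL.items()}   # and again on the next boot
SESSIONS = [{"ek": "EK-A", "ids": A1}, {"ek": "EK-B", "ids": B_S1},
            {"ek": "EK-A", "ids": A2}, {"ek": "EK-B", "ids": B_S2}]
REPORT = review_sessions(SESSIONS, {composite_hash(B_REAL)}, {"EK-B"})

if __name__ == "__main__":
    print(REPORT)
```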
Sources
- EAC reverse-engineering repository — adrianyy / Adrian Yarygin
- Battling The Eye — BattlEye reverse-engineering — ACM MATE Workshop 2025
- Microsoft Pluton Security Processor — Microsoft
- Windows Storage Driver Reference — Microsoft
Related Questions
The best HWID spoofer in 2026 is one that hooks at the kernel-driver layer, randomizes 16+ hardware identifiers per session, names the anti-cheats it covers (EAC, BattlEye, NeacSafe, Warden, Ricochet) and explicitly disclaims the ones it does not (Riot Vanguard, Microsoft Pluton, TPM endorsement keys). Raw Spoofer fits that profile at $4.99 and ships from the same in-house engineering team behind the six RawCheats game products.
A 2026 kernel-driver HWID spoofer randomizes 16 categories: SMBIOS (UUID, serial, manufacturer, product, BIOS version, BIOS date), motherboard serial, all SATA + NVMe disk serials, GPT/MBR partition layout, every NIC MAC, GPU UUID and adapter LUID, MachineGuid, Windows Product ID + install date, RAM SPD serials, USB controller IDs, PCI device IDs, and monitor EDID. It cannot randomize TPM endorsement keys, Pluton attestation, or CPU ID via Ring-3.
Raw Spoofer is RawCheats's in-house HWID spoofer — a signed kernel driver that randomizes 16 hardware identifier categories per session against EAC, BattlEye, NeacSafe, Warden, and Ricochet. It runs as an external process (not injected into the game), supports Windows 10 + 11 on Intel and AMD, and costs $4.99 per month. It does not spoof TPM EK, Pluton, or beat Vanguard — and we say so explicitly.
One session. A 2026 kernel-driver HWID spoofer randomizes per-boot — the spoofed fingerprint persists from spoofer activation until reboot, then real values return. Every cold boot before a play session needs a fresh spoofer activation. UEFI-persistent spoofers exist but carry firmware-bricking risk; Raw Spoofer explicitly does per-session randomization at Layer 1 for safety and reversibility.
