RAW
RAWCHEATS
All Answers
hardware_spoofer

Should I Run My HWID Spoofer on Cold Boot?

Yes. A cold boot is mandatory before activating Raw Spoofer or any kernel-driver HWID spoofer. The anti-cheat reads hardware identifiers when its driver loads — which is typically at game launcher startup, not at OS boot. If you spoof AFTER opening Steam, Epic, Riot Client, or Battle.net, the anti-cheat has already captured your real fingerprint. Cold boot first, spoofer activate, then launcher. No exceptions.

RawCheats Anti-Cheat Research Team — Anti-Cheat Research TeamUpdated May 12, 2026

This is the single most common spoofer setup mistake. The whole point of a spoofer is to win the race against the anti-cheat's hardware read. Lose that race and you have spent $5 on a process that produces no protection. The cold-boot requirement is not optional and the reason has to do with how anti-cheat drivers actually fingerprint your machine.

When the anti-cheat reads hardware

Anti-cheats do not read hardware at OS boot in most cases. They read it when their kernel driver activates — which is when the publisher's launcher opens (Steam loads EasyAntiCheat.sys when an EAC-protected title launches, Epic loads it via the Epic Games Launcher, Riot loads vgk.sys at OS boot because Vanguard is ELAM but the EK read fires at session start). The first hardware-fingerprint capture typically happens in the first 1-3 seconds after the launcher process starts. If your spoofer is not active before that window, the AC reads your real values.

The mistake everyone makes

Boot PC. Open Steam. Notice game is not launching for some reason. Launch spoofer. Try again. The anti-cheat has already captured your real fingerprint from the first launch attempt. Even if the spoofer activates now and randomizes everything, the AC's session has already seen your real hardware. Worse — the AC may have already submitted that real fingerprint to its server-side ban check. If the real fingerprint is on the ban list, your account is locked before the spoofer becomes relevant.

Why "warm reboot" is not enough

A warm reboot (Windows restart without full power cycle) goes through the OS shutdown and reload but does not re-initialize the spoofer driver — and crucially, anti-cheat services may persist some state across warm reboots. A cold boot guarantees the kernel is in a known-clean state with no anti-cheat services running and no captured hardware values lingering in service caches. Power off completely, wait 10-15 seconds, power on. Then activate the spoofer before any launcher opens.

The mandatory order of operations

  1. Cold boot the PC (full power cycle).
  2. Wait for Windows desktop. Do not open Steam, Epic, Battle.net, Riot Client, or any launcher. Do not open Discord with the cheating account active.
  3. Run the Raw Spoofer loader as administrator. Allow Windows Defender / antivirus prompts.
  4. Enter your license key. Click Activate. Wait for the spoofer to confirm randomization of all 16 identifier categories.
  5. Now open your publisher launcher and your game normally.
  6. Play.

Skipping step 1 (using a warm reboot) is the second-most-common mistake. Skipping step 2 (opening the launcher first to "check if it works without the spoofer") is the most common. Both produce the same outcome: anti-cheat captures real fingerprint, spoofer is useless for that session.

Why this matters for ban-wave protection

Anti-cheats roll up flagged fingerprints into bulk waves. Riot's January 2026 wave took down 340,000 Valorant accounts in 5 days. Activision's Ricochet has issued 800,000+ HWID bans across modern COD and Warzone. Every session where the anti-cheat captures your real fingerprint adds a record to the publisher's hardware-tracking database — even if no immediate ban fires. A ban wave running three weeks later can roll up sessions you did not realize were flagged. Cold-boot activation means the AC never sees your real hardware in any session, so no wave can ever roll up a real fingerprint that was never captured.

What about resuming from sleep / hibernate?

Sleep and hibernate are not equivalent to a cold boot. Sleep keeps RAM powered and Windows state in memory — anti-cheat drivers and any service caches persist. Hibernate dumps RAM to disk and restores it on resume — again, no fresh kernel init. Both can result in the spoofer driver being in an indeterminate state and the anti-cheat being able to query whichever kernel state existed before the suspend. Always do a full shutdown plus cold boot before activating the spoofer. The HWID Spoofer Guide setup section covers this with the full pre-flight checklist.

What about the spoofer's recommendation if I am already in-game?

If you are mid-session without the spoofer running, do not try to activate it during play. The anti-cheat has already captured real values; activating now creates an internally inconsistent state (driver hooks installed but anti-cheat already cached real values) that may trigger detection on the inconsistency. Close the game, close the launcher, reboot cold, activate spoofer, then return to play. The 5-minute hit beats a ban.

The Tarkov / Vanguard exception

For BattlEye Tarkov and any Vanguard-based scenario, an additional consideration applies: those anti-cheats fingerprint hardware at OS boot via early-load drivers. For Tarkov specifically, BattlEye's BEDaisy.sys reads via the path documented in the ACM MATE 2025 paper very early in the OS lifecycle. The spoofer must load even earlier — which is why Raw Spoofer's boot-order priority is configured to win that race. Vanguard is out of scope for Raw Spoofer, period.

For the deeper setup walkthrough with screenshots, see the Raw Spoofer product page setup section.

Related Pages

Sources

  1. Riot Vanguard official documentationRiot Games
  2. Ricochet Anti-Cheat Progress ReportActivision
  3. Battling The Eye — BattlEye reverse-engineeringACM MATE Workshop 2025
  4. EAC reverse-engineering repositoryadrianyy / Adrian Yarygin

Related Questions

How Does a HWID Spoofer Work?

An HWID spoofer loads a signed kernel driver before the anti-cheat does, then hooks the Windows kernel functions and IOCTLs anti-cheats use to read hardware identifiers — SMBIOS via NtQuerySystemInformation, disk serials via IOCTL_STORAGE_QUERY_PROPERTY, MACs via NDIS, MachineGuid from the registry. When the anti-cheat queries, it gets back randomized values instead of your real hardware. Real values restore on reboot.

What Is Raw Spoofer?

Raw Spoofer is RawCheats's in-house HWID spoofer — a signed kernel driver that randomizes 16 hardware identifier categories per session against EAC, BattlEye, NeacSafe, Warden, and Ricochet. It runs as an external process (not injected into the game), supports Windows 10 + 11 on Intel and AMD, and costs $4.99 per month. It does not spoof TPM EK, Pluton, or beat Vanguard — and we say so explicitly.

How Long Does a HWID Spoof Last?

One session. A 2026 kernel-driver HWID spoofer randomizes per-boot — the spoofed fingerprint persists from spoofer activation until reboot, then real values return. Every cold boot before a play session needs a fresh spoofer activation. UEFI-persistent spoofers exist but carry firmware-bricking risk; Raw Spoofer explicitly does per-session randomization at Layer 1 for safety and reversibility.

Should I Run a Spoofer Before Every Session?

Yes, every session if you have ever been hardware-flagged, and as cheap insurance even if you haven''t. Cold boot Windows, run Raw Spoofer as administrator before opening Steam, Epic, Battle.net, or NetEase. The spoof persists until reboot. Skipping the spoofer means one signature detection bans your hardware permanently across every account on that machine. The 4-second spoof time per session is the cheapest insurance in the cheat workflow.

Raw Fortnite
Live purchase·5m ago
dezz from US bought Raw Fortnite