What Hardware Components Does a Spoofer Randomize?
A 2026 kernel-driver HWID spoofer randomizes 16 categories: SMBIOS (UUID, serial, manufacturer, product, BIOS version, BIOS date), motherboard serial, all SATA + NVMe disk serials, GPT/MBR partition layout, every NIC MAC, GPU UUID and adapter LUID, MachineGuid, Windows Product ID + install date, RAM SPD serials, USB controller IDs, PCI device IDs, and monitor EDID. It cannot randomize TPM endorsement keys, Pluton attestation, or CPU ID via Ring-3.
A modern HWID spoofer covers a specific, finite set of identifiers — not "everything on your PC." Knowing the exact list matters because every anti-cheat reads a different subset, and the spoofer that randomizes the wrong identifiers leaves your real fingerprint exposed where it counts. Here is the complete coverage list as of May 2026.
SMBIOS identifiers (6 separate values)
The System Management BIOS table is the single richest source of hardware identity on a Windows PC. It contains the UUID (a 16-byte machine identifier set by the OEM at manufacture), the chassis serial number, the manufacturer string, the product name, the BIOS version, and the BIOS release date. All six are read by every kernel anti-cheat — EAC, BattlEye, Vanguard, Ricochet, NeacSafe. They are exposed to Windows via the SMBIOS table that the BIOS publishes at boot and accessible via NtQuerySystemInformation class 76. A spoofer hooks the read path and substitutes plausible randomized values drawn from real-world manufacturer + model combinations.
Motherboard and storage
Motherboard serial number is part of SMBIOS Type 2 and is randomized alongside the rest. All SATA and NVMe disk serial numbers are read via IOCTL_STORAGE_QUERY_PROPERTY with the StorageDeviceProperty class or via direct ATA IDENTIFY DEVICE commands. Modern PCs typically have 1-4 drives and the spoofer must randomize every one of them — anti-cheats enumerate the full list and hash all of them into the composite. GPT or MBR partition layout (the GUID Partition Table identifiers) is also tracked by EAC and BattlEye via IOCTL_DISK_GET_DRIVE_LAYOUT_EX. The Windows storage driver reference documents the IOCTL surface that a spoofer must intercept.
Network identifiers
Every NIC's MAC address. This includes onboard wired, onboard wireless, Bluetooth radios that present as network adapters, USB-attached Wi-Fi dongles, and virtual adapters created by VPN clients or Hyper-V. Anti-cheats use GetAdaptersInfo from user mode or hook NDIS callbacks from kernel mode, then read directly from the NetCfgInstanceId registry path. A spoofer randomizes the values returned by all three paths simultaneously — randomizing only the registry without hooking NDIS leaves an exploitable inconsistency that a competent anti-cheat will catch.
GPU and display
GPU device UUID and adapter LUID via DXGI's IDXGIAdapter::GetDesc. Tracked by EAC, Vanguard, NeacSafe. Monitor EDID (Extended Display Identification Data — the panel firmware identity blob) read via EnumDisplayDevices or DDC over the video cable. Vanguard reads EDID at tournament-tier; EAC reads it for Fortnite tournament rules. Most consumer spoofers do not touch EDID because monitor swap is the alternative, but Raw Spoofer randomizes basic EDID fields.
Registry-based identifiers
MachineGuid lives at HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid — a single GUID set by Windows at install. Every anti-cheat reads it. Trivially spoofable via registry hook. Windows Product ID and install date are similar single-value reads from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion. Spoofers handle these as trivial overrides.
RAM, USB, PCI
RAM SPD serials are per-DIMM identifiers stored in the SPD chips on each memory module. They are part of SMBIOS Type 17 and read by Vanguard, Ricochet (Black Ops 7), and BattlEye for Escape from Tarkov. USB controller IDs and PCI device VID/DID are read by EAC at tournament-tier and by Vanguard at all tiers. PCI configuration space scanning is the path BattlEye uses to detect DMA cards per the ACM MATE 2025 BattlEye paper — a spoofer must randomize PCI values without colliding with the sentinel values BattlEye uses to identify Xilinx FPGAs, or you get flagged as DMA hardware while trying to look legitimate.
What a spoofer CANNOT randomize
TPM 2.0 endorsement keys — signed by the TPM chip vendor at manufacture, stored in the chip itself. Microsoft Pluton attestation — chip-to-cloud, computed by the silicon and cross-checked against Microsoft's servers per the Pluton documentation. CPU ID via Ring-3 — privileged read that requires either a hypervisor (which itself becomes a detection signal) or a kernel-level CPUID interception (more risk than benefit at consumer pricing). The registry copy of CPU ID is randomizable but anti-cheats cross-check against the silicon. Only Samuel Tulach's tpm-spoofer proof-of-concept has publicly attempted TPM EK randomization and it is unstable research code, not a product.
The honest summary
16 categories spoofable. 3-4 categories that no commercial spoofer touches. The product that lies about the second list is the product to walk away from. The full per-anti-cheat fingerprint matrix in the HWID Spoofer 2026 Guide maps which AC reads which identifiers, and Raw Spoofer covers the spoofable surface for EAC, BattlEye, NeacSafe, Warden, and Ricochet.
Related Pages
Sources
- EAC reverse-engineering repository — adrianyy / Adrian Yarygin
- Battling The Eye — BattlEye reverse-engineering — ACM MATE Workshop 2025
- Windows Storage Driver Reference — Microsoft
- Microsoft Pluton Security Processor — Microsoft
- tpm-spoofer proof-of-concept — Samuel Tulach
Related Questions
An HWID spoofer loads a signed kernel driver before the anti-cheat does, then hooks the Windows kernel functions and IOCTLs anti-cheats use to read hardware identifiers — SMBIOS via NtQuerySystemInformation, disk serials via IOCTL_STORAGE_QUERY_PROPERTY, MACs via NDIS, MachineGuid from the registry. When the anti-cheat queries, it gets back randomized values instead of your real hardware. Real values restore on reboot.
Raw Spoofer is RawCheats's in-house HWID spoofer — a signed kernel driver that randomizes 16 hardware identifier categories per session against EAC, BattlEye, NeacSafe, Warden, and Ricochet. It runs as an external process (not injected into the game), supports Windows 10 + 11 on Intel and AMD, and costs $4.99 per month. It does not spoof TPM EK, Pluton, or beat Vanguard — and we say so explicitly.
The best HWID spoofer in 2026 is one that hooks at the kernel-driver layer, randomizes 16+ hardware identifiers per session, names the anti-cheats it covers (EAC, BattlEye, NeacSafe, Warden, Ricochet) and explicitly disclaims the ones it does not (Riot Vanguard, Microsoft Pluton, TPM endorsement keys). Raw Spoofer fits that profile at $4.99 and ships from the same in-house engineering team behind the six RawCheats game products.
Volume serial is a 32-bit number Windows generates per-partition at format time and stores in the disk's filesystem metadata — randomized via registry hooks or filesystem driver writes. SMBIOS is the firmware-baked identifier table (UUID, motherboard serial, BIOS strings) read via NtQuerySystemInformation class 76. Volume serial is trivially spoofable from user mode; SMBIOS requires a kernel driver hook. Anti-cheats read both — a spoofer that handles only volume serial is incomplete.
