What is a HWID Spoofer?

A HWID spoofer is the engineering response to the modern hardware ban. When Riot Vanguard, Easy Anti-Cheat, BattlEye, or Activision Ricochet detect a cheater, they don't just ban the account — they record a fingerprint of the underlying machine and ban that fingerprint at the platform level, blocking the player from creating new accounts on the same hardware. A HWID spoofer's job is to change every identifier in that fingerprint so the next account creation reads as a different machine entirely.

What identifiers a HWID spoofer touches

A complete 2026 spoofer randomizes the following surface:

• SMBIOS data — manufacturer name, product name, BIOS version, serial number, system UUID, baseboard manufacturer/product/serial, chassis serial. Read via WMI Win32_BIOS, Win32_BaseBoard, Win32_ComputerSystemProduct.
• Disk identifiers — volume serial numbers, disk drive serial numbers, partition GUIDs. Read via IOCTL_STORAGE_QUERY_PROPERTY, DeviceIoControl, NTFS volume metadata.
• Network identifiers — MAC addresses on all physical and virtual adapters, NIC GUIDs.
• CPU identifiers — CPUID brand string, hypervisor present flag, microcode revision.
• GPU identifiers — adapter LUID, GPU device ID, driver registry serial.
• Display identifiers — EDID monitor serial, monitor manufacturer codes.
• TPM 2.0 / Pluton — endorsement key hash, attestation identity (the highest-difficulty target; covered in can a spoofer beat TPM 2)

How HWID spoofers work

The simplest spoofers patch user-mode WMI query results — they intercept the call site where anti-cheats fetch identifiers and return modified values. This approach is trivially detectable because the actual identifiers in memory and on disk remain unchanged. Modern spoofers run a signed kernel driver that intercepts identifier-fetching operations at the IRP level, modifying IOCTL_STORAGE_QUERY_PROPERTY responses, IOCTL_DISK_GET_DRIVE_LAYOUT_EX responses, and ACPI table reads for SMBIOS. The kernel driver runs before the anti-cheat scanner so the anti-cheat sees the spoofed values rather than the originals. Many spoofers also persist randomized values into bootloader registers or use ACPI table overlays to survive a reboot. We cover the full architecture in our HWID spoofer pillar.

Why HWID spoofers exist

Hardware bans are now standard. Riot reported 2.3 million HWID bans across Valorant and League of Legends in 2025; a five-day wave in January 2026 produced 340,000 additional Valorant HWID bans. Activision Ricochet, BattlEye, and Easy Anti-Cheat all implement equivalent hardware-level ban lists. Without a spoofer, a banned user has two options: buy a new motherboard plus a new GPU (the two highest-weighted fingerprint sources), or stop playing. A working HWID spoofer is cheaper than a new motherboard and resets the fingerprint in software.

Limitations and detection

HWID spoofers fail in three ways. First, signature-based detection: anti-cheats reverse-engineer popular spoofer drivers and add their signatures to scan lists, burning specific spoofer products. Second, TPM 2.0 attestation: the TPM signs a hardware identity at the chip level and a software spoofer cannot forge a TPM-signed report. Microsoft Pluton extends this. Third, hypervisor-level identifier read: an anti-cheat that runs above the operating system in a hypervisor (the direction Vanguard is moving) reads identifiers before the spoofer driver can intercept. For more on the TPM problem see what is TPM 2 and how does it affect cheating.

RawCheats positioning

Raw Spoofer is RawCheats' dedicated HWID spoofer product, kept current against the major kernel anti-cheats listed above. See Raw Spoofer for the product page and our HWID spoofer pillar for the architecture deep-dive.