HWIDChanger
Back to list
Published on May 8, 2026

How anti-cheats fingerprint your PC (and how to bypass it)

Vanguard, EAC and BattlEye run in kernel mode for a reason — they read SMBIOS, disks and network adapters directly. Here is exactly what they see.

How anti-cheats fingerprint your PC (and how to bypass it)

When an anti-cheat hands out an HWID ban, it doesn't "remember your computer" in some abstract sense. It stores a specific set of hashes derived from real hardware identifiers. To understand what we're changing when we change HWID, you have to understand what these systems actually read.

Where the "fingerprint" comes from

Kernel anti-cheats (Vanguard, EAC, BE) read four main groups of sources:

  • SMBIOS tables — system UUID, motherboard serial, BIOS model and serial. These are values burned into the chipset.
  • Disks — model serial (IDENTIFY DEVICE for SATA, Identify for NVMe), plus the GPT/MBR Disk Signature and the NTFS volume serial from the BPB.
  • Network adapters — permanent (ROM) MAC of physical interfaces, plus the PnP instance ID.
  • CPU — brand string from CPUID, microcode revision, sometimes a serial (older architectures).

All of these are hashed together to form the hardware fingerprint. If at least half match a banned one — the anti-cheat treats it as the same PC.

What Phase 1 changes, and what it doesn't

The software layer — values that live in the registry and filesystem metadata — is changed directly: MachineGuid, ProductId, SusClientId, NTFS volume serial, MAC via the NetworkAddress registry key. That covers a significant slice of the fingerprint and is enough to bypass most consumer-grade DRM and game anti-cheats up to BattlEye level.

What Phase 1 does not touch: SMBIOS UUID (firmware-resident, needs BIOS reflash or DMI override via driver), real firmware disk serial (needs ATA Security Mode or firmware reflash) and CPU brand string (fully read-only).

How the rest is covered — Phase 2 (hook DLL)

For cases where you need to fool a specific process (not the whole of Windows), an injection DLL with hooks on GetVolumeInformation, GetComputerName, RegQueryValueEx and DeviceIoControl for SMART is the answer. The hooks swap return values only inside the target process.

Upside — Windows activation and drivers keep seeing the real identifiers, your license stays intact, and the game/DRM sees the fake. Downside — kernel anti-cheats (Vanguard) detect the hook immediately and require a driver-level approach.

Practical approach

For EAC/BattlEye/EOS/proprietary games Phase 1 (direct registry edits + volume serial change + MAC change) is enough in 90% of cases. For Vanguard and more aggressive systems you need either a kernel spoofer or a physical hardware swap (new motherboard).

The main advice: always keep a backup before changing, and don't combine HWID change with MAS/HWID Windows activation on the same disk — once the volume serial is rotated, activation will fail.

What anti-cheats read: SMBIOS, disks, MAC, and bypassing HWID bans | HWIDChanger