NOTE* this FAQ is under a heavy consturction, so excuse the mess, please. I am trying to make into a coherent readable form using info from several sources.

You didn't know you were being marked, did you? (WHAT GUID numbers???)


GUID stands for short for Globally Unique Identifier. Yes, the word "global" SHOULD bother you. This FAQ is the continuation for the WIRED article on GUID numbers, so some of the info will be repeted. For a lame explanation of what GUIDS are you could vist the offical GUID site , or the offical Micro$oft GUID site but unfortunatly, neither offers much there. I have compiled info from several siyes on what GUID is so this FAQ is a work in progress and I will be adding MORE info as I myself learn more.

It appears there are many diff kinds of GUIDs -

  • UUDIS (Universally Unique IDentifier),
  • ALL NICs (Network Interface cards) have a MACs (stands for "Media Access Control", whatever that means!),
  • MSID(Microsoft ID?) (used to identify a PC running Win98),
  • HWID(used to identify the user of a PC),
    .
  • Some of them are used for identifying your Ethernet adapter,
  • others in the software we use every day, software that includes numerous Micro$oft products like Office 97, Excel,Wordpad, or freeware like Real Player, Microsoft Windows Player,ets, ets,
  • seems EVEN cookies, carry GUIDs, so really, there is no end to where GUIDs can be found.They can be either 48 bit, 128 bit, 256 bit, ets bits number.

    The GUIDs can then be used just like an electronic fingerprint, identifying the exact computer on which copy of a particular software is installed, or a document is created, much like a Vehicle Identification Number can be used to identify automobile parts.

    Originally, GUIDs were designed to be used with ActiveX controls, but can beused for any purpose that requires a unique serial number. The Windowssystem calls "UuidCreate" or "CoCreateGuid" are used to make new GUIDs.The 128 bit GUID is mostly used in Windows to identify ActiveX controls. The low 48-bits of a GUID are usually the Ethernet adapter address. Because no 2 machines should have the same Ethernet adapter address, a GUID generated on one computer should not be duplicated on any other computer.

    Ethernet cards, NIC cards, and the MAC:

    NOTE* Technically, a modem PPP connection doesnt have and Ethernet adapter, so Windows seems to use a pseudo-Ethernet address from a modem PPP connection. On several diff computers that I checked, this address is the same number, 44-45-53-54-00-00. (To look it up yourself read bellow) Unlike the most business computer users, the typical home user probably does not don't have an Ethernet adapter (NIC card) in their computer-YET. But if you DO,then you show know that each NIC card has a BUILD-IN unique, identifiable addresss called network adress-i.e MAC.Without one, your Word and Excel documents will not be marked with a traceable GUID. However as MORE people switch over to using cable modems and ADSL modems for their Internet access, fingerprinting of documents will become much more likely even for the home user.


    You should also know that the majority of your .DOC and Excel files have your Ethernet address in them. In the few files that don't, you will found the PPP pseudo address, Microsoft has confirmed that the GUID's are being putting in Excel and Word files, but it is still unclear for what purpose. However, both programs seem to generate a new GUID when a file is saved to disk. I've only tested files produced by Office 97 for Windows. I'm unsure if the problem also exists for Office 95 files or Mac Office files. Another distirbing development is that the cookies the Web sites place on your PC also have GUIDs inbedded with in them cookies. You cando a quick scan yourself to confurm thata number of websites that were indeed using GUIDs for identification purposes.The cookie version of GUIDs are usually a 6 digit number thats a combination of your IP number, an ID number, the time of the day, month, exparation date, ets.


    To understand the issues, I will list a few places where the GUID number can be found along with a few fun experiments.

  • To see your MACwith Windows 9x, go to START, RUN and type "winipcfg" from the Run box. It should load with a dropdown that says 'PPP Adapter'. Change the drop downto the name of your hardware adapter. The Adapter Address field will saysomething like 00-70-06-9A-8E-43. That's your MAC. Each byte is presentedas two hexdigits (0 through 9 or A-F) for a 12 character ASCII string whichis what Microsoft uses. With Windows NT, run instead winmsd, go to the Network tab and pick Transports and you'll get the MAC.

  • Next, you might want to search your Registry for your MAC as a string. I foundmine numerous times - two in suspicious places viz a viz Microsoft. It'spart of a key for Media Player called Client ID (is this passed on to the Media Player servers?) and as part of a key HKCU\Identities that seems to be connected with Outlook Express 5.0.
    Next, go to your cookies directory look for a text file whose name is your login name. In it you'll find a string called GUID that includes your MAC. This cookie is sent to www.microsoft.com every time you visit that site. You may have realized they were making a cookie when you registered their site but I bet you didn't realize they were adding hardware information without your permission. (Actually the Win98 Registration Wizard made the cookie before you went to the Microsoft site.)

  • For the next experiment, you'll need to look at a Word 97 document in textmode. You can't do this with Word. If you have Quick View Plus (plainQuick View on't do), open a Word doc in QVP, go to the View menu andpickView as Text. Or make a small Word doc, save it and rename it to a .txt extension and open it in Notepad. Now search for the string PID. You should find _PID_ GUID and shortly afterwards, a long hex string insidebraces such as {F96EB3B9-C9F1-11D2-95EB-0060089BB2DA}. Those 12 hex digitsat the end will be your MAC. Yup, every Word doc, every Excel spreadsheetand every Power Point presentation is branded with an identifier showingthe PC it came from. shecould determine they were made on the same machine. (Of course, if youaren't careful, the document includes an author name and if anycorrections were made, it may say who made the corrections.

  • To run the next experiments, you'll need Windows 98 , so I'll tell you what happens so you can follow along in any event. In your Windows directory, you'll find a file called reginfo.txt. Open it in Notepad and look for aline called HWID; it ends with your GUID or MAC. This file is created when you install Windows and is transmitted to Microsoft when you register. And here's the clincher: even if you check the box not to send hardware information, this data is sent. And it's even worse - the data collect ioncode is in an ActiveX control that can be used by any Internet site outthere. Pharlap has a demo to illustrate this: go there and it displays your MAC on screen. Any site knowing of this control could track MACs of all Windows 98 visitors to their sites. There is also a demo anddiscussion at Windows Magazine. By the way, this ActiveX control is also in the Windows 2000 beta so if Microsoft hadn't been found out, NT users would have been hit next.
    According to a recent report in The Seattle Weekly, Microsoft has also embedded the GUID into its Windows Media Player, which in theory would allow Web site operators to track everyone who downloads a streaming audio or video file. By know we ALL know that Real Networks, whose Real Player software is the main rival to Windows' Media Player, also packs a GUID Real Networks is being sued over the GUID at the moment. Microsoft promises that the notorious GUID is not included in the Office2000 upgrade that it began shipping recently to its largest corporate customers. Hackers will have eight weeks to verify the claim before retail versions of the popular application suite go on sale on June 10 1999.
    But wait, it gets better. According to the Interception Capabilities www.aci.net/kalliste 2000 report, Lotusbuilt in an NSA "help information" trapdoor to its Notes system, as the Swedish government discovered to its embarrassment in 1997. By then, the system was in daily use for confidential mail by Swedish MPs, 15,000 tax agency staff and 400,000 to 500,000 citizens. (section 43) The report goes on to describe a feature called a "workfactor reduction field" that is built into Notes and incorporated into all email sent by non-US users ofthe system. The feature "broadcasts 24 of the 64 bits of the key used for each communication", and relies on a public key system that can only be read by the NSA.
    So much for your anonymity online! Richard Smith of PharLap who was the first in the world to discover the first place where Microsoft had put GUID-in the Office 97 documents. It came embedded into the header of every document. According to THEM, this technology dates from the days when Microsoft created a linking technology to bring together a variety of data files into a single document, so the identifier was a safety precaution to find documents whose links had been broken. Yet, the GUID also includes a variety of PC-specific information, such as the Ethernet adapter address, which can uniquely identify the particular PC on which document was created. After Smith generated interest in the issue, privacy experts warned that GUIDs might put an end to the anonymity Internet users enjoy, since documents could always be traced back to the machines they were reated on. and what can stop Microsoft from building a database of these numbers? Smith said he was able to uncover the unique Ethernet adapter address and manufacturer's ID from the GUID left in the document and two other indentifiers left in the macro itself. Knowing this, Smith found the GUID embedded in the Melissa virus, and was later able to match it to a GUID from another virus reportedly written by VicodinES. The evidence is not full-proof, however. Since virus writers often copy and build off each other's work, it's possible the initial document which served as the foundation for the Melissa virus was created on one machine, but the actual culprit did his or her work on another machine. In that case, the GUID would point to the wrong suspect In Microsoft's case, the GUID was not intended to track people at all, said Smith -- it's ability to do so was just a side effect. Smith said he was able to uncover the unique Ethernet adapter address and manufacturer's ID from the GUID left in the document and two other indentifiers left in the macro itself. Things get much worse. Turns out there are number of other places that Microsoft has been using these GUID or MACs in Windows 98 IDs, in Office 97 documents in Windows 98 registery and in the microsoft.com cookies. We all know about the inclusion of hardware IDs in the Pentium III chip and privacy advocates' concerns about it. Turns out many of us already have hardware IDs on our systems since ALL Ethernet cards have a MAC, a six byte ID number that networks need to be sure to properly direct network packets. Of course, the Pentium III ID's are more serioussince many home systems don't (yet) have network cards and the biggestprivacy concerns are in the consumer space.. And privacy concerns result from all these uses. Microsoft is collectingand storing in its databases unique hardware information. Thatinformation brands your documents, and is always sent on when you accessMicrosoft's site. One has to consider the possibility that Microsoft iskeeping some master database tracking all sorts of interactions based onyour MAC. And one has to allow the possibility that the MAC will beencoded in the information that is sent by the Office Registration Wizardin Office 2000. Microsoft has reacted vigorously to the developments in this story. Theyhave on their site in which theypromise to remove the hardware ID part of the registration wizard in aWin98 upgrade. They also promise to delete 'any hardware ID informationthat may have been inadvertently gathered without the customer having chosen to provide Microsoft with this information.' Tools have alreadybeen posted to remove branding from Office applications and fromalready-created docs and there is a promise that branding will be removed>from the final version of Office 2000. Beyond these actions, there has been a full court spin operation. Some MSrepresentatives have (unwisely in my opinion) attempted to minimize theissue. There have been claims that the doc branding was a part of afeature, never implement, intended solely to help network administrators. There has been harping on the fact that the MAC only identifies a machinebut not an individual - true but not of much comfort in many cases. We'vebeen told that Windows 98 sending a HWID even if you said not to sendhardware information was a bug, not a feature - an inadvertent programmingerror. There's been no new statement about the use of MACs in cookieswhich I find most disturbing. We've been told by Microsoft representatives that the Office 2000Registration Wizard doesn't collect MACs or anything like a MAC. Indeed,they claim that while the Office CD serial number can be reconstructed>from the 16 byte code sent by the wizard, the hardware info does not allowreconstruction. In particular, if the different CDs were used on the samemachine, they'd be unable to tell that the codes came from the samemachine. The problem with the Microsoft position is that the company has so little credibility and there is too much of a pattern here. . Microsoft has amply demonstrated that it is companypolicy to, er, shade the truth when doing so serves aperceived businesspurpose. We see it in the leaked disinformation about Windows 2000 shipping this fall, we've seen it in their previous reactions toaccusations and we saw it too often in the testimony at the DOJ trial. That means one has to take skeptically every statement that Microsoft hasmade about the MAC problem. I'm inclined to believe that branding ofOffice documents wasn't part of a plot to link together our entire livesin Microsoft's databases. But I'm insulted that they try to bat theireyelashes and claim to us that the sending of the HWID even when you told them not to send hardware info was an inadvertent error. And I'm concerned that we have no way of knowing that they've kept their promise to remove hardware IDs from their internal databases. Indeed, my presumption is that they will not.

    In conclusion: Micro$oft and other contless companies are tucking all sorts of numbers into all their productsfor accounting and tracking purposes and not telling us the users about this. While they have said they'll stop using HWID, they have also said they'll continue to use the MSID number which is created by the Windows 98 Registration wizard. And, guess what? As discovered byPeter Siering at the German publication C'T Magazine, the registration wizard also creates a Microsoft cookie that includes MSID. So even after the apologies and changes, it seems Microsoft hasnt learned it lessonand STILL be quite capable of tracking us and linking online visits to registration information. The only thing as a userI might say one word-LINUS......

    FINAL NOTE* ANY ideas, tips, suggestions about GUIDs are welcome.