Jump to content

How to find the unique ID that Microsoft has assigned to you


LetsWindows10

Recommended Posts

Thanks to the blog post linked below where it was discovered that your unique ID was being passed to MS Cloud services in plain text, I've found the same unique ID located in the Windows 10 registry.

 

http://annoyedmicrosoftuser.blogspot.com/2015/10/microsoft-stop-sending-user-identifiers.html

 

The same ID passed in plain text to the cloud is located in the Windows 10 registry under:

HKLM\Software\Microsoft\Windows\CurrentVersion\Census\MSACIDs

 

 

8RjtNYy.png

 

The above screenshot is from Window 10 build 10240.  I'll be updating OS build to confirm it persists across builds.  It was found while logged into Windows 10 with my Microsoft account - not a local account, so YMMV.  

 

Originally I used the info in that blog post to verify his results under Windows 7 and IE11.  I logged into my Microsoft account and found the CID with Developer Tools (F12) on the Network tab.  (The CID is "yellowed-out" in all screenshots)

6t4ZeSF.png

 

Notice at the top right of the screenshot how Microsoft has conveniently recorded information about every PC I've used to test Windows 10.

 

Stopped capturing network data, closed & reopened IE, started recording network data again and logged into OneDrive to find the same CID.

 

gdKGQUz.png

 

 

 

This information persists across hardware, it is not an "anonymous identifier."  It is directly linked to your MS account, in plain text, for the majority of Windows 10 users who do not use local accounts.

I have Windows 10 and Windows 7 on separate physical hard drives and I physically swapped them out to test this. 

 

What does this mean to the average user?  Probably not much yet, but I'm sure the blackhats are already on the case.

 

Should we get CID tattoos now or later?  One of us!  One of us!

Link to comment
Share on other sites


This information persists across hardware, it is not an "anonymous identifier."  It is directly linked to your MS account

The CID is tied to your MS account. It would make sense that if you use your MS account to log into Windows 10, then that ID is stored somewhere in the OS. See here:

http://www.msfn.org/board/topic/174208-windows-10-deeper-impressions/#entry1109597

Link to comment
Share on other sites

Logged in with a local account, the MSACIDs field in the registry is blank for me.

 

Is this the "Microsoft Advertising Customer ID" we're talking about here?

 

LetsWindows10, you're anticipating a new kind of identity theft?

 

-Noel

Link to comment
Share on other sites

Have read that after the next upgrade it won't require MS account

 

???  As far as I can see, it doesn't require an MS account now.

 

And no, I'm not logging in with an MS account (it's a local account, as I mentioned above).

 

-Noel

Link to comment
Share on other sites

 

Have read that after the next upgrade it won't require MS account

 

???  As far as I can see, it doesn't require an MS account now.

 

And no, I'm not logging in with an MS account (it's a local account, as I mentioned above).

 

-Noel

 

 

If I go to Store and try to install something I get this. I guess it changed allowing Work account, yeah right I not plugging that in either

I tried one time with MS and it changed my user and all so I had to image back

 

A workaround haven't tried yet http://lifehacker.com/install-windows-10-store-apps-without-switching-to-a-mi-1723075610

 

AayvATg.png

Link to comment
Share on other sites

If I go to Store and try to install something

 

(Said with a southern drawl...)  "Well thar's your problem right there!"  ;)

 

Way back when I had Apps installed, as I recall if you were careful there was a way to enter one's Microsoft account temporarily, for that one visit.  But things have probably changed since then.

 

You're saying they're going to loosen up on the requirement to have a Microsoft account to be able to visit the App Store and buy something?  That seems almost impossible to imagine.

 

-Noel

Link to comment
Share on other sites

You're saying they're going to loosen up on the requirement to have a Microsoft account to be able to visit the App Store and buy something?  That seems almost impossible to imagine.

For all the Windows 10 Upgrade (from Win7) testing I did, I was never asked to log in or create a Microsoft account. So the local account from Win7 was the default account then in Windows 10. Maybe it has to do with situations like that?

Link to comment
Share on other sites

LetsWindows10, you're anticipating a new kind of identity theft?

 

It seems careless and ripe for exploitation.  In the MS profile, there's a section for Money & Gift Cards (see screenshot above) for Microsoft Stores and Apps.  Wonder if it saves credit cards for "fast checkout" and how long it will take someone to compromise?

 

A system is only as secure as its weakest link.  Plain text is weak.  There's a whole site dedicated to it http://plaintextoffenders.com

 

From Krebs on Security regarding the Experian data leak (cleverly reported as a T-Mobile data leak in the media because no one needs to know it was actually the largest credit check firm in the world involved or they've never heard of Experian unless they've applied for a mortgage)

 

The same source demonstrated how modifying just one or two numbers at the tail end of that link revealed requests for access to networked file shares from across a range of Experian’s business units. The requests included specific names of network shares, usernames, userIDs, and LanIDs, as well as email addresses, phone numbers of Experian personnel requesting and approving the changes.

 

It's disconcerting at the least whenever a number is assigned to a human being.  I'm well aware of unique keys in databases, and that's potentially all this is, but it should not by any means be plain text and accessible via web from any unauthenticated browser.  I know someone who just searched for OneDrive screenshots and was able to pull up profile photos for the people who posted them.

 

Most of this rant is wild speculation and...well, just a rant, but there are real-world examples of this practice being a Bad IdeaTM

 

Leave a door open for long enough and you'll start to get uninvited guests.

Link to comment
Share on other sites

Seems to me Microsoft was all Gung Ho on requiring everyone to have a Microsoft Account early in the pre-release process, then reality started to set in and they finally had to cave and provide local account support.

 

It's a matter of taking Windows in a direction people just don't want to go in.  Especially not the business folks, who pay for it all.

 

They think they're leading the world, but they're really wandering randomly with the overly simplistic mindset of a child.

 

-Noel

Link to comment
Share on other sites

It appears they're catering to Joe Consumer by mimicking Apple in some regards and running around like a fox in a hen house, stealing all the data while you pay no attention to the man behind the curtain.

 

Both companies' offerings are functioning as they have specified so the only things left to improve are fonts, menus and emojis for christsakes.

 

Apple releases flat menus and new fonts in Yosemite -> Microsoft releases flat menus and new fonts in Windows 10

Apple releases new emoji in iOS 9 -> Microsoft releases new emoji in Windows 10

 

I've listened to headline news on the net and on radio news/talk shows where grown men are excited about new SMILEY FACES as much as they are about cars/sports/new power tools?!!!?

 

They're just smiley faces!  

Reported for Apple's release: "you’ll see a ton of new emoji on the keyboard including taco, unicorn, a stop hand, turkey, burrito and block of cheese."  A block of cheese!

 

Reported for Microsoft's release (Forbes no less!): "Microsoft has its mojo back. Under Satya Nadella the company is now radical, cool and determined to take risks. Apparently even with its emoji…While it may offend some, the middle finger emoji is at least racially diverse and it is included in five new Windows 10 emoji skin tone options."

 

I'm saving my money so I can buy the next ticket off this planet.

Link to comment
Share on other sites

Well can't find where I read that so my bad, maybe wishfull thinking cause first few days on 10240 it only allowed MS account if you wanted to download from store. They now letting you use work or school. And all the puppies will follow so obediently

 

The workaround does work. I tried with 2 app just to check it. I imaged back to having Store and app connector I think is required to use it also

For the average user trying to figure out how to sign out of store is not easy.

You click your icon, then under account you click on the account again and the Sign out is there %$#@

 

Dam I get no cheese block on my samsung. may commit hairy my carey. But I would like to give MS their MF back nlm

Edited by maxXPsoft
Link to comment
Share on other sites

 

I'm saving my money so I can buy the next ticket off this planet.

The issue being of course that those tickets are only sold online through an app that you can only have through a "downloader app" from the Windows Store, accessible only once you have logged in with your Microsoft Online Account and that buying one will activate an interstellar  :w00t: tracking cookie on all your devices .... ;)

 

jaclaz

Edited by jaclaz
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...