Game Hacking Guides

Hardware Bans Explained: Why a Software Spoofer Is Not Enough

July 14, 2026Nathan Reed9 min read

A hardware ban fingerprints eight different components, from motherboard SMBIOS to monitor EDID. Here is what each layer actually checks and what closes the gap.

Hardware Bans Explained: Why a Software Spoofer Is Not Enough

What a hardware ban actually targets

Most players picture a hardware ban as a slightly angrier account ban. It is not. An account ban blocks a login. A hardware ban blocks a machine, and it does that by fingerprinting the physical components inside it rather than anything you typed into a signup form. Delete the account, register a new email, the fingerprint from the old session is still sitting in the anti-cheat's database waiting for a match.

The fingerprint is built from serial numbers, and serial numbers exist for reasons that have nothing to do with anti-cheat. Manufacturers use them for warranty tracking, inventory, and fraud prevention on returns. BattlEye, EasyAntiCheat, Vanguard, Ricochet, and ACE simply read what is already there and store it the first time your account gets flagged. Every anti-cheat listed here already runs on titles most of this audience plays daily.

That is the part a software-only spoofer can only half solve. A registry edit changes what Windows reports. It does not change what the motherboard's firmware reports, what the disk controller reports, or what the monitor reports over its own data line. Those three keep telling the truth unless something intercepts them directly.

The eight components that carry a fingerprint

A modern PC is not one identifier. It is a cluster of them, spread across firmware, storage, and peripherals that most players never think about as "identity" at all.

Component What gets fingerprinted Software-only fix works?
Motherboard (SMBIOS) Serial number, UUID, asset tag burned into firmware ROM No, firmware write required
TPM module Endorsement Key, unique per chip, not per motherboard No, physical chip swap required
Disk drive (NVMe/SSD) Controller-level serial, reported below the OS Partial, RAID or hardware swap needed
Monitor (EDID) Manufacturer ID and serial reported over HDMI/DP No, requires EDID reprogramming
RAM module (SPD) Serial and asset tag on newer DDR4/DDR5 kits No, requires an SPD programmer
Network adapter (MAC) Hardware address burned into the NIC chip Partial, adapter-level only
USB peripherals Mouse, keyboard, headset serials on some branded devices Depends on brand, many ship with null serials
Windows identifiers MachineGuid, Product ID, SID Yes, but only this layer

The row that trips people up most is the disk. Players assume swapping the SSD clears the flag, and on some anti-cheats it does. The problem is scale. Replacing a drive after every ban is expensive and slow, which is exactly why the RAID trick covered in the next section exists.

Temporary spoofing versus permanent firmware writes

The word "spoofer" gets used for two completely different approaches, and mixing them up is the single most common reason a fresh account gets caught within days.

// What each method actually changes

Temporary spoofing: intercepts queries at runtime, real serials untouched, resets on reboot Session only
Registry-only edit: changes MachineGuid and Product ID, every firmware-level ID stays original Ineffective alone
Permanent SMBIOS write: rewrites the values stored in motherboard ROM, survives reboot and reinstall Firmware write
Physical component swap: new TPM chip, new NIC, new RAM kit, the only fix for parts with no rewritable field Hardware swap

Permanent firmware writes are not a casual weekend project. The tooling that OEMs use to write SMBIOS data during manufacturing exists for system builders and repair technicians, not end users, and running it while an anti-cheat's kernel driver is active is how systems get bricked or bans get triggered mid-write. Anyone attempting a firmware-level change reinstalls Windows afterward as a baseline precaution, every time.

Temporary spoofing avoids all of that risk by never touching the firmware at all. A kernel driver sits between the anti-cheat's query and the real hardware response, substitutes a consistent fake value for the duration of the session, and unloads cleanly. Nothing on the motherboard changes. Nothing needs to be backed up before you start. That tradeoff, zero physical risk against a rebuild every session rather than a permanent one, is why session-based spoofing is the standard approach in a legitimate HWID Spoofer product rather than a firmware flash tool.

Why RAID hides a disk and why TPM does not care about your motherboard

Two pieces of this puzzle confuse people more than the rest combined, and both come down to where the identifier actually lives.

RAID 0 across a single NVMe drive sounds pointless for performance since there is nothing to stripe data across. That is not why it gets used here. AMD's RAID implementation abstracts the underlying disk from the operating system more aggressively than Intel's does, which means less of the drive's real controller-level serial reaches software that anti-cheat can query. Intel RAID still exposes more of that raw disk data. It is a platform-level difference, not a marketing one, and it is the reason AMD boards show up disproportionately in ban-evasion hardware discussions.

fTPM (firmware TPM on AMD, PTT on Intel) is generated by the CPU itself, not the motherboard. Buying a new motherboard while keeping the same processor does nothing to change it. Anti-cheats that increasingly require TPM 2.0, Vanguard among them, are reading a key tied to the chip in the socket. The only way to change that specific identifier is a discrete TPM module connected through the motherboard's TPM header, replacing the firmware-based key with one on a physically separate, replaceable chip.

That distinction, CPU-bound versus motherboard-bound, is easy to miss and expensive to get wrong. A full motherboard replacement solves the SMBIOS row in the table above. It solves nothing for TPM.

The fingerprints nobody checks: monitors and RAM

Two identifiers get almost no attention in most ban discussions, and both have become more relevant as manufacturers add serials to parts that never used to carry them.

A monitor reports its own EDID data (manufacturer, model, serial number) directly to the graphics card over HDMI or DisplayPort. Some anti-cheats log it. The fix is not obvious because it sits outside the PC entirely; the data comes from the display, not from Windows. One workaround is buying monitors with null serials from the factory. The more flexible option is a device that sits physically between the graphics card and the monitor, reprograms the EDID data in transit, and can generate a fresh serial without opening the monitor itself.

A hardware EDID fuser box that sits between a graphics card and monitor to reprogram display identifiers
An EDID fuser intercepts the data line between GPU and monitor, letting the reported serial be reprogrammed independently of the display's factory firmware.

RAM is the newer problem. DDR4 and DDR5 kits historically shipped with null or non-unique SPD (Serial Presence Detect) serials, which is why RAM barely came up in hardware ban discussions until recently. That has started changing as manufacturers add real serials, partly to reduce warranty fraud and partly because anti-cheat vendors started asking for it. A quick PowerShell check tells you where a given kit stands:

Get-CimInstance Win32_PhysicalMemory | Select-Object Manufacturer, PartNumber, SerialNumber

A result showing all zeros or an obviously generic string means the kit was never uniquely identified in the first place. A real, distinct serial per stick means the module can now be logged and matched, the same way a disk or a motherboard can.

A DDR4/DDR5 SPD programmer module clipped onto a RAM stick to read and rewrite its serial data
An SPD programmer clips directly onto the RAM module to read and rewrite the serial and asset tag fields stored on the chip, separate from anything the OS reports.

How deep each anti-cheat reads into firmware

Not every anti-cheat pulls from the same depth of the stack, and the difference determines how much of the table in section two actually matters for a given game.

// Firmware-level identifier depth per anti-cheat (2026)

Vanguard (Valorant)
TPM + SMBIOS + disk, boots pre-Windows
BattlEye (Tarkov, PUBG)
SMBIOS + disk + MAC + volume GUID
EasyAntiCheat
SMBIOS + disk + MachineGuid cluster
Ricochet
Disk + GPU + telemetry cluster
EA Javelin
Disk + MachineGuid, lighter firmware reach

Vanguard sits at the top for a structural reason, not a policy one. Its driver loads before Windows finishes booting, on systems where TPM and Secure Boot are already required, so it gets first access to firmware data before anything else on the machine has a chance to intercept the query. That timing is also its weak point. A spoofer that does not win the race to load before Vanguard initializes only spoofs queries that happen after the original fingerprint was already recorded.

EA Javelin's lower score reflects a newer, narrower rollout across EA Sports FC titles rather than a permanently lighter footprint. Coverage tends to expand with each patch cycle, not shrink, which matters for anyone assuming a currently thin check stays thin.

What actually closes the gap

Firmware rewrites and physical chip swaps solve the problem permanently, at the cost of real risk: a bad write can brick a board, and every step assumes you already backed up the factory values before touching anything. That is not a fit for someone who wants to be back in a match this weekend, not next month.

The practical middle ground is a spoofer that covers the full identifier surface at the driver level rather than one or two registry values. Disk, SMBIOS, MAC, and volume identifiers all get intercepted the same way, before the anti-cheat's query ever reaches the real hardware, so nothing on the actual motherboard or drive changes and nothing needs to be reflashed between sessions.

That is the model the ZhexCheats HWID Spoofer is built on. For titles like Escape from Tarkov and PUBG, both running BattlEye's firmware-level checks, and Valorant, where the TPM Endorsement Key check described above is the harder problem to solve, session-based spoofing paired with a proper trace cleaner closes the practical gap without anyone touching a soldering iron. EA Sports FC players heading into EA FC 27 face the same Javelin coverage expansion noted in the bar chart above, and the same driver-level approach applies there too.

None of this replaces buying clean secondhand hardware in the first place. It does mean a ban does not have to end in a motherboard teardown to come back from.

// More articles