not a usb programmer, but are you saying i can buy any old usb chip and program it with any vendors ID and spoof windows into giving me admin? if so, gj micrcosoft.
You can pretend to be any vid:pid with usb gadget mode. For example with a raspberry pi zero something.
But you can't pretend to be any vendors id, only the ones with vulnerabilities. And the drivers or spyware will be downloaded by windows from the vendor's site, not from your peripheral.
But yes, usb device identifier is done through software/firmware.
You can also spoof a keyboard and simulate keystrokes to open terminals and run arbitrary commands. I don't know about Windows, but on Linux it's possible to block USB connections by default and filter them in userspace:
This allows enforcing rules like "never add an additional keyboard". But the USB protocol has no support for strong device authentication, so there's no way to prevent a device from acting like a malicious version of something in the device class you expected it to be without abandoning "plug and play" altogether (a reasonable solution in secure environments where unused ports are often physically blocked).
I've heard so before: that USB is a massive security hole. At least in Windows; I don't know if other OSs are also vulnerable.
Better to just never stick strange USB sticks in your computer.
You can "spoof" any system where you can load older drivers into giving you admin/root, you just need to find a vulnerable driver. Nothing Windows-specific in that.
You could use any programmable microcontroller with a USB interface. Consumer products tend to have fuses set to they can't be programmed again.
The latest driver registered with Microsoft for the product you're going to spoof would need to have a vulnerability to exploit. You can't supply any driver.