• File Path: C:\WINDOWS\SysWOW64\TpmTool.exe


Type Hash
MD5 3696EF95786E631252FCA17E1F2E7710
SHA1 763A76E5C5706D5A2E26BCF96682A2C3D8A705A2
SHA256 D638503D61513EE4FA85BB15D8F1CA2F4B6A17A7EE765522128DE13C43ECC520
SHA384 17C833B5FA2CB19F63CFDB021CB8D7A85D6260DE92AB17608E7F7E1CEA27006710E281070F41CBF4828691E05C5668E7
SHA512 39C12DB1E5973C0489FA051459EB65A102A821F4CC336484F9C01D5A609B95F8D3FB77F3B6EB0D3DBFCF0021BDA3ECDB29BC21D9FA6309F193B51313C2388B91
SSDEEP 3072:OM+U2RNKfp8+mS3tC2dNPAGiEQpncsTJDk68j:da7olDPtiEexkt
IMP 247ED4A0824EB459569B62B8B2087E15
PESHA1 7FD4D86137C4C64A881AC1B2A4289E0CAFA2A101
PE256 28E8764174F23E2E591709D60253955D9481D837318303A6FCA36525820DD0C2

Runtime Data

Child Processes:


Loaded Modules:



  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename:
  • Product Name:
  • Company Name:
  • File Version:
  • Product Version:
  • Language:
  • Legal Copyright:
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: Unknown

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


This utility can be used to get information about the Trusted Platform Module (TPM).

[!IMPORTANT] Some information may relate to the pre-released product, which may be substantially modified before it’s commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.


tpmtool /parameter [<arguments>]


Parameter Description
getdeviceinformation Displays the basic information of the TPM. See the Win32_Tpm::IsReadyInformation method parameters article for details about the information flag values.
gatherlogs [output directory path] Collects TPM logs and places them in the specified directory. If that directory doesn’t exist, it’s created. By default, the log files are placed in the current directory. The possible files generated are:<ul><li>TpmEvents.evtx</li><li>TpmInformation.txt</li><li>SRTMBoot.dat</li><li>SRTMResume.dat</li><li>DRTMBoot.dat</li><li>DRTMResume.dat</li></ul>
drivertracing [start | stop] Starts or stops collecting TPM driver traces. The trace log, TPMTRACE.etl, is created and placed in the current directory.
/? Displays help at the command prompt.


To display the basic information of the TPM, type:

tpmtool getdeviceinformation

To collect TPM logs and place them in the current directory, type:

tpmtool gatherlogs

To collect TPM logs and place them in C:\Users\Public, type:

tpmtool gatherlogs C:\Users\Public

To collect TPM driver traces, type:

tpmtool drivertracing start
## Run scenario
tpmtool drivertracing stop

Additional References

MIT License. Copyright (c) 2020-2021 Strontic.