I'm trying to figure out which service in Windows is making regular connections to the domain ftpm.amd.com every hour. I suspect it might be something related to AMD, possibly downloading the TPM Endorsement Certificate, but when I check with my TPM keys command, there's no output showing any tasks related to that. I found out through ProcMon that taskhostw.exe is linked to TpmTasks under svchost.exe, but I can't find a scheduled task for it. It seems like it creates a task dynamically but deletes it afterwards. Any insights on what could be happening?
8 Answers
Did you use a standard installer, or did you modify it to skip TPM and BitLocker checks? At least for my AMD Ryzen systems, I haven't noticed any logs related to that domain in my DNS records.
You should definitely use ProcMon and log everything. Start logging, stop when it tries to connect, and filter down from the huge log file to spot the culprit process.
Thanks! I actually figured it out and updated my post.
It's probably something related to your AMD hardware, like the motherboard or graphics card. It could be set as a service or task in the background.
That endpoint is likely checking for revocation of TPM signing certificates. There's a similar setup for Intel systems too, but I don't know the exact process behind it.
Check this link out; it details some related findings: https://call4cloud.nl/2021/11/the-pursuit-of-happy-uhhh-tpm-amd-happyness-part-3/#part6
I suspect it's related to Device Health Attestation. Maybe there's a way to catch the task creation before it's gone?
That's a good point; maybe someone knows how to intercept that process.
If you're seeing it run regularly, fire up Process Monitor from Sysinternals. Just filter for that domain, and you'll likely catch which process is making the call.
It might be a utility hunting for updated firmware. That's my best guess based on similar behaviors I've seen.
That makes sense, but since it's downloading a TPM certificate, I doubt it's just a firmware checker.
BitLocker is off and I installed using the official Microsoft image. I even ran taskhostw.exe TpmTasks, but it didn't initiate the same behavior.
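On the question raised in the thread of catching the task before it disappears, one option is to let Windows record it: the following is an added example, not code posted by anyone in the thread, that lines up DNS lookups of the domain with Task Scheduler events logged around the same moment. The parameter names, the 30-second window and the 24-hour lookback are assumptions; run it from an elevated PowerShell prompt, then run it again after the next hourly connection.

```powershell
# Added example: correlate DNS lookups of one domain with Task Scheduler activity.
param(
    [string]$Domain        = 'ftpm.amd.com',  # domain named in the question
    [int]   $WindowSeconds = 30,              # assumed correlation window
    [int]   $LookbackHours = 24               # assumed search depth
)

$dnsLog  = 'Microsoft-Windows-DNS-Client/Operational'
$taskLog = 'Microsoft-Windows-TaskScheduler/Operational'

# Both channels are disabled by default on client Windows, so nothing is
# recorded until they are enabled. Enabling an already-enabled log is harmless.
foreach ($log in $dnsLog, $taskLog) { wevtutil.exe sl $log /e:true }

$since = (Get-Date).AddHours(-$LookbackHours)

# Event 3008 = "DNS query is completed"; the queried name appears in the message.
$dnsHits = Get-WinEvent -FilterHashtable @{
        LogName = $dnsLog; Id = 3008; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($Domain) }

# 106 = task registered, 141 = task deleted, 100 = task started,
# 129 = task process created, 200 = action started.
$taskEvents = Get-WinEvent -FilterHashtable @{
        LogName = $taskLog; Id = 100, 106, 129, 141, 200; StartTime = $since
    } -ErrorAction SilentlyContinue

if (-not $dnsHits) { Write-Host "No lookups of $Domain recorded yet." }

foreach ($hit in $dnsHits) {
    $from = $hit.TimeCreated.AddSeconds(-$WindowSeconds)
    $to   = $hit.TimeCreated.AddSeconds($WindowSeconds)

    # ProcessId here is the process that logged the DNS event.
    $proc = Get-Process -Id $hit.ProcessId -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { 'exited' }
    Write-Host ("{0:u}  DNS lookup of {1} logged by PID {2} ({3})" -f `
        $hit.TimeCreated, $Domain, $hit.ProcessId, $name)

    # Task Scheduler events inside the window, oldest first. A 106 followed
    # by a 141 for the same task name is a task that was created and removed.
    $taskEvents |
        Where-Object { $_.TimeCreated -ge $from -and $_.TimeCreated -le $to } |
        Sort-Object TimeCreated |
        Format-Table TimeCreated, Id, Message -Wrap
}
```

If the task is registered and deleted within the window, its name shows up in the 106 and 141 messages even though it no longer appears in the Task Scheduler UI.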