Windows 11 Events is it virus?

Hi all,

I noticed in EventViewer / System I was getting around 15 of events like these with different http://

EVENT ID 112 Attempted to reserve URL https://+:5986/wsman/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
EVENT ID 112 Attempted to reserve URL http://+:47001/wsman/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
EVENT ID 112 Attempted to reserve URL https://*:5358/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

They appear straight away after startup on a PC restart (not shutdown).

They look kinda dodgy to me, as if it's trying to connect to something? I needed to do a reinstall of Windows so I did it. This is also happening on a clean install of Windows 11.

Can you please have a look in Event Viewer - System section and see if you can see these kind of events?

Anyone have any idea what they are and if they are a virus or something I should be concerned about?

Kind regards
SpLuFF
 
Event 112 is task scheduler. I suggest you hop into your task scheduler and see what's there. Post a screenshot of what you see.


Did you check your event log and see if you have any 112 events? (I just noticed I have some 113 and 114 now.)

There you go.

vuKWmC.jpg
 
Click on task schedule library and give me a new screenshot (delete or edit the one above as it shows nothing of importance) of that window with title bars expanded enough to see what stuff is.

Task ID 113 is General Task Registration.
Task ID 114 is Task Properties
 
Can't tell much from the picture, but wsman is the Windows web-based remote management system (WinRM) and by the looks of it it's basically listening for connections on the ports listed (5986 is the default WinRM port but the others are not).

Like GTS said, it's being triggered by task scheduler. The Windows GUI makes finding things harder than it needs to be, so I'd suggest using TaskSchedulerView from NirSoft, as then you list all the tasks in a single list and search for wsman.
 
Just wondering if you guys have these event IDs? It's a bit strange that they exist on a completely fresh install if it's something bad?
 
I have none of these IDs in my system, Windows 11 Pro.

What is the URL call back? You said you are getting 15 of them, does it show the URL where it's going to?

You didn't happen to get your ISO from somewhere dodgy, did you? Did you make your install from Microsoft USB/CD/DVD etc.?
 
The new install I got from Microsoft and made a USB drive.
The other install was an upgrade from Windows 10 to 11 online (this was showing the same events).

What is the URL call back? You said you are getting 15 of them, does it show the url where it's going too? <--------- not sure what this means
 
Personally I'd just disable the Windows Remote Management service, that is if you're sure you or someone like work don't use it.
 
So let me get this right..

You are saying a fresh install of Windows done this morning, no extra software installed, is creating these event IDs itself?

What's strange is a Google Search of these events brings back nothing, except this thread.
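
Added example, not part of the thread: a read-only PowerShell triage for the event ID 112 entries quoted in the first post, showing which provider logged each one, which ports are actually listening, and the state of the WinRM service. It assumes an elevated session and the message layout shown in that post; the variable names are illustrative.

```powershell
# Added example (read-only). Run in an elevated PowerShell session.
# Message layout taken from the event text quoted in the first post.
$pattern = 'Attempted to reserve URL (?<url>\S+)\. Status (?<status>0x[0-9A-Fa-f]+)\. ' +
           'Process Id (?<procid>0x[0-9A-Fa-f]+)'

$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 112 } -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $m = [regex]::Match([string]$e.Message, $pattern)
    if (-not $m.Success) { continue }   # a different event that shares ID 112
    $url  = $m.Groups['url'].Value
    $port = [regex]::Match($url, ':(\d+)/').Groups[1].Value
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Provider = $e.ProviderName      # the component that wrote the event
        Url      = $url
        Port     = $port
        Status   = $m.Groups['status'].Value
        ProcId   = [Convert]::ToInt32($m.Groups['procid'].Value, 16)
    }
}

# One line per distinct reservation, with the provider that logged it.
$rows | Sort-Object Url -Unique | Format-Table Provider, Url, Port, Status, ProcId -AutoSize

# Which process holds a listening socket on those ports right now.
# A reservation alone does not open a socket, so this may return nothing.
$ports = @($rows | Where-Object Port | ForEach-Object { [int]$_.Port } | Sort-Object -Unique)
if ($ports.Count -gt 0) {
    Get-NetTCPConnection -State Listen -LocalPort $ports -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess,
            @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } }
}

# State of the Windows Remote Management service mentioned in the thread.
Get-Service -Name WinRM | Select-Object Name, Status, StartType

# Current URL reservations whose URL contains "wsman".
netsh http show urlacl | Select-String -Pattern 'wsman' -Context 0, 4
```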
 