Windows 11 Events is it virus?

Hi all,

I noticed in Event Viewer / System I was getting around 15 events like these, each with a different http:// URL:

EVENT ID 112 Attempted to reserve URL https://+:5986/wsman/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
EVENT ID 112 Attempted to reserve URL http://+:47001/wsman/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
EVENT ID 112 Attempted to reserve URL https://*:5358/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

They appear straight away after startup on a PC restart (not shutdown).

They look kind of dodgy to me, as if it's trying to connect to something. I needed to do a reinstall of Windows, so I did it. This is also happening on a clean install of Windows 11.

Can you please have a look in Event Viewer, System section, and see if you can see these kinds of events?

Anyone have any idea what they are, and if they are a virus or something I should be concerned about?

Kind regards
SpLuFF
 
Event 112 is task scheduler. I suggest you hop into your task scheduler and see what's there. Post a screenshot of what you see.


Did you check your event log and see if you have any 112 events? (I just noticed I have some 113 and 114 now.)

There you go.

 
Just wondering if you guys have these event IDs? It's a bit strange that they exist on a completely fresh install if it's something bad.
 
I have none of these IDs in my system, Windows 11 Pro.

What is the URL callback? You said you are getting 15 of them; does it show the URL where it's going to?

You didn't happen to get your ISO from somewhere dodgy, did you? Did you make your install from Microsoft USB/CD/DVD etc.?

The new install I got from Microsoft and made a USB drive.
The other install was an upgrade from Windows 10 to 11 online (this was showing the same events).

What is the URL callback? You said you are getting 15 of them; does it show the URL where it's going to? <--------- not sure what this means
 
So let me get this right..

You are saying a fresh install of Windows done this morning, with no extra software installed, is creating these event IDs itself?

What's strange is a Google Search of these events brings back nothing, except this thread.

Yeah, a fresh install with no extra software created these events.
 
OK, using Task Scheduler I looked at the tasks that ran when the event IDs were generated at 10:49:14.

 
Hold on... OobeDiscovery, is that not related to the callback for auto setup in a business environment, with it being the Pro version?

Just had a quick search and found

"When you install Windows 11/10, it takes you through a setup process. Only when you complete all the steps do you get to use Windows. Microsoft calls them OOBE or Out of Box Experience in Windows." So not sure if it's related to business environment setup or not.
 
Maybe clear the event viewer completely, do a reboot and double check. I'm wondering if it's because it happens when you first set up the device. I won't see these in my event log as I've cleared it since doing a clean install a few months ago.

Already done this, and it always does it when first booting (only on restart; I guess shutdown doesn't close the PC down fully but goes into a sleep mode, so it's different).

 
I guess you have nothing to worry about with Event ID 112.

I checked mine and found I've got lots of Event ID 112 in the Windows logs:



I counted 1192 Event ID 112 logs in total, to be exact; it started on 21 September 2022 when I upgraded to 22H2, and the latest is on 27 January 2023, like this:

Attempted to reserve URL https://127.0.0.1:41954:127.0.0.1/DYMO/DLS/Printing/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
Attempted to reserve URL https://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

I've got the DYMO label printer app and driver installed.

Found logs like this one on 12 November 2022:

Attempted to reserve URL https://+:5986/wsman/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Found logs like this one on 7 November 2022:

Attempted to reserve URL http://+:47001/wsman/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Found logs like these on 3 December 2022:

Attempted to reserve URL https://*:5358/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
Attempted to reserve URL http://+:80/Temporary_Listen_Addresses/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
Attempted to reserve URL https://*:5357/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

There are so many logs that used different URL addresses.

Thank you so much for that. Are you running Windows Pro? Seems like a Microsoft thing then, not a virus (unless we both have it).

Do you have any recent ones? If not, any idea when they stopped, or if you did something to make them stop?

Really curious what it's trying to do.

Also wondering why Murphy and GTS don't have them...
 
Yes, I am running Windows 11 Pro.

It's probably best to leave it alone.

I wondered what http://+:80/Temporary_Listen_Addresses/ is for; I googled and found it is used by Windows Communication Framework, which is part of .NET.


I have that one as well. Yeah, I guess it is best to leave alone, but I really don't like things that I'm not sure what they're doing. If it's not a virus I feel much better.
 
Interestingly, you can see all these reservations if you go to cmd and type the following command:

netsh http show url

This shows all 15 of them, e.g.:

Reserved URL : http://+:5985/wsman/
User: NT SERVICE\WinRM
Listen: Yes
Delegate: No
User: NT SERVICE\Wecsvc
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)


Reserved URL : http://+:80/Temporary_Listen_Addresses/
User: \Everyone
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;WD)


Also, when I just installed Hearthstone Deck Tracker, I noticed in my event log:

Event Id 111 Create URL group 0xFE00000220000001. Status 0x0. Process Id 0x2F88 Executable path \Device\HarddiskVolume4\Users\spluf\AppData\Local\HearthstoneDeckTracker\app-1.19.12\HearthstoneDeckTracker.exe, User HOMEPC\spluf

Event Id 113 Attempted to add URL (http://localhost:17781/) to URL group (0xFE00000220000001). Status: 0x0. Process Id 0x2F88 Executable path \Device\HarddiskVolume4\Users\spluf\AppData\Local\HearthstoneDeckTracker\app-1.19.12\HearthstoneDeckTracker.exe, User HOMEPC\spluf

Event Id 114 Removed URL (http://localhost:17881/) from URL group (0xFF00000220000001). Process Id 0x1F28 Executable path \Device\HarddiskVolume4\Users\spluf\AppData\Local\HearthstoneDeckTracker\app-1.19.12\HearthstoneDeckTracker.exe, User HOMEPC\spluf

Event Id 117 Delete URL group 0xFF00000220000001. Status 0x0. Process Id 0x1F28 Executable path \Device\HarddiskVolume4\Users\spluf\AppData\Local\HearthstoneDeckTracker\app-1.19.12\HearthstoneDeckTracker.exe, User HOMEPC\spluf


It looks like it's doing some kind of monitoring?
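A PowerShell triage script, added here and not taken from the thread, that pulls the 112/113 events discussed above out of the System log, parses the URL, process ID, executable path and user from the message text, and matches each reserved URL against the `netsh http show url` output so the owning account is shown beside each event. It assumes an elevated PowerShell 5.1+ session on Windows and that the messages follow the exact layout quoted in this thread; the function names are my own.

```powershell
# Added triage helper (not from the thread): correlate HttpEvent 112/113 entries in the System log
# with the persisted http.sys reservations listed by netsh. Elevated PowerShell 5.1+ on Windows.
function Get-HttpUrlEvents {
    param([int]$MaxEvents = 500)
    $patterns = @(   # field layout follows the messages quoted in the thread
        '^Attempted to reserve URL (?<url>\S+)\. Status (?<status>0x[0-9A-Fa-f]+)\. Process Id (?<pid>0x[0-9A-Fa-f]+) Executable path (?<exe>.*?), User (?<user>.+)$',
        '^Attempted to add URL \((?<url>[^)]+)\) to URL group \([^)]+\)\. Status: (?<status>0x[0-9A-Fa-f]+)\. Process Id (?<pid>0x[0-9A-Fa-f]+) Executable path (?<exe>.*?), User (?<user>.+)$'
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 112, 113 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $msg = ($_.Message -split "`r?`n")[0].Trim()   # first line carries the fields
            foreach ($p in $patterns) {
                if ($msg -match $p) {
                    [pscustomobject]@{
                        Time = $_.TimeCreated; Id = $_.Id; Url = $Matches.url
                        Pid  = [int]$Matches.pid; Exe = $Matches.exe; User = $Matches.user
                    }
                    break
                }
            }
        }
}

function Get-HttpReservations {
    # Parse each "Reserved URL : ..." block and the "User:" lines beneath it into url -> owners.
    $reservations = @{}; $current = $null
    foreach ($line in (netsh http show url)) {
        $t = $line.Trim()
        if ($t -match '^Reserved URL\s*:\s*(?<url>\S+)$') { $current = $Matches.url; $reservations[$current] = @() }
        elseif ($current -and $t -match '^User:\s*(?<user>.+)$') { $reservations[$current] += $Matches.user.Trim() }
    }
    $reservations
}

function Show-HttpUrlTriage {
    $reserved = Get-HttpReservations
    Get-HttpUrlEvents | ForEach-Object {
        $owners = if ($_.Id -eq 113) { 'n/a (runtime URL group, not a persisted reservation)' }
                  elseif ($reserved.ContainsKey($_.Url)) { $reserved[$_.Url] -join '; ' }
                  else { '(no current reservation)' }
        # PID 4 with an empty path is the System process: a service registered the URL through http.sys.
        $note = if ($_.Pid -eq 4 -and -not $_.Exe) { 'service registration via http.sys; identify the owner from Owners' }
                elseif ($_.Exe -match '\\Users\\') { 'user-profile executable: confirm you installed it and check its publisher' }
                else { 'executable outside user profiles' }
        [pscustomobject]@{ Time = $_.Time; Id = $_.Id; Url = $_.Url; Pid = $_.Pid; Exe = $_.Exe; Owners = $owners; Note = $note }
    } | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
}

Show-HttpUrlTriage
```

For the entries in this thread, the wsman and 5357/5358 reservations resolve to service accounts such as NT SERVICE\WinRM, while the Hearthstone Deck Tracker lines resolve to the user-profile executable that created them, which is the distinction to check when deciding whether an entry is expected.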
 
Microsoft explain it far better than I ever could.

Whether it can be stopped really depends on your particular configuration, like if how you're connecting to the internet needs a proxy and/or uses a Proxy Auto-Configuration file to configure clients. Personally I disable it, but it's a decision only you can make in the end. Plus you'll probably find you won't be able to disable it in the usual manner (via Services and changing the startup type from the drop-down) as it will moan about permissions; you can disable it via the registry, but if you don't know how to undo that change or forget about it, it could obviously cause problems in the future.

Just checked and it won't allow me to change it. It's a fresh install and I haven't used any proxy etc., just a network connection via cable into the router...
 
Yup, like I said, the only way to change it is directly via the registry. If you really want to change it then obviously all the usual warnings WRT editing the registry apply; it's entirely on you if something stops working, etc., etc.

If you want to change it directly you'd find it listed under HKLM\SYSTEM\CurrentControlSet\Services, with each key under that representing the service name, so for WinHTTP Web Proxy Auto-Discovery Service it would be WinHttpAutoProxySvc. Then you'd change the DWORD called Start from 2 to 4 (0 = Boot; 1 = System; 2 = Automatic; 3 = Manual; 4 = Disabled) and reboot.

I think I will leave it. It seems that it's not a malicious virus unless AthlonXP has the same (but I doubt it, as I did a clean install).

Really appreciate all the help from you all.
 