Windows 11 Events is it virus?

So let me get this right..

You are saying a fresh install of Windows done this morning, no extra software installed, is creating these event IDs itself?

What's strange is a Google Search of these events brings back nothing, except this thread.

Yeah, a fresh install with no extra software created these events.
 

OK, using Task Scheduler I looked at the tasks that happened when the event IDs were generated at 10:49:14.

 
Hold on... OobeDiscovery, is that not relating to the call back for auto setup in a business environment, with it being the Pro version?

Just had a quick search and found

"When you install Windows 11/10, it takes you through a setup process. Only when you complete all the steps, do you get to use Windows. Microsoft calls them OOBE or Out of Box experience in Windows" so not sure if related to business environment setup or not
 
Maybe clear the event viewer completely, do a reboot and double check. I'm wondering if it is because it happens when you first set up the device. I won't see these in my event log as I've cleared it since doing a clean install a few months ago.
 
Already done this and it always does it when first booting in (only on restart / I guess shutdown doesn't close the PC down fully into sleep mode so it's different).

I guess you have nothing to worry about with Event ID 112.

I checked mine and found I have lots of Event ID 112 entries in the Windows logs.

I counted 1192 Event ID 112 logs in total, to be exact. They started on 21 September 2022, when I upgraded to 22H2, and the latest are from 27 January 2023, like this:

Attempted to reserve URL https://127.0.0.1:41954:127.0.0.1/DYMO/DLS/Printing/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
Attempted to reserve URL https://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

I have the DYMO label printer app and driver installed.

Found logs like this one on 12 November 2022:

Attempted to reserve URL https://+:5986/wsman/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Found logs like this one on 7 November 2022:

Attempted to reserve URL http://+:47001/wsman/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Found logs like these on 3 December 2022:

Attempted to reserve URL https://*:5358/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
Attempted to reserve URL http://+:80/Temporary_Listen_Addresses/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
Attempted to reserve URL https://*:5357/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

There are so many logs that used different URL addresses.
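
As an added example (not part of any post in this thread), the Python sketch below parses Event ID 112 messages in the format quoted above and groups them by how the URL prefix binds: `+` is the HTTP.sys strong wildcard and `*` the weak wildcard. The sixth sample line and the review rule (non-zero status, or a wildcard reservation from a process other than PID 4) are constructed for illustration.

```python
import re
from collections import Counter

# First five lines are Event ID 112 messages copied from the thread;
# the sixth is constructed to show an entry with a user-mode owner.
SAMPLE = r"""
Attempted to reserve URL https://127.0.0.1:41954:127.0.0.1/DYMO/DLS/Printing/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
Attempted to reserve URL https://+:5986/wsman/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
Attempted to reserve URL http://+:47001/wsman/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
Attempted to reserve URL https://*:5358/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
Attempted to reserve URL http://+:80/Temporary_Listen_Addresses/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
Attempted to reserve URL http://+:8080/demo/. Status 0x0. Process Id 0x1A2C Executable path \Device\HarddiskVolume4\Temp\example.exe, User HOMEPC\user
"""

EVENT_112 = re.compile(
    r"Attempted to reserve URL (?P<scheme>https?)://(?P<host>[^:/]+):(?P<port>\d+)"
    r"(?::[^/]*)?(?P<path>/\S*)\. Status (?P<status>0x[0-9A-Fa-f]+)\. "
    r"Process Id (?P<pid>0x[0-9A-Fa-f]+) Executable path (?P<exe>.*?), User (?P<user>.+)$")
BINDING = {"+": "strong wildcard", "*": "weak wildcard",
           "127.0.0.1": "loopback", "localhost": "loopback"}

def parse_112(line):
    """Parse one Event ID 112 message into a dict, or return None."""
    m = EVENT_112.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["pid"], e["status"] = int(e["pid"], 16), int(e["status"], 16)
    e["binding"] = BINDING.get(e["host"], "specific host")
    # PID 4 is the Windows System process, where the HTTP.sys driver runs.
    e["review"] = e["status"] != 0 or (e["pid"] != 4 and e["host"] in ("+", "*"))
    return e

def summarize(text):
    """Return (events, count per binding type, entries worth a second look)."""
    events = [e for e in map(parse_112, text.splitlines()) if e]
    by_binding = Counter(e["binding"] for e in events)
    review = [(e["port"], e["exe"]) for e in events if e["review"]]
    return events, by_binding, review

if __name__ == "__main__":
    events, by_binding, review = summarize(SAMPLE)
    print(dict(by_binding))
    print("review:", review)
```

All five lines taken from the thread come from Process Id 0x4 with Status 0x0, so only the constructed entry is listed for review.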
 
Thank you so much for that - are you running Windows Pro? Seems like a Microsoft thing then, not a virus (unless we both have it).

Do you have any recent ones? If not, any idea when they stopped, or if you did something to make them stop?

Really curious what it's trying to do.

Also wondering why Murphy and GTS don't have them....
 
Yes, I am running Windows 11 Pro.

It's probably best to leave it alone.

I wondered what http://+:80/Temporary_Listen_Addresses/ is for. I googled it and found it is used by Windows Communication Framework, which is part of .NET.

 
Not sure if I missed it, but now I know the source of the events: it's the WinHTTP Web Proxy Auto-Discovery Service causing them.
 
I have that one as well. Yeah, I guess it is best to leave it alone, but I really don't like things when I'm not sure what they're doing. If it's not a virus I feel much better.
 
Interestingly, you can see all these assignments if you go to cmd and type the following command:

netsh http show url

This shows all 15 of them e.g.

Reserved URL : http://+:5985/wsman/
User: NT SERVICE\WinRM
Listen: Yes
Delegate: No
User: NT SERVICE\Wecsvc
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)


Reserved URL : http://+:80/Temporary_Listen_Addresses/
User: \Everyone
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;WD)


Also, when I just installed Hearthstone Deck Tracker I noticed in my event log:

Event Id 111 Create URL group 0xFE00000220000001. Status 0x0. Process Id 0x2F88 Executable path \Device\HarddiskVolume4\Users\spluf\AppData\Local\HearthstoneDeckTracker\app-1.19.12\HearthstoneDeckTracker.exe, User HOMEPC\spluf

Event Id 113 Attempted to add URL (http://localhost:17781/) to URL group (0xFE00000220000001). Status: 0x0. Process Id 0x2F88 Executable path \Device\HarddiskVolume4\Users\spluf\AppData\Local\HearthstoneDeckTracker\app-1.19.12\HearthstoneDeckTracker.exe, User HOMEPC\spluf

Event Id 114 Removed URL (http://localhost:17881/) from URL group (0xFF00000220000001). Process Id 0x1F28 Executable path \Device\HarddiskVolume4\Users\spluf\AppData\Local\HearthstoneDeckTracker\app-1.19.12\HearthstoneDeckTracker.exe, User HOMEPC\spluf

Event Id 117 Delete URL group 0xFF00000220000001. Status 0x0. Process Id 0x1F28 Executable path \Device\HarddiskVolume4\Users\spluf\AppData\Local\HearthstoneDeckTracker\app-1.19.12\HearthstoneDeckTracker.exe, User HOMEPC\spluf


It looks like it's doing some kind of monitoring?
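
As an added example (not code from any poster), this Python sketch parses `netsh http show url` output in the format shown in the post above and lists reservations whose SDDL lets a broad group listen. The sample text is the post's own output; the set of "broad" SDDL aliases and the function names are choices made for this example, and GX / GA are the URL ACL rights that permit listening.

```python
import re

# Output of `netsh http show url`, as posted in the thread above.
NETSH_OUTPUT = r"""
Reserved URL : http://+:5985/wsman/
User: NT SERVICE\WinRM
Listen: Yes
Delegate: No
User: NT SERVICE\Wecsvc
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)

Reserved URL : http://+:80/Temporary_Listen_Addresses/
User: \Everyone
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;WD)
"""

# SDDL aliases for groups that include ordinary local users (example's choice).
BROAD = {"WD": "Everyone", "AU": "Authenticated Users",
         "BU": "Builtin Users", "IU": "Interactive"}
# Allow-ACE: (A;flags;rights;object_guid;inherit_guid;trustee)
ACE = re.compile(r"\(A;[^;]*;([^;]*);[^;]*;[^;]*;([^)]+)\)")

def parse_reservations(text):
    """Return one dict per 'Reserved URL' block: url, users, allow-ACEs."""
    out = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Reserved URL":
            out.append({"url": value, "users": [], "aces": []})
        elif out and key == "User":
            out[-1]["users"].append(value)
        elif out and key == "SDDL":
            out[-1]["aces"] = ACE.findall(value)  # [(rights, trustee), ...]
    return out

def open_listeners(reservations):
    """Reservations on which a broad group holds the listen right."""
    return [(r["url"], BROAD[who]) for r in reservations
            for rights, who in r["aces"]
            if who in BROAD and ("GX" in rights or "GA" in rights)]

if __name__ == "__main__":
    for url, group in open_listeners(parse_reservations(NETSH_OUTPUT)):
        print(f"{url} can be listened on by {group}")
```

On the thread's output it reports only `http://+:80/Temporary_Listen_Addresses/`, which is reserved for Everyone; the `wsman` prefix is limited to two service SIDs (`S-1-5-80-...`).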
 
I found 54 recent Event 112 logs from 27 January 2023.

The first 27 logs were recorded at 9:27:17am:

Attempted to reserve URL http://+:10243/WMPNSSv4/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL https://+:10245/WMPNSSv4/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL http://+:3387/rdp/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL https://+:3392/rdp/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL https://127.0.0.1:41960:127.0.0.1/DYMO/DLS/Printing/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL https://127.0.0.1:41959:127.0.0.1/DYMO/DLS/Printing/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL https://127.0.0.1:41958:127.0.0.1/DYMO/DLS/Printing/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL https://127.0.0.1:41957:127.0.0.1/DYMO/DLS/Printing/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL https://127.0.0.1:41956:127.0.0.1/DYMO/DLS/Printing/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL https://127.0.0.1:41955:127.0.0.1/DYMO/DLS/Printing/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL https://127.0.0.1:41954:127.0.0.1/DYMO/DLS/Printing/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL https://127.0.0.1:41953:127.0.0.1/DYMO/DLS/Printing/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL https://127.0.0.1:41952:127.0.0.1/DYMO/DLS/Printing/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL https://127.0.0.1:41951:127.0.0.1/DYMO/DLS/Printing/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL http://+:10246/MDEServer/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL http://+:80/116B50EB-ECE2-41ac-8429-9F9E963361B7/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL https://+:443/C574AC30-5794-4AEE-B1BB-6651C5315029/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL http://+:80/0131501b-d67f-491b-9a40-c4bf27bcb4d4/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL http://*:2869/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL http://+:10247/apps/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL https://+:5985/wsman/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL http://+:47001/wsman/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL https://+:5986/wsman/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL https://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL https://*:5358/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL http://+:80/Temporary_Listen_Addresses/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Attempted to reserve URL https://*:5357/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

The last 27 logs, recorded at 10:36:37am, repeated the same thing.

What are they for and can they be stopped?
Microsoft explain it far better than I ever could.

Whether it can be stopped really depends on your particular configuration, like whether how you're connecting to the internet needs a proxy and/or uses a Proxy Auto-Configuration file to configure clients. Personally I disable it, but it's a decision only you can make in the end. Plus you'll probably find you won't be able to disable it in the usual manner (via Services and changing the startup type from the drop-down) as it will moan about permissions. You can disable it via the registry, but if you don't know how to undo that change or forget about it, it could obviously cause problems in the future.
 
Just checked and it won't allow me to change it - it's a fresh install and I haven't used any proxy etc - just a network connection via cable into the router.........
 
Yup, like I said, the only way to change it is directly via the registry. If you really want to change it then obviously all the usual warnings WRT editing the registry apply: it's entirely on you if something stops working, etc, etc.

If you want to change it directly you'd find it listed under HKLM\SYSTEM\CurrentControlSet\Services, with each key under that representing the service name, so for WinHTTP Web Proxy Auto-Discovery Service it would be WinHttpAutoProxySvc. Then you'd change the DWORD called Start from 2 to 4 (0 = Boot; 1 = System; 2 = Automatic; 3 = Manual; 4 = Disabled) and reboot.
 