Windows 11 Events - could it be a virus?

Hi all,

I noticed in EventViewer / System I was getting around 15 of events like these with different http://

EVENT ID 112 Attempted to reserve URL https://+:5986/wsman/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
EVENT ID 112 Attempted to reserve URL http://+:47001/wsman/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
EVENT ID 112 Attempted to reserve URL https://*:5358/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

They appear straight away after startup on a PC restart (not shutdown).

They look kinda dodgy to me as if its trying to connect to something? I needed to do a reinstall of Windows so I did it. This is also happening on a clean install of Windows 11.

Can you please have a look in Event Viewer - System section and see if you can see these kind of events?

Anyone have any idea what they are and if they are a virus or something i should be concerned about?

Kind regards
SpLuFF

This appears to be a command attempting to create a remote management link to a server.
Open a PowerShell console as admin and enter 'dir WSMan:\localhost\Service' without the quote marks, this will tell you the WSMAN settings and point to the folder in use on the local computer (your machine).
There may well be a valid reason for this setting to be active so don't just disable it or attempt to delete the folder without checking first.

I have the WsMan service(Windows Remote Management) but it is set to manual and the service is stopped. I see nothing in event viewer regarding it.

When i run that command it says WinRM service is not started currently. Running this command will start the WinRM service....

I clicked NO

Ok, so the service is not running and you don't need to worry about the connection being made. If you want to dig further you can try to find out what is trying to reserve that URL, it could be an app or srvice that is perfectly valid, like Corsair iCue or a printer driver, looking to connect to the upgrade center or similar.
A combination of Autoruns, Process Explorer and Process Monitor (parts of the Sysinternals suite, available for free through the MS Store) with appropiate filters set should pinpoint the culprit, then you can either keep things as they are or remove it if not needed.
If it just generates an entry in the event log and is non malicious I would just leave it as is.

it was on my old computer which was updated from windows 10

and then i formatted and it was happening on brand new clean install from Microsoft usb install

I have the same,