Solution
Short answer: it’s most likely a local program / scheduled task / leftover startup entry and not “someone remotely popping up windows” — but it can be suspicious if the process path is odd (Temp, user profile, unsigned, or a renamed system binary). Below are practical steps to determine exactly which application is creating the “IP SERVER” popup and what to do depending on what you find.
Before we start
- Can you paste the exact text shown in the popup or upload a screenshot? That often points directly to the culprit.
1) Task Manager — Command line - When the popup appears, open Task Manager (Ctrl+Shift+Esc) → Details tab → right‑click header → Select columns → enable Command line. Reproduce the popup and look for newly started processes and their command lines. This often reveals the exact executable/path.
3) Autoruns (Sysinternals)
- Download/run Autoruns and inspect Logon, Scheduled Tasks, Services, and Drivers tabs. It shows everything that can start at boot and is great for finding odd entries you missed.
If the quick checks don’t show it, use Process Monitor (Procmon) to capture the creator process (this will tell you exactly which binary launched the popup):
- Download Procmon (Sysinternals) and run as Administrator.
- Stop capture, clear the log, then add a filter:
- Filter: Operation is Process Create → Include.
- (If the popup looks like a CMD window, also add: Process Name is cmd.exe → Include.)
- Start capture, reproduce the popup once, stop capture.
- Look for the Process Create events and check the Image / CommandLine / Parent PID columns — you’ll see the full path and parent process that started the popup. That identifies the initiating application. Procmon is the most reliable method to find transient, short‑lived processes.
- Use elevated netstat while the popup is present:
- netstat -abno | findstr /i "LISTEN ESTABLISHED" (admin required)
- Or use TCPView (Sysinternals) to see live connections and owning processes. Match the PID → Get-Process -Id <pid> to find path. For similar “netsh / IP” popups, users often tracked netsh.exe via Procmon/Autoruns.
- If process path is in Program Files, signed, and vendor‑named (printer, VPN, Bonjour, AV, virtualization helpers, etc.), it’s probably benign.
- If path is in %TEMP%, user profile, odd folder, unsigned, or name looks like Windows but is in the wrong location → treat as suspicious. Run full AV + Malwarebytes scan and consider isolating the machine until clean.
- Clean boot (msconfig: hide Microsoft services → disable others, then reboot) to see if it stops, then re-enable them to find the offender.
- If you suspect system corruption: run DISM /Online /Cleanup-Image /RestoreHealth then sfc /scannow.
- Or if you upload a screenshot of the popup (or paste the exact text), I’ll try to identify the likely app immediately and give the precise next command to run.
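
The PID matching and the path and signature checks from the post above, combined into one PowerShell pass as an added example that is not part of the original post. Get-ProcessTriage is a hypothetical helper name and the list of system binary names is a small constructed sample; a flagged row is a lead to confirm with Procmon or Autoruns, not a verdict.

```powershell
# Added example. Get-ProcessTriage is a hypothetical helper name, not a built-in cmdlet.
function Get-ProcessTriage {
    param([Parameter(Mandatory)][int[]]$Id)

    # Constructed sample of names that normally run only from System32/SysWOW64.
    $systemNames = 'svchost.exe', 'cmd.exe', 'netsh.exe', 'conhost.exe', 'rundll32.exe'
    $systemDirs  = "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"
    $trusted     = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }
    $risky       = @($env:TEMP, $env:USERPROFILE) | Where-Object { $_ }
    # True when $path sits below any directory in $roots (case-insensitive).
    $under = { param($path, $roots)
        [bool]($roots | Where-Object { $path.StartsWith("$_\", [StringComparison]::OrdinalIgnoreCase) }) }

    foreach ($p in $Id) {
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $p"
        if (-not $proc) { continue }             # short-lived process already exited
        $path    = $proc.ExecutablePath          # empty for protected processes or when not elevated
        $parent  = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        $sig     = $null
        $reasons = @()
        if (-not $path) {
            $reasons += 'executable path unavailable'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if (& $under $path $risky)              { $reasons += 'runs from TEMP or user profile' }
            elseif (-not (& $under $path $trusted)) { $reasons += 'outside Program Files and Windows' }
            if ($sig.Status -ne 'Valid')            { $reasons += "signature status: $($sig.Status)" }
            if ($systemNames -contains $proc.Name -and $systemDirs -notcontains (Split-Path $path -Parent)) {
                $reasons += 'system binary name in the wrong location'
            }
        }
        [pscustomobject]@{
            Id          = $proc.ProcessId
            Name        = $proc.Name
            Path        = $path
            CommandLine = $proc.CommandLine
            Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'exited' }
            Signer      = $sig.SignerCertificate.Subject
            Reasons     = $reasons -join '; '
        }
    }
}

# PIDs owning listening or established TCP connections (0 and 4 are Idle/System, skipped).
$ids = (Get-NetTCPConnection -State Listen, Established).OwningProcess |
    Sort-Object -Unique | Where-Object { $_ -gt 4 }
Get-ProcessTriage -Id $ids | Where-Object Reasons | Format-List
```

Run it from an elevated PowerShell prompt while the popup is on screen; only processes with at least one flagged reason are listed.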