If the proxy server keeps turning on in Windows 11, something is restoring it. Do not keep switching it off or deleting ProxyEnable; first identify whether the owner is your organization, a VPN or filtering app, a PAC/WPAD setup script, WinHTTP, a local process, policy, a startup item, a scheduled task, a service, or unwanted software. Record the proxy address and port before changing anything. On a work or school PC, ask IT before overriding managed settings. On an unmanaged home PC, follow the sequence below to find and remove only the component that is putting the proxy back.
A proxy is not automatically malicious. Organizations, VPNs, filters, security apps, and developer tools may use one. Investigate an owner you cannot identify, especially when the setting returns with redirects, certificate warnings, disabled security settings, or an unknown program.
Use the symptom to choose the first check
| What keeps returning | Most useful first check |
|---|---|
| Manual proxy with an IP or hostname and port | Record it. Map a loopback address to its local listener; for a remote address, trace the policy or app that supplied it. |
| Use setup script with a PAC URL | Identify the organization, VPN, filter, or policy that supplied the script; inspect management before deleting it. |
| Automatically detect settings | Check whether the network legitimately uses WPAD. Test on a trusted home network only; consult IT on managed networks. |
| Settings looks direct, but an app still cannot connect | Compare the separate WinHTTP proxy with netsh winhttp show advproxy. |
| The switch is locked or says it is managed | Review work/school enrollment, Group Policy, browser policy, and the management owner. |
127.0.0.1:port or localhost:port |
Map the port to its listening PID and executable path before stopping or uninstalling anything. |
| The setting returns after reboot or sign-in | Inspect installed apps, Startup apps, startup folders, scheduled tasks, and automatic services. |
1. Record the Windows proxy settings
Open Settings > Network & internet > Proxy. Windows supports automatic detection, a setup script, and a manual proxy; a VPN connection can also have its own separate proxy configuration.1 Record all of these before changing them:
- whether Automatically detect settings is on;
- whether Use setup script is on and the complete script address;
- whether Use a proxy server is on, including the address, port, and bypass list;
- whether the affected connection is Wi-Fi/Ethernet or a VPN profile, and when the value returns.
You can read the current user’s Internet Settings values without editing them. Open PowerShell as the affected user and run:
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
Select-Object ProxyEnable,ProxyServer,AutoConfigURL
ProxyEnable controls the manual user proxy, ProxyServer holds its address, and AutoConfigURL identifies a setup script. They are evidence, not the writer that may restore them.
2. Compare the separate WinHTTP proxy
Some Windows services and applications use WinHTTP rather than the current user’s Settings proxy. That is why a browser may work while Windows Update, an installer, or another service fails—or the reverse. Open Terminal as administrator and run:
netsh winhttp show advproxy
netsh winhttp show proxy
Current Windows versions document show advproxy; show proxy exposes the older basic view. Microsoft documents the available show, set, import, and reset operations.2
Do not reset WinHTTP yet. Compare its proxy, bypass list, auto-detection, and configuration URL with Settings. A management agent, security product, installer, or service may legitimately configure WinHTTP. Record the result before changing it.
3. Identify PAC, setup script, and WPAD ownership
A PAC file is a proxy auto-configuration script that decides which destinations use a proxy and which connect directly. WPAD is the discovery mechanism that can let Windows locate an automatic proxy configuration supplied by a network. Microsoft documents WinHTTP AutoProxy support and its use of WPAD.3
A setup script may belong to an employer, school, VPN, parental-control tool, or filter. Treat an unfamiliar domain, raw IP address, URL shortener, user-writable local file, or unknown app as unexplained.
- Managed PC: ask IT which profile or agent owns the script or WPAD configuration.
- Known VPN/filter: exit it normally, compare the proxy, then reopen it and compare again.
- No expected proxy: test on a trusted home network. If behavior changes by network, investigate the network before assuming Windows malware.
- Unknown PAC URL: record it, do not enter credentials into pages it causes, and continue to policy, process, and persistence checks.
4. Check whether policy is enforcing the setting
If Settings says “Some of these settings are managed by your organization,” first open Settings > Accounts > Access work or school. A real employer or school connection, device-management profile, or security suite may explain the restriction. A personal PC can also show management wording after an unwanted browser policy or leftover management enrollment.
Create a read-only Group Policy report:
gpresult /h "%USERPROFILE%\Desktop\proxy-policy.html"
Open the report and look for network, Internet Settings, browser, or management policies and their source. You can also inspect likely policy paths without deleting them:
reg query "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /s
reg query "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /s
A missing key is normal; a present key is not automatically malicious. Do not start with reg delete. Remove or repair the app, account, extension, or management profile that owns the policy. For unexpected Chrome or Edge management, use the managed-browser policy cleanup guide.
5. Map a local proxy port to its process
If the proxy address is 127.0.0.1:8080, 127.0.0.1:8888, localhost:port, or another loopback value, traffic is being sent to software on this PC. The loopback address itself is normal; the owner of the listening port is what matters. See the 127.0.0.1 and local-port guide for the address-level explanation.
Replace 8080 with the proxy port shown in Settings:
Get-NetTCPConnection -State Listen -LocalPort 8080 |
Select-Object LocalAddress,LocalPort,OwningProcess
Then replace 1234 with the returned PID:
Get-CimInstance Win32_Process -Filter "ProcessId = 1234" |
Select-Object ProcessId,Name,ExecutablePath,CommandLine
A signed executable under a known VPN, filter, security, or developer-tool folder may be expected. An unsigned program under %LOCALAPPDATA%\Temp, a random %APPDATA% folder, or Downloads deserves investigation. Record its path and parent product before ending it; killing a legitimate filter may cut off access without removing its restart mechanism.
If no process listens, the configurator may run only at sign-in or on a schedule. Restart once and repeat the check when the setting returns.
6. Find what restores the proxy at sign-in or reboot
- Installed apps: sort by install date and check recent VPNs, filters, download managers, “security” utilities, browser helpers, and bundles. Use the supported uninstall option.
- Startup apps: open Task Manager > Startup apps. Verify each publisher and file path. The suspicious startup-app checklist helps prevent deleting normal Windows and driver entries.
- Startup folders: inspect
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartupandC:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUpfor shortcuts or scripts you can tie to the proxy owner. - Task Scheduler: open
taskschd.mscand review logon, startup, and repeating tasks. Record the task and Actions path before disabling it. - Services: open
services.mscand inspect automatic services belonging to the identified executable or recently installed app. Do not delete services by name; use the owning application’s repair or uninstall path. - Browser components: review extensions and browser policies when the proxy returns only after one browser launches. Remove an extension through the browser, then check whether its policy or companion Windows app remains.
7. When a recurring proxy needs a malware scan
Scan the system when no trusted app or administrator owns the proxy, the listener runs from a user-writable temporary path, the setting returns after a supported uninstall, or the incident includes redirects, injected ads, fake updates, unknown certificates, DNS changes, disabled security tools, new Defender exclusions, repeated detections, or unexplained network traffic.
Switching off the proxy treats the symptom. An unwanted app can retain a task, service, startup entry, browser policy, exclusion, or bundled component that restores it. Run a full Gridinsoft Anti-Malware scan to check those locations. If other security settings changed, follow the Windows security audit after malware. If the PC relayed other traffic, see the proxyjacking guide.
If redirects, notifications, extensions, homepage changes, or managed policies return after browser cleanup, the source is often outside the browser: an installed app, policy, scheduled task, or startup entry.
Scan for the proxy-changing app8. Reset the proxy only after removing its owner
On an unmanaged personal PC that should connect directly, uninstall or disable the confirmed unauthorized owner first. Then turn off the unknown setup script and manual proxy in Settings > Network & internet > Proxy. Leave a legitimate organization or VPN configuration alone.
If the recorded WinHTTP configuration is also unauthorized, open Terminal as administrator and reset it to direct access:
netsh winhttp reset proxy
Restart Windows, sign in, wait long enough for normal startup tasks to run, and recheck Settings, netsh winhttp show advproxy, and the local listening port. Test multiple trusted sites and Windows Update. If the proxy returns, use the timing to narrow the writer: immediate return suggests policy or a running service; return at sign-in suggests Startup or a logon task; return after launching one app suggests that app or its helper.
What not to do
- Do not delete
ProxyEnable,ProxyServer, or policy keys repeatedly without identifying the writer. - Do not run a broad Winsock or network reset as the first proxy fix.
- Do not disable automatic detection on a managed corporate network without approval.
- Do not terminate an unknown local listener before recording its PID, path, command line, and owning app.
- Do not delete scheduled tasks or services solely because their names look unfamiliar.
- Do not assume
127.0.0.1is a remote attacker; it points back to the local PC.
FAQ
Why does the Windows proxy turn back on after reboot?
A startup app, automatic service, logon task, management policy, VPN/filter, or unwanted program is probably writing the setting again. Record when it returns, then inspect the matching persistence layer instead of changing the switch repeatedly.
Is a 127.0.0.1 proxy a virus?
No. 127.0.0.1 is the local loopback address. VPNs, filters, antivirus tools, and developer software can use a local proxy legitimately. It becomes suspicious when you did not install the owner, the process path is unexpected, or the proxy returns with other compromise symptoms.
Should “Automatically detect settings” be on?
It can be legitimate on networks that use WPAD. On a work or school device, ask IT. On a personal PC, compare behavior on a trusted home network and identify the network or app supplying the configuration before making the change permanent.
Can a VPN or antivirus keep enabling the proxy?
Yes. Some VPN, web-filtering, parental-control, privacy, and security applications use a proxy or local listener. Exit the app normally, compare the settings, and consult its documentation. Uninstall it through Windows if you no longer want that behavior.
What if Windows says the proxy is managed by my organization?
Check Access work or school, Group Policy results, browser policies, and installed management/security software. Do not delete policy keys on a real managed device. On a personal PC with no legitimate manager, remove the app, account, or unwanted policy owner first.
References
- Microsoft Support. “Use a proxy server in Windows.” Microsoft, accessed July 17, 2026. https://support.microsoft.com/en-US/Windows/Experience/Connectivity-Networking/use-a-proxy-server-in-windows
- Microsoft Learn. “netsh winhttp.” Microsoft, updated August 20, 2025, accessed July 17, 2026. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/netsh-winhttp
- Microsoft Learn. “WinHTTP AutoProxy Support.” Microsoft, accessed July 17, 2026. https://learn.microsoft.com/en-us/windows/win32/winhttp/winhttp-autoproxy-support

