Historically, the WindowsUpdate.log plain textual content file has been used to analyze the operation of the Windows Update agent and service. However, the Windows Update logs in Windows 10 (Windows Server 2016/2019) are saved within the Event Tracing for Windows file format (ETW), as a substitute of the standard textual content file. With such an motion, the Windows builders deliberate to improve the efficiency of the logging subsystem and scale back the area occupied by the textual content recordsdata on the disk.
Thus, Windows Update occasions are not written in actual time to the %windir%WindowsUpdate.log file. Even although the file continues to be current within the root of the Windows folder, it solely says that the ETW format is now used to accumulate WU logs.
Please run the Get-WindowsUpdateLog PowerShell command to convert ETW traces right into a readable WindowsUpdate.log.
For extra info, please go to http://go.microsoft.com/fwlink/?LinkId=518345
The drawback of the brand new logging methodology for directors – now you may’t rapidly analyze the Windows Update Agent service, discover error codes within the WindowsUpdate.log textual content file (see the ), verify the agent settings and analyze the replace set up historical past.
You can convert ETW occasions to the plain textual content WindowsUpdate.log file for a extra handy evaluation of replace service occasions. To do that, use the PowerShell cmdlet – Get-WindowsUpdateLog. This cmdlet permits you to accumulate info from all .etl recordsdata recordsdata (they’re saved in C:WINDOWSLogsWindowsUpdate) and create a single WindowsUpdate.log textual content file.
To generate the WindowsUpdate.log file and reserve it within the C:PSLogs, run the next command within the PowerShell console:
Get-WindowsUpdateLog -logpath C:PSLogsWindowsUpdate.log
Copy-Item : Cannot discover path 'C:Program InformationWindows DefenderSymSrv.dll' as a result of it doesn't exist. At C:Windowssystem32WindowsPowerShellv1.0ModulesWindowsUpdateWindowsUpdateLog.psm1:56 char:5
The file “C:Program InformationWindows DefenderSymSrv.dll” is often lacking if the shouldn’t be put in on the server.
To repair the error, you may set up Windows Defender, copy the SymSrv.dll file from one other Windows Server 2016/Windows 10, or seek for the file SymSrv.dll within the native WinSxS folder (in my case, the listing was referred to as C:WindowsWinSxSamd64_windows-defender-service-cloudclean_…) and copy it to the “C:Program InformationWindows Defender” folder.
In older Windows 10 builds, the primary time you run the Get-WindowsUpdateLog cmdlet, it obtain and set up the Microsoft Internet Symbol Store. Newest variations of Windows 10 entry the Microsoft Character Server in Azure on-line. Then the cmdlet:
- Reads the info from all .etl recordsdata;
- The knowledge are transformed into CSV (by default) or XML format;
- The knowledge from the file in an intermediate format can be transformed and added to the log textual content file specified within the LogPath parameter (if the parameter is LogPath shouldn’t be specified, WindowsUpdate.log is created on the desktop of the consumer working the command)
Tip. Another manner to analyze ETL recordsdata, however considerably extra sophisticated, is utilizing Tracefmt.exe utility to obtain knowledge from .etl.
Open the log file utilizing this PowerShell command:
Invoke-Item -Path C:PSLogsWindowsUpdate.log
In some instances, within the WindowsUpdate.log file you may see such a strings:
Unknown(140): GUID=53212e4cc-4321-f43a-2123-9ada0090bc12b (No Format Information discovered).
This signifies that you don’t have the Windows Symbol server put in (at the moment you can’t obtain a separate Windows symbols installer, as a result of it’s routinely downloaded from the image retailer in Azure). For remoted environments, you should use the offline model of the image server in accordance to the article Offline Symbols for Windows Update.
Tip. Please, word that the created WindowsUpdate.log file is static and shouldn’t be up to date in actual time as in earlier Windows variations. To replace the file, you want to run Get-WindowsUpdateLog cmdlet as soon as once more or create a script that routinely updates the file at some frequency (the file is overwritten).
It is sort of tough to analyze the ensuing WindowsUpdate.log file, as a result of it collects knowledge from many occasion sources:
- AGENT – Windows Update agent occasions;
- AU – computerized replace;
- AUCLNT – consumer interplay;
- HANDLER – replace installer administration;
- MISC – frequent WU information;
- PT – synchronization of updates with native datastore;
- REPORT – experiences assortment;
- SERVICE – wuauserv service begin/cease occasions;
- SETUP – putting in new variations of the Windows Update consumer;
- DownloadManager – downloading updates to native cache utilizing ;
- Handler, Setup – installer headers (CBS , and so forth.);
- and many others.
You can choose the final 30 occasions from the Windows Update Agent (agent) with a easy common expression:
Select-String -Pattern 'sagents' -Path C:PSLogsWindowsUpdate.log | Select-Object -Last 30
You can filter occasions within the WindowsUpdate.log by a number of sources:
Select-String -Pattern 'sagents|smiscs' -Path c:PSLogsWindowsUpdate.log | Select-Object -Last 50
Similarly, you may parse the textual content file for occasions by KB quantity, errors (FAILED, Exit Code, FATAL).
You may generate the WindowsUpdate.log file for the distant pc or server:
Get-WindowsUpdateLog -ETLPath ny-srf-1C$home windowsLogsWindowsUpdate -LogPath C:PSLogswindowsupdate-ny-srf-1.log
You may use Event Viewer logs to analyze the operation of the Windows Update service. Expand the next Event View part: Applications and Services Logs -> Microsoft -> Windows –> WindowsUpdateConsumer -> Operational.
You can use the module to handle updates from PowerShell cli.