В современных версиях Windows логи службы обновлений
wuauserv
пишутся не в текстовый файл WindowsUpdate.log, а в бинарные файлы Event Trace Log (ETL) через механизм Event Tracing for Windows (ETW). Также информация об действиях агента обновления и история установки обновлений на компьютере доступна в журнале Event Viewer. В этой статье мы рассмотрим, как просмотреть логи агента обновлений в Windows и получить историю установки обновлений на компьютере.
Содержание:
- Просмотр журнала обновлений Windows в Event Viewer
- Просмотр лога обновлений WindowsUpdate.log в Windows 10 и 11
- История установки обновлений в Windows
Просмотр журнала обновлений Windows в Event Viewer
Служба обновлений Windows пишет довольно подробный лог о всех выполненных действиях в журналы Event Viewer (eventvwr.msc). При анализе логов установки Windows администратору будут полезные следующие журналы событий:
- • Applications and Services Logs -> Microsoft -> Windows –> WindowsUpdateClient -> Operational – логи клиента WindowsUpdate (позволяет понять, когда клиент выполнял поиск обновлений и загрузил с сервера обновления новые файлы);
- • Windows Logs -> Setup — логи установки обновлений Windows из CAB и MSU файлов. Например:
Package KB5034122 was successfully changed to the Installed state.
Вы можете выбрать события из журналов загрузки и установки обновлений с помощью PowerShell командлета Get-WinEvent:
Вывести десять последних ошибок в журнале клиента Windows Update:
$filter = @{ ProviderName="Microsoft-Windows-WindowsUpdateClient"; level=1,2,3}
Get-WinEvent -FilterHashtable $filter | Select-Object -ExpandProperty Message -First 4
Вывести список последних установленных обновлений Windows:
Get-WinEvent -filterHashtable @{ LogName = 'Setup'; Id = 2 }| Format-List Message, TimeCreated, MachineName
Просмотр лога обновлений WindowsUpdate.log в Windows 10 и 11
Начиная с Windows 10, логи агента обновления Windows не пишутся в реальном времени в файл
%windir%\WindowsUpdate.log
. Если открыть этот файл, в нем будет указано, что формат лога был изменен:
Windows Update logs are now generated using ETW (Event Tracing for Windows).Please run the Get-WindowsUpdateLog PowerShell command to convert ETW traces into a readable WindowsUpdate.log. For more information, please visit http://go.microsoft.com/fwlink/?LinkId=518345
Вместо этого логи Windows Update пишутся в ETL-файлы в каталоге
%windir%\Logs\WindowsUpdate
. Чтобы конвертировать ETW трейсы из ETL файлов в привычный текстовый файл с логом WindowsUpdate.log, воспользуйтесь командлетом Get-WindowsUpdateLog:
Get-WindowsUpdateLog -logpath C:\Temp\WindowsUpdate.log
В старых версия ОС (Windows 10 1709- и в Windows Server 2016) для преобразования логов на компьютере должен быть открыт доступ в интернет с серверу символов Microsoft (msdl.microsoft.com).
Если доступ в интернет заблокирован, вы можете скопировать ETL файлы на компьютер с новым билдом Windows 10/11 и сгенерировать лог файл с помощью команды:
Get-WindowsUpdateLog -ETLPath "C:\Temp\WindowsUpdateETL\" -LogPath "C:\Temp\WindowsUpdate.log"
Откройте журнал Windows Update с помощью блокнота:
Notepad C:\Temp\WindowsUpdate.log
Совет. Обратите внимание, что созданный файл WindowsUpdate.log является статическим и не обновляется в реальном времени, как в предыдущих версиях Windows.
Анализировать получившийся файл WindowsUpdate.log довольно сложно, т.к. в нем собираются данные из множества источников:
- AGENT- события агента Windows Update;
- AU – автоматическое обновление;
- AUCLNT- взаимодействие с пользователем;
- HANDLER- управление установщиком обновлений;
- MISC- общая информация;
- PT- синхронизация обновлений с локальным хранилищем;
- REPORT- сбор отчетов;
- SERVICE- запуск/выключение службы wuauserv;
- SETUP- установка новых версий клиента Windows Update;
- DownloadManager – загрузка обновлений в локальных кэш;
- Handler, Setup – заголовки установщиков (CBS и т.п.);
- И т.д.
Вы можете выбрать последние 30 событий от агента обновления Windows (agent) с помощью простого регулярного выражения PowerShell, выполняющего поиск текста в файле:
Select-String -Pattern '\sagent\s' -Path C:\Temp\WindowsUpdate.log | Select-Object -Last 30
По логу WindowsUpdate.log можно понять, получает ли компьютер обновления с Windows Update или локального WSUS сервера, есть ли проблемы с доступном в Интернет, используется ли системный прокси и т.д.
История установки обновлений в Windows
В современных версиях Windows 10/11 и Windows Server 2019/2022 журнал установленных обновлений доступен в панели Settings.
Перейдите в Settings -> Update & Security -> Windows Update -> View update history (или вымолните команду
ms-settings:windowsupdate-history
).
В этом разделе отображается список всех установленных в Windows обновлений. Отсюда же можно удалить обновление, если оно вызывает проблемы.
Также вы можете получить историю установки обновлений в Windows с помощью PowerShell. Можно получить дату установки последних обновлений на компьютере через CIM класс:
Get-CimInstance win32_quickfixengineering |sort installedon -desc
Или с помощью командлета
Get-WUHistory
из модуля PSWindowsUpdate.
При отладке работы клиента Windows Update в Windows Server 2016 одним из ключевых источников получения информации является лог, который ведёт системная служба «Windows Update«. В отличие от предыдущих версий Windows Server, где этот лог имел простой текстовый формат и мог быть прочитан любым текстовым редактором, в Windows Server 2016, как и в Windows 10, прежний текстовый формат лога сменился на бинарный формат Event Trace Log (ETL) механизма Event Tracing for Windows (ETW). Соответственно, для извлечения информации из такого лога требуются дополнительные инструменты типа специализированного командлета PowerShell. А в случае, если диагностируемая серверная система имеет ограниченный доступ в Интернет, то с получением читаемого формата данных ETL у нас могут возникнуть проблемы. Рассмотрим такую проблемную ситуацию и способ её решения.
Итак, при открытии лог-файла C:\Windows\WindowsUpdate.log, который исторически использовался администраторами в предыдущих версиях ОС Windows Server, мы увидим в этом файле сообщение, говорящее о смене формата лога и необходимости использовать PS-командлет Get-WindowsUpdateLog:
Windows Update logs are now generated using ETW (Event Tracing for Windows).
Please run the Get-WindowsUpdateLog PowerShell command to convert ETW traces into a readable WindowsUpdate.log.
For more information, please visit http://go.microsoft.com/fwlink/?LinkId=518345
При вызове командлета Get-WindowsUpdateLog без указания дополнительных параметров из множества лог-файлов с расширением *.etl, хранящихся в каталоге C:\Windows\Logs\WindowsUpdate будет сформирован читаемый текстовый лог-файл WindowsUpdate.log на рабочий стол текущего пользователя, запустившего командлет.
Однако, открыв этот файл, вместо читаемых событий мы можем увидеть нераспознанные записи с разными идентификаторами следующего вида:
...
1601.01.01 03:00:00.0000000 1352 1784 Unknown( 10): GUID=d1317ae8-ec05-3e09-4a50-d3b2ce02f784 (No Format Information found).
1601.01.01 03:00:00.0000000 1352 1784 Unknown( 10): GUID=d1317ae8-ec05-3e09-4a50-d3b2ce02f784 (No Format Information found).
1601.01.01 03:00:00.0000000 1352 1784 Unknown( 63): GUID=e26dfe10-35bf-3106-db9d-9a51a6a0981f (No Format Information found).
1601.01.01 03:00:00.0000000 1352 1784 Unknown( 30): GUID=018fc11d-8257-3169-8741-635574c6ffe0 (No Format Information found).
...
Данная проблема связана с отсутствием доступа к Интернет-сервису, предоставляющему по HTTP-запросу актуальные версии символов отладки (Microsoft Internet Symbol Server), которые используются для интерпретации при обработке ETL-логов.
Такое поведение командлета Get-WindowsUpdateLog имеет место быть на Windows 10 версий до 1709 (OS Build 16299), в том числе и на Windows Server 2016, который относится к версии 1607 (OS Build 14393).
Об этом указано в описании к самому командлету.
В качестве самого простого решения данной проблемы может быть открытие прямого доступа к Интернет-узлу msdl.microsoft.com на пограничном шлюзе или прокси-сервере предприятия. Однако, в некоторых случаях, исходя из требований ИБ, такой доступ открыть не представляется возможным. Как же прочитать логи в таком случае?
В качестве одного из вариантов решения может быть обработка логов на другой машине, имеющей доступ в Интернет. Для этого скопируем *.etl логи на систему Windows 10 или Windows Server 2016, имеющую доступ в Интернет, например во временный каталог C:\Temp\WindowsUpdate\ и выполним обработку копии логов:
Get-WindowsUpdateLog -ETLPath "C:\Temp\WindowsUpdate\" -LogPath "C:\Temp\WU.log"
Либо, без предварительного копирования можем сразу попробовать обработать логи прямо с удалённой машины:
Get-WindowsUpdateLog -ETLPath "\\WS2016srv\C$\Windows\Logs\WindowsUpdate" -LogPath "C:\Temp\WU.log"
Однако, при попытке получить читаемый лог, извлечённый с Windows Server 2016 1607 (14393), например, на более новой системе Windows 10 21H2 (19044) мы можем получить примерно следующий результат:
...
2022.04.05 19:44:14.5857095 1352 2928 Unknown Unknown
2022.04.05 19:44:14.5857173 1352 2928 Unknown Unknown
2022.04.05 19:44:15.5861231 1352 1784 Unknown Unknown
2022.04.05 19:44:15.5861305 1352 1784 Unknown Unknown
2022.04.05 19:44:15.5882899 1352 1784 Unknown Unknown
...
При этом свои логи Windows Update с помощью командлета Get-WindowsUpdateLog на этой же системе с Windows 10 21H2 могут формироваться без каких-либо проблем.
Как я понимаю, связано это с тем, что для формирования читаемого лога с Windows Server 2016 1607 нам потребуется иметь символьный кеш, совместимый именно с этой версией ОС.
В качестве обходного решения этой проблемы можно сделать следующее:
- Сформировать символьный кеш на серверной системе нужной версии, выпустив на время её в Интернет (или только конкретно к узлу msdl.microsoft.com) и выполнив командлет Get-WindowsUpdateLog;
- Скопировать полученный символьный кеш в общедоступный сетевой каталог и использовать его в дальнейшем в качестве локального источника при работе с других серверов, отключенных от Интернет.
Итак, предоставляем на время какому-либо серверу с аналогичной версией ОС (Windows Server 2016 1607) прямой доступ в Интернет и выполняем на этом сервере командлет Get-WindowsUpdateLog. В ходе выполнения команды сервер подключится к интернет узлу msdl.microsoft.com и наполнит символьный кеш в каталоге:
%temp%\WindowsUpdateLog\SymCache.
То есть, с точки зрения текущего пользователя, который выполняет командлет, путь может иметь вид типа C:\Users{Username}\AppData\Local\Temp\WindowsUpdateLog\SymCache
В нашем примере в каталог символьного кеша было загружено около 14 MB контента.
Копируем всё содержимое каталога в отдельную сетевую шару, которую в дальнейшем можно будет использовать в качестве источника символьного кеша для всех серверов с аналогичной версией ОС и не имеющих доступа в Интернет.
После этого на сервере, не имеющем доступа в Интернет, выполняем команду формирования читаемого лога с использованием символьного кеша из сетевой шары:
Get-WindowsUpdateLog -SymbolServer "\\FileSrv\WS2016\WUSymCache"
В результате мы должны получить понятный читаемый лог файл на рабочем столе текущего пользователя.
Получить больше информации о логах, относящихся к работе Windows Update, в том числе и о структуре этих логов, можно из документа «Microsoft Docs : Windows — Deployment — Windows Update log files».
Обратите внимание также на то, что при отладке работы клиента Windows Update в Windows Server 2016 перед погружением в вышеописанный ETL-лог для первичного анализа ситуации могут пригодится журналы Event Viewer, которые можно найти в разделе Applications and Services Logs > Microsoft > Windows > WindowsUpdateClient.
Дополнительные источники информации:
- Microsoft Docs : Offline Symbols for Windows Update — Windows drivers
- TechNet Forums : Windows Update Logs are not generated properly for Windows Server 2016 build 1607
Download Windows Speedup Tool to fix errors and make PC run faster
Windows Update uses Event Tracing for Windows (ETW) to generate diagnostic logs in Windows 11/10, and save them in the .etl file format. The reason why this has been done is that it reduces disk space usage as well as improves performance.
One fallout of this method is that the Windows Update logs are not immediately readable. You need to decode the .etl file, which is the format these logs are saved in.
To read the Windows Update logs in Windows 11/10, Microsoft suggests the following method:
- Download Windows Symbol Package and install them using the method outlined here. Install these symbols to say, C:\symbols.
- Download Tracefmt.exe tool by following the instructions here. Tracefmt (Tracefmt.exe) is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. Tracefmt can display the messages in the Command Prompt window or save them in a text file.
Now open a command prompt with administrative rights and create a temporary folder, named %systemdrive%\WULogs. Now copy Tracefmt.exe to this directory.
Now, Run the following commands one after the other:
cd /d %systemdrive%\WULogs
copy %windir%\Logs\WindowsUpdate\* %systemdrive%\WULogs\
tracefmt.exe -o windowsupate.log <each windows update log delimited by space> -r c:\Symbols
The method does look tedious and Microsoft has promised that they would improve things, in the final version of Windows 10. Full details can be found at KB3036646.
UPDATE: Well things have improved in Windows 11/10 now.
Use PowerShell to read Windows Update logs
The WindowsUpdate.log is still located in C:\Windows, however, when you open the file C:\Windows\WindowsUpdate.log, you will only see the following information:
Windows Update logs are now generated using ETW (Event Tracing for Windows). Please run the Get-WindowsUpdateLog PowerShell command to convert ETW traces into a readable WindowsUpdate.log.
In order to read the WindowsUpdate.log in Windows 10, you will need to use Windows PowerShell cmdlet to re-create the WindowsUpdate.log the way we normally view it.
So open a PowerShell window, type Get-WindowsUpdateLog and hit Enter.
BONUS INFORMATION
Windows Update Log File formatting has been improved
When Microsoft released Windows 10, it substituted the Windows Update log file date log file from a plain text to a binary file format. The Windows Update log file is typically required by Developers and IT professionals to read vital information while debugging applications. The preferred format for the Update log file is text so that it can be opened using the plain text editor, or processed using the text editing tools.
However, with Microsoft replacing with an unreadable binary format, a new PowerShell cmdlet, Get-WindowsUpdateLog, was added to format the binary file and convert to the preferred text format.
This process required users to either connect to the Microsoft Symbol Server to get the latest symbol files or they needed to download the latest Windows symbol files before running the Get-WindowsUpdateLog cmdlet. However, the process would not lead to success if the latest symbols were unavailable at the Microsoft Symbol Server at the time of connection, thus throwing formatting issues in the formatted text files.
This issue has been sorted out now
Connection to Microsoft Symbol Server not required
With the release of Windows 10 v 1709, Microsoft has improved the overall Windows update log file access. Establishing a connection to the Microsoft Symbol Server to get the symbols is no longer required. Though, users will still have to run the Get-WindowsUpdateLog PowerShell cmdlet to translate the Windows Update log from its binary format into readable text files.
Observe the screenshots and you will find that though the computer has no network connection at all (see the icon at the bottom right), the Get-WindowsUpdateLog worked successfully.
What are Symbol files
For curious minds, here is an explanation. When applications, libraries, drivers, or operating systems are linked, the linker that creates the .exe and .dll files also create a number of additional files known as symbol files.
Symbol files are identified with the extension .pdb. They hold a variety of data which are not actually needed when running the binaries, but which could be very useful in the debugging process. symbol files typically contain,
- Global variables
- Local variables
- Function names and the addresses of their entry points
- Frame pointer omission (FPO) records
- Source-line numbers
Read next: Where to look for your Windows Update History.
Anand Khanse is the Admin of TheWindowsClub.com, a 10-year Microsoft MVP (2006-16) & a Windows Insider MVP (2016-2022). Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.
Key Points
How to Read Windows Update Logs in Windows 11 & 10
How to Access Windows Update Logs
- Using Event Viewer
- Right-click Start → Select Event Viewer
- Navigate to:
Applications and Service Logs → Microsoft → Windows → WindowsUpdateClient - Click Operational to view logs
- Using PowerShell (Get-WindowsUpdateLog)
- Open PowerShell (Admin)
- Run: Get-WindowsUpdateLog
- Logs are saved to WindowsUpdate.log on your Desktop
How to Filter Windows Update Logs
- Search for errors only: Get-Content “C:\WindowsUpdate.log” | Select-String “Error”
- Search for a specific update ID (e.g., KB1234567): Get-Content “C:\WindowsUpdate.log” | Select-String “KB1234567”
This comprehensive guide demonstrates how to read Windows Update logs in Windows 11 and Windows 10 and explains how to use them to troubleshoot problems with your Windows PC. It includes step-by-step instructions for accessing Windows logs, information about what logs mean, and tips for interpreting them.
Troubleshooting Windows Update can be tricky, and being able to read and understand the contents of Windows Update logs will assist you in solving issues faster, with less guesswork.
An overview of Windows Update logs and their importance
A log (or log file) is a record of actions taken by a computer program that can later be used to see what it did and when (and sometimes, why). Log files are usually plain text files with one line of text per log entry. This information contained in logs can be later used to troubleshoot issues, confirm that an action was successful, or audit the behavior of programs and users to monitor for unauthorized or malicious activity.
Windows Update generates log files that contain detailed information about the Windows Update process to assist with troubleshooting, including the following data:
- Timestamp: The date and time the log entry was created.
- Process ID: The ID of the process that generated the log entry.
- Thread ID: The ID of the thread that generated the log entry.
- Component: The Windows Update component that generated the log entry.
- Message: A message describing what action was taken.
Here’s what a series of log entries in a Windows Update log file looks like when exported as text:
2024/11/22 10:13:34.567 12345 67890 Shared * START * Checking for updates
2024/11/22 10:13:35.678 12345 67890 Handler Downloading update KB1234567
2024/11/22 10:13:36.789 12345 67890 Handler Successfully downloaded update KB1234567
2024/11/22 10:14:10.123 12345 67890 Handler ERROR: 0x711f123f Failed to install update
Keeping Windows up-to-date is vital to protect against malware and cybersecurity threats. Windows Update also handles keeping your drivers and other Windows features at their latest versions, ensuring you have the latest stability bug fixes and are getting the best possible performance out of your hardware.
If Windows Update stops functioning properly, it is important to resolve the issue as quickly as possible, and its log files will contain detailed information to assist with this.
How to access Windows Update logs in Windows 11 and Windows 10
The steps for viewing Windows Update logs are the same in both Windows 11 and Windows 10.
You will need to be logged in as an Administrator to perform the below actions.
Viewing Windows Update logs using the Event Manager
The Windows Event Viewer provides an interface for viewing logs from Windows and other applications. The Event Viewer can be used to browse and export logs, and includes the ability to search and filter logs by date and type.
- Right-click on the Start button
- Click on Event Viewer
- Navigate to Applications and Service Logs\Microsoft\Windows\WindowsUpdateClient in the navigation tree in the left panel
- Expand the WindowsUpdateClient item and click on Operational to view the Windows Update events in the log.
You can click on an event to view more details about it, and use the Filter Current Log function to narrow down your search.
Exporting Windows Update log files using Get-WindowsUpdateLog (PowerShell)
Note that you’ll need to open an elevated PowerShell prompt to use this command.
The Get-WindowsUpdateLog PowerShell command merges and exports Windows Update logs into a file on your desktop:
- Right-click on the Start button
- Click Terminal (Admin) if you are running Windows 11, or select Windows PowerShell (Admin) if you’re using Windows 10
- In the PowerShell window, enter the command Get-WindowsUpdateLog followed by the Enter key
- Windows Update logs will be exported to the file WindowsUpdate.log on your desktop
The format of this file will match the example log text shown earlier in this article (note that there are no column headings included in the file).
Filtering Get-WindowsUpdateLog output
As the .log file generated by Get-WindowsUpdateLog is just a text file, you can use PowerShell’s built-in utilities to quickly search it. In the below example, Select-String is used to output only the lines that contain the text “Error”.
Get-Content “C:\WindowsUpdate.log” | Select-String “Error”
If you wanted to only get log entries for a certain date, you could replace the text Select-String searches for with the required date. Due to the way dates are formatted, you can filter down to the hour or minute by expanding the text search. PowerShell can be used to automate many system tasks, making it possible to quickly export log files and scan them for potential failed updates or other issues.
How to read and interpret Windows Update logs
The easiest way for most users to understand Windows Update logs is to use the Event Viewer method, as it provides a graphical, user-friendly way to explore logs, where all the information is labeled and searchable.
The Date, Severity, Event ID, and log Message are the most relevant pieces of information included. If you notice Windows Updates are failing in the Windows Settings App, you can use the Event Viewer to find errors for the date those updates failed and see if the message includes any additional information.
Windows Update log entries will have a severity of either Info, Warning, or Error. You should start by looking for errors that indicate failures, and then if that doesn’t reveal the cause of your problem, continue searching for warnings or informational entries that may indicate something is not completing successfully (or repeatedly being retried without outright failing).
If you know the ID of the update that is failing (which should be visible from any error you see in Windows Update in the Settings App), you should search for that ID (e.g. KB0123456) directly to determine why it is failing. Within the event viewer, you can see the update ID that is related to an event in the event’s Details tab.
Troubleshooting common issues using update logs
If the information you find in the error log is ambiguous and doesn’t plainly tell you what went wrong, you can search for the update ID online for more information.
Searching for the Event ID and the Source of the error listed in the Event Viewer will also help you identify potential issues, and at what stage of the update process they occurred. If you decide to share the contents of your logs online so that others can help you troubleshoot, make sure you limit them to only the relevant log entries, and carefully read through them to make sure no private information is included.
Below are some common Windows Update errors that can be identified using the Event Viewer:
- Network connectivity problems: Checking for and installing updates will fail if the internet connection is not reliable.
- Not enough disk space: Updates will fail to install if there is not enough disk space.
- Missing or corrupted Windows system files: If your Windows operating system has become corrupted, updates may fail. You can attempt to fix this by running sfc /scannow from an elevated PowerShell prompt.
- Software conflict or outdated drivers: Old drivers may conflict with the installation of new drivers. Conflicting software can be uninstalled if an update is trying to replace them but is failing.
- Pending restart: An update may fail if previous updates are waiting for your system to restart to complete their installation.
The specific fix for a failed update will depend on the update, and the reason it failed. Usually, the resolution can be found online. If a driver update has failed, downloading the latest driver directly from the manufacturer may resolve the issue. Windows updates can also be manually downloaded if ongoing connectivity issues are causing Windows Update to fail.
Troubleshooting fleets of Windows devices with centralized logging
Pre-empting system issues by monitoring Windows Update logs, and troubleshooting by using them when something does go wrong, can greatly reduce the amount of time and effort required to keep a fleet of Windows devices healthy.
While PowerShell can be leveraged to automate the process to a degree, it still requires manual scripting and maintenance, as well as additional infrastructure for collecting log files.
NinjaOne provides a complete endpoint management solution that allows you to centrally monitor and maintain tens or thousands of Windows, Apple, and Android devices, including patch management to ensure that every device is up-to-date, and that any update issues are immediately flagged and quickly remediated.
Some Windows 10 users are attempting to view the Windows 10 update log after a failed update/upgrade but have no idea where to look. On Windows 10, the Update logs are now generated using ETW (Event Tracing for Windows) as opposed to Windows 8.1 and Windows 10.
Because Windows 10 uses event tracing for the generated update logs, you will need to do go through some workarounds in order to be able to view the Windows Update logs.
Since there are a couple of ways to go around making this happen, we have listed every potential method of finding & viewing the Update Logs on Windows 10 below:
- Converting Event Tracing events to a WindowsUpdate log.
- Viewing the full Windows Update log using the Event Viewer utility.
Feel free the method that you feel most comfortable with:
Method 1: Converting the ETW traces in Powershell
If you want an easy way to store and view the Windows Update log files in an easy-to-read format, the best way to do it is to run a Powershell command in an elevated command prompt that successfully converts all ETW (Event Tracing for Windows) into a readable WindowsUpdate.log.
This should be your preferred approach if you need to get a broad overview of all your Windows Update logs instead of looking for specific logs.
If this scenario is applicable, follow the instructions below to open up an elevated Powershell menu and run a command that successfully converts any ETW traces into a readable WindowsUpdate.log:
- Press Windows key + R to open up a Run dialog box. Next, type ‘powershell’ inside the text box and press Ctrl + Shift + Enter to open up an elevated Powershell window. When you’re prompted by the UAC (User Account Control), click Yes to grant admin access.
Accessing the PowerShell window - Once you’re inside the elevated PowerShell window, type the following command and press Enter to essentially convert every event tracing event related to your Windows update log into WindowsUpdate.log file:
Get-WindowsUpdateLog
- After you run the command, wait patiently as the operation might take a couple of dozen seconds.
- Once the operation is complete, navigate to your desktop and look for the WindowsUpdateLog file that was just created.
Converting ETW’s to a Windows Update Log Note: You can either open this new file with the classic Notepad app or you can use a superior text viewer like Notepad++.
Important: Keep in mind that this is only a static log file that will NOT update itself even if new errors are logged. If you want the updated list, you need to run the command above again.
If this didn’t work for you or you’re looking for a different method of viewing the error log of Windows Update, move down to the next potential fix below.
Method 2: Read the Windows Update logs via Event Viewer
If you’re looking to investigate specific Windows Update error logs, the better approach is to use the Event Viewer utility to view every Operational entry under WindowsUpdateClient.
This method is not recommended if you’re looking to take your logs outside Event Viewer since there’s no bulk export feature, but it’s perfect for investigating and pinpointing specific events.
If you’re comfortable with reading the Windows Update logs via Event Viewer, follow the instructions below:
- Press Windows key + R to open up a Run dialog box. Next, type ‘eventvwr.msc’ inside the text box and press Enter to open up the Event Viewer utility. If you’re prompted by the UAC (User Account Control), click Yes to grant admin access.
Accessing the Event Viewer Utility via a Run box - Once you’re inside the Event Viewer utility, use the menu on the left to navigate to the following location:
Applications and Service Logs\Microsoft\Windows\WindowsUpdateClient
- After you arrive at the correct location, select the Operational tab, then move down to the center pane to view a list of every Windows Update error log.
Kevin Arrows
Kevin Arrows is a highly experienced and knowledgeable technology specialist with over a decade of industry experience. He holds a Microsoft Certified Technology Specialist (MCTS) certification and has a deep passion for staying up-to-date on the latest tech developments. Kevin has written extensively on a wide range of tech-related topics, showcasing his expertise and knowledge in areas such as software development, cybersecurity, and cloud computing. His contributions to the tech field have been widely recognized and respected by his peers, and he is highly regarded for his ability to explain complex technical concepts in a clear and concise manner.