Из журнала событий Windows можно получить логи установки, обновления и удаления программ, а также определить конкретного пользователя, который запустил установку или удаление приложения.
Для просмотра журнала установки приложений:
- Откройте консоль журнала событий Event Viewer (
eventvwr.msc
) - Перейдите в раздел Windows Logs -> Application
- Щелкните правой кнопкой по журналу и включите фильтр (Filter current log)
- В качестве источника событий выберите
MsiInstaller
.
События с EventID 11707 содержат информацию об успешной установке программы (
Installation completed successfully
).
EventID 11724 – события успешного удаления пакета (
Removal completed successfully
).
В этом журнале будут фиксироваться только события установки приложений, упакованных в MSI/MSP пакеты (или в EXE файлы, которые фактически запускают установку MSI пакета с помощью
msiexec.exe
). Для установки MSI пакетов используется служба установки Windows Installer (
msiserver
), которая позволяет выполнить корректную установку удаление или откат установки приложения. Некоторые приложения, распространяемые через EXE файлы не используют службу msiserver и соответственно не пишут такие события. - Если вы хотите определить, какой конкретно пользователь удалил или установил программу, перейдите на вкладку Details в свойствах события. Переключитесь в режим XML view. SID пользователя указан в значении атрибута Security UserID. Скопируйте его.
- Чтобы конвертировать SID пользователя в имя учетной записи, выполните команду:
wmic useraccount where sid='S-1-5-21-506968642-4209078585-1781862235-1001' get name
Команда вернет имя пользователя, который инициировал установку или удаление программы.
Если нужно извлечь события установки/удаления программ из журнала событий с помощью PoweShell, воспользуйтесь командлетом Get-WinEvent. Например, вывести журнал успешных установок программ:
Get-WinEvent -FilterHashtable @{LogName="Application";ID=11707;ProviderName='MsiInstaller'} | Select TimeCreated,Message
В Windows есть еще более удобный инструмент, который позволяет в одном окне показать историю установки/удаления/обновления программ, включай приложения Microsoft Store, а также историю установки обновлений Windows. Речь о Мониторе стабильности системы (Reliability Monitor).
Reliability Monitor – это отдельный апплет в классической панели управления Windows, который в графическом виде отображает индекс стабильности системы и подробные сведения о событиях, которые могли повлиять на стабильность ОС (сбои в программах, установка/удаление приложений и прочее).
Чтобы открыть Reliability Monitor, перейдите в панель управления -> Security and Maintenance, нажмите на ссылку View reliability history в разделе Maintenance (или просто выполните команду (
perfmon /rel
).
Здесь в разрезе по дням/неделям можно посмотреть какие обновления, программы и UWP приложения устанавливались или удалялись. Подробную информацию о событии можно получить, нажав на кнопку View technical retails.
Для построения отчетов об установке/удалении приложений из монитора стабильности можно использовать PowerShell. Следующий скрипт выведет в графическую таблицу Out-GridView все события установки, удаления и обновления программ, Windows Updates, APPX/MSIX на компьютере за последние
7
дней.
$DaysAgo = (Get-Date).AddDays(-7)
$RealiabilityFilter= "TimeGenerated > '$DaysAgo' and (SourceName='Microsoft-Windows-WindowsUpdateClient' or SourceName='MsiInstaller')"
Get-CimInstance -ClassName Win32_ReliabilityRecords -filter $RealiabilityFilter|Select TimeGenerated,ProductName,User,message |Out-GridView
С помощью встроенных фильтров Out-GridView можно отфильтровать все связанные события по конкретному приложению, определенному событию или пользователю.
Windows upgrades used to be something you only had to worry about every few years. But in the Windows 10 era, each twice-yearly feature update is essentially a full upgrade.
When an upgrade or feature update fails, Windows Setup typically doesn’t provide any obvious indication of the underlying problem. But it does keep detailed records of every activity as it works, and if you know how to read setup log files, you can often pinpoint the issue.
These log files are typically saved in a compressed folder called Panther. (The exact location of the Panther folder when an upgrade fails depends on what stage Setup was in when the failure occurred.) If Setup fails and rolls back to the previous Windows version, the log files are stored in a folder called $windows.~bt\Sources\Rollback.
Reading raw log files requires expert skills and specialized tools. A much simpler option is to use a new diagnostic utility, SetupDiag.exe, which is designed specifically to read log files and generate a report identifying the most likely problems.
You’ll find full instructions for using SetupDiag at this page, which also includes a download link.
Copy SetupDiag.exe to its own folder and double-click to identify setup problems on the current PC. The program is smart enough to look in locations where log files are commonly saved, so you don’t need to specify any command-line switches for the tool.
If you’re diagnosing a problem on a different PC, copy the folders containing the log files to a local folder. Then run SetupDiag using the /Mode:Offline switch and the /LogsPath:<folder> parameter, replacing <folder> with the name of the location where you copied the log files.
The output for SetupDiag is a plain text file that is saved in the same folder as the program file. You can open the results file in any text editor, including Notepad, to examine its output and figure out what to do next.
PREVIOUS AND RELATED CONTENT
Need more details about the right way to do a clean Windows 10 install? See these previous articles:
FAQ
Windows 10 tip: Create a recovery drive
If your Windows 10 PC is operating perfectly right now, great. Take advantage of the opportunity to create a recovery drive so you have a way to perform repairs if something ever goes wrong.
After Windows 10 upgrade, do these seven things immediately
You’ve just upgraded to the most recent version of Windows 10. Before you get back to work, use this checklist to ensure that your privacy and security settings are correct and that you’ve cut annoyances to a bare minimum.
How to install, reinstall, upgrade and activate Windows 10
Here’s everything you need to know before you repair, reinstall, or upgrade Windows 10, including details about activation and product keys.
Windows 10 tip: Repair your Windows 10 installation
Performing a clean install or a reset means you have to reinstall apps and desktop programs and start over with settings and preferences. If you suspect Windows has become damaged, there’s a less drastic solution: Run Setup to repair Windows. Here’s how.
Editorial standards
Download Windows Speedup Tool to fix errors and make PC run faster
When Microsoft rolls an update for Windows 11/10, the upgrade process creates tons of log files in every step. These log files are useful for analysis if there is any Upgrade problem. While it may not find it easy to analyze, it’s a gold mine for IT admins. In this post, we will discuss the Log files that are created when you upgrade to a new version of Windows. We have also included when or in which phase these log files are created.
Here are some terminologies you would see in the list below:
- Down-Level: It is the first phase of the Upgrade process, and since this phase runs on the source OS, upgrade errors are not typically seen except in the log files. It also ensures that the Windows setup source and the destination drive are accessible.
- OOBE: Out of the box experience.
- Rollback: Its when the setup decides to go back to the initial stage.
- Dumps: Its an extremely useful file where all the debugging information is written when the computer stops unexpectedly because of a Stop error (also known as a “blue screen,” system crash, or bug check) or during a Windows Upgrade process.
Below is the list of log files, their location, why are they created, and when you should use these log files. While they are meant for IT admins, anyone who is interested can do their bit of analysis.
| Log file | Phase: Location | Description | When to use |
| setupact.log | Down-Level: $Windows.~BT\Sources\Panther |
List of set up actions to be taken during the downlevel phase. | It contains all the down-level failures and starting point for rollback investigations. Without it, failures would be stuck forever. |
| OOBE: $Windows.~BT\Sources\Panther\ UnattendGC |
It contains the unattended setup experience and contains details about actions during the OOBE phase. | Investigating rollbacks that failed during OOBE phase and operations . Error Code 0x4001C, 0x4001D, 0x4001E, 0x4001F. | |
| Rollback: $Windows.~BT\Sources\Rollback |
It includes instructions for rollback. | Investigating generic rollbacks – 0xC1900101. | |
| Pre-initialization (prior to downlevel): Windows |
Contains information about initializing the setup. | If the setup fails to launch. | |
| Post-upgrade (after OOBE): Windows\Panther |
Instructions to follow during the installation. | The log helps to investigate post-upgrade related issues. | |
| setuperr.log | Same as setupact.log | Data about setup errors during the installation. | Review all errors encountered during the installation phase. |
| miglog.xml | Post-upgrade (after OOBE): Windows\Panther |
List of items migrated during the installation. | Identify post upgrade data migration issues. |
| BlueBox.log | Down-Level: Windows\Logs\Mosetup |
Information on what will be communicated between the setup.exe and Windows Update. | Use during WSUS and WU down-level failures or for 0xC1900107. |
| Supplemental rollback logs: Setupmem.dmp setupapi.dev.log Event logs (*.evtx) |
$Windows.~BT\Sources\Rollback | Additional logs collected during rollback. | Setupmem.dmp: Created when there is an OS bug. Setupapi: When Windows fails to install on the device – 0x30018 Event logs: Generic rollbacks (0xC1900101) or unexpected reboots. |
List of Log files are created when the upgrade is successful or failure
For every event, a log file is generated. Log files are created even when an upgrade fails and the computer restarts for the second time or when there is a rollback. Here is the list:
Log files created when an upgrade is successful
- C:\Windows\Panther\Setupact.log
- C:\Windows\panther\setuperr.log
- C:\Windows\inf\setupapi.app.log
- C:\Windows\inf\setupapi.dev.log
- C:\Windows\panther\PreGatherPnPList.log
- C:\Windows\panther\PostApplyPnPList.log
- C:\Windows\panther\miglog.xml
Log files created when an upgrade fails during installation before the computer restarts for the second time
- C:\$Windows.~BT\Sources\panther\setupact.log
- C:\$Windows.~BT\Sources\panther\miglog.xml
- C:\Windows\setupapi.log
- [Windows 11:] C:\Windows\Logs\MoSetup\BlueBox.log
Log files created when an upgrade fails during installation after the computer restarts for the second time
- C:\Windows\panther\setupact.log
- C:\Windows\panther\miglog.xml
- C:\Windows\inf\setupapi.app.log
- C:\Windows\inf\setupapi.dev.log
- C:\Windows\panther\PreGatherPnPList.log
- C:\Windows\panther\PostApplyPnPList.log
- C:\Windows\memory.dmp
Log files created when an upgrade fails, and then you restore the desktop
- C:\$Windows.~BT\Sources\panther\setupact.log
- C:\$Windows.~BT\Sources\panther\miglog.xml
- C:\$Windows.~BT\sources\panther\setupapi\setupapi.dev.log
- C:\$Windows.~BT\sources\panther\setupapi\setupapi.app.log
- C:\Windows\memory.dmp
The following log files are created when an upgrade fails, and the installation rollback is initiated:
- C:\$Windows.~BT\Sources\Rollback\setupact.log
- C:\$Windows.~BT\Sources\Rollback\setupact.err
Read more about them on Microsoft here and here.
We hope this post was informative enough to make you aware of the type of log files, memory dumps, and locations of those files that are not easy to find.
Read: Fix Windows Upgrade Failed Errors.
Ashish holds a Bachelor’s in Computer Engineering and is a veteran Windows. He has been a Microsoft MVP (2008-2010) and excels in writing tutorials to improve the day-to-day experience with your devices.
A lot happens in the background when you upgrade Windows 10 to a new version. All of it is automated and of little interest to the user or admin unless something goes wrong.
If the worst case scenario happens, you end up with an unusable version of Windows 10 or the previous version of Windows if the rollback was successful.
Error codes may point you in the right direction, but more often than not it is essential to analyze log files that Windows creates during the upgrade process.
Windows would not be Windows if you’d simply have to open a single log file for the analysis. The upgrade process creates different logs depending on the state it is in and saves those logs into different locations on the hard drive on top of that.
Windows 10 upgrade log files
The most important upgrade logs are setupact.log and setuperr.log which you find in different locations depending on the upgrade stage.
There are other logs that you may find useful as well. The following table lists log file names, locations, and descriptions:
| Log file name | Location | Description |
| setupact.log | $Windows.~BT\Sources\Panther | Downlevel phase |
| setupact.log | $Windows.~BT\Sources\Panther\UnattendGC | OOBE phase |
| setupact.log | $Windows.~BT\Sources\Rollback | Rollback log |
| setupact.log | Windows | Initializing Setup |
| setupact.log | Windows\Panther | Setup Actions |
| setuperr.log | $Windows.~BT\Sources\Panther | Downlevel phase |
| setuperr.log | $Windows.~BT\Sources\Panther\UnattendGC | OOBE phase |
| setuperr.log | $Windows.~BT\Sources\Rollback | Rollback log |
| setuperr.log | Windows | Initializing Setup |
| setuperr.log | Windows\Panther | Setup Actions |
| miglog.xml | Windows\Panther | Post Upgrade |
| BlueBox.log | Windows\Logs\Mosetup | Downlevel |
| Setupmem.dmp | $Windows.~BT\Sources\Rollback | Rollback |
| setupapi.dev.log | $Windows.~BT\Sources\Rollback | Rollback |
| *.evtx | $Windows.~BT\Sources\Rollback | Rollback |
Microsoft suggests to use the logs in different situations.
The following table highlights the suggestions:
| Log file name | Location | Suggestions |
| setupact.log | $Windows.~BT\Sources\Panther | All down-level failures and rollback investigations |
| setupact.log | $Windows.~BT\Sources\Panther\UnattendGC | OOBE phase rollbacks, 0x4001C, 0x4001D, 0x4001E, 0x4001F |
| setupact.log | $Windows.~BT\Sources\Rollback | Generic rollbacks, 0xC1900101 |
| setupact.log | Windows | Setup launch failures |
| setupact.log | Windows\Panther | Post-upgrade issues |
| setuperr.log | $Windows.~BT\Sources\Panther | Complete error listing |
| setuperr.log | $Windows.~BT\Sources\Panther\UnattendGC | Complete error listing |
| setuperr.log | $Windows.~BT\Sources\Rollback | Complete error listing |
| setuperr.log | Windows | Complete error listing |
| setuperr.log | Windows\Panther | Complete error listing |
| miglog.xml | Windows\Panther | Post-upgrade issues |
| BlueBox.log | Windows\Logs\Mosetup | WSUS and WU down-level failures, 0xC1900107 |
| Setupmem.dmp | $Windows.~BT\Sources\Rollback | Mini-dump |
| setupapi.dev.log | $Windows.~BT\Sources\Rollback | Device install issues, 0x30018 |
| *.evtx | $Windows.~BT\Sources\Rollback | Generic rollbacks, 0xC1900101 |
The two important log files setupact.log and setuperr.log use the following format:
- Date and time.
- Log Level (Info, Warning, Error, Fatal Error)
- Logging Component (CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS)
- Message
Microsoft suggests to look at SP (Setup Platform), MIG (Migration Engine) and CONX (Compatibility Information) entries in particular for troubleshooting issues.
Using the error code and log files
Windows displays an error code (usually) when an upgrade or installation fails. Use the extend code of the error to identify the log file that you should look at.
Open the log file in question, and search for the error code that Windows Setup displayed on the screen.
Additional information about troubleshooting errors are available on the Microsoft Docs website.
Now You: How do you analyze upgrade errors on Windows?
Related articles
- How to analyze Windows 10 upgrade errors
- Make sure to check default apps and settings after the recent Windows 10 update
- Microsoft releases tool to block Windows 10 updates
- Run Disk Cleanup after the Windows 10 upgrade to free space
- Windows Upgrade Error Codes Decrypted
Summary
Article Name
Windows 10 upgrade log files list
Description
The guide provides you with a list of upgrade related error logs that Windows 10 generates during the various phases of the upgrade process.
Author
Martin Brinkmann
Publisher
Ghacks Technology News
Logo
Advertisement