change ms.topic

windows/deployment/update/windows-update-logs.md

@@ -3,25 +3,23 @@ title: Windows Update log files
 description: Learn about the Windows Update log files and how to merge and convert Windows Update trace files (.etl files) into a single readable WindowsUpdate.log file.
 ms.service: windows-client
 ms.subservice: itpro-updates
-ms.topic: troubleshooting
+ms.topic: reference
 author: mestew
 ms.author: mstewart
 manager: aaroncz
 ms.collection:
   - highpri
   - tier2
-appliesto: 
+appliesto:
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 ms.date: 12/08/2023
 ---
 
 # Windows Update log files
 
-
 The following table describes the log files created by Windows Update.
 
-
 |Log file|Location|Description|When to use |
 |-|-|-|-|
 |windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update, you can use the information included in the Windowsupdate.log log file to troubleshoot the issue.|
@@ -31,126 +29,131 @@ The following table describes the log files created by Windows Update.
 
 ## Generating WindowsUpdate.log
 
-To merge and convert Windows Update trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](/powershell/module/windowsupdate/get-windowsupdatelog?preserve-view=tru&view=win10-ps). 
+To merge and convert Windows Update trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](/powershell/module/windowsupdate/get-windowsupdatelog?preserve-view=tru&view=win10-ps).
+
+> [!NOTE]
+> When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpdate.log unless you run **Get-WindowsUpdateLog** again.
 
->[!NOTE]
->When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpdate.log unless you run **Get-WindowsUpdateLog** again. 
- 
 ## Windows Update log components
 
-The Windows Update engine has different component names. The following are some of the most common components that appear in the WindowsUpdate.log file: 
+The Windows Update engine has different component names. The following are some of the most common components that appear in the WindowsUpdate.log file:
 
-- AGENT- Windows Update agent 
+- AGENT- Windows Update agent
-- AU - Automatic Updates is performing this task 
+- AU - Automatic Updates is performing this task
-- AUCLNT- Interaction between AU and the logged-on user 
+- AUCLNT- Interaction between AU and the logged-on user
-- CDM- Device Manager 
+- CDM- Device Manager
-- CMPRESS- Compression agent 
+- CMPRESS- Compression agent
-- COMAPI- Windows Update API 
+- COMAPI- Windows Update API
-- DRIVER- Device driver information 
+- DRIVER- Device driver information
-- DTASTOR- Handles database transactions 
+- DTASTOR- Handles database transactions
-- EEHNDLER- Expression handler that's used to evaluate update applicability 
+- EEHNDLER- Expression handler that's used to evaluate update applicability
-- HANDLER- Manages the update installers 
+- HANDLER- Manages the update installers
-- MISC- General service information 
+- MISC- General service information
-- OFFLSNC- Detects available updates without network connection 
+- OFFLSNC- Detects available updates without network connection
-- PARSER- Parses expression information 
+- PARSER- Parses expression information
-- PT- Synchronizes updates information to the local datastore 
+- PT- Synchronizes updates information to the local datastore
-- REPORT- Collects reporting information 
+- REPORT- Collects reporting information
-- SERVICE- Startup/shutdown of the Automatic Updates service 
+- SERVICE- Startup/shutdown of the Automatic Updates service
-- SETUP- Installs new versions of the Windows Update client when it's available 
+- SETUP- Installs new versions of the Windows Update client when it's available
-- SHUTDWN- Install at shutdown feature 
+- SHUTDWN- Install at shutdown feature
-- WUREDIR- The Windows Update redirector files 
+- WUREDIR- The Windows Update redirector files
-- WUWEB- The Windows Update ActiveX control 
+- WUWEB- The Windows Update ActiveX control
-- ProtocolTalker - Client-server sync 
+- ProtocolTalker - Client-server sync
-- DownloadManager - Creates and monitors payload downloads 
+- DownloadManager - Creates and monitors payload downloads
-- Handler, Setup -  Installer handlers (CBS, and so on) 
+- Handler, Setup -  Installer handlers (CBS, and so on)
-- EEHandler -  Evaluating update applicability rules 
+- EEHandler -  Evaluating update applicability rules
-- DataStore - Caching update data locally 
+- DataStore - Caching update data locally
-- IdleTimer - Tracking active calls, stopping a service 
+- IdleTimer - Tracking active calls, stopping a service
- 
->[!NOTE]
->Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what's important. 
- 
-## Windows Update log structure 
-The Windows update log structure is separated into four main identities: 
 
-- Time Stamps 
+> [!NOTE]
-- Process ID and Thread ID 
+> Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what's important.
-- Component Name 
-- Update Identifiers    
-   - Update ID and Revision Number 
-   - Revision ID 
-   - Local ID 
-   - Inconsistent terminology 
 
-The WindowsUpdate.log structure is discussed in the following sections. 
+## Windows Update log structure
 
-### Time stamps  
+The Windows update log structure is separated into four main identities:
-The time stamp indicates the time at which the logging occurs. 
+
-- Messages are usually in chronological order, but there may be exceptions. 
+- Time stamps
-- A pause during a sync can indicate a network problem, even if the scan succeeds. 
+- Process ID and thread ID
-- A long pause near the end of a scan can indicate a supersedence chain issue.   
+- Component name
+- Update identifiers
+  - Update ID and revision number
+  - Revision ID
+  - Local ID
+  - Inconsistent terminology
+
+The WindowsUpdate.log structure is discussed in the following sections.
+
+### Time stamps
+
+The time stamp indicates the time at which the logging occurs.
+
+- Messages are usually in chronological order, but there may be exceptions.
+- A pause during a sync can indicate a network problem, even if the scan succeeds.
+- A long pause near the end of a scan can indicate a supersedence chain issue.
    ![Windows Update time stamps.](images/update-time-log.png)
 
+### Process ID and thread ID
 
-### Process ID and thread ID  
+The Process IDs and Thread IDs are random, and they can vary from log to log and even from service session to service session within the same log.
-The Process IDs and Thread IDs are random, and they can vary from log to log and even from service session to service session within the same log. 
+
-- The first four digits, in hex, are the process ID. 
+- The first four digits, in hex, are the process ID.
-- The next four digits, in hex, are the thread ID. 
+- The next four digits, in hex, are the thread ID.
-- Each component, such as the USO, Windows Update engine, COM API callers, and Windows Update installer handlers, has its own process ID.   
+- Each component, such as the USO, Windows Update engine, COM API callers, and Windows Update installer handlers, has its own process ID.
    ![Windows Update process and thread IDs.](images/update-process-id.png)
 
+### Component name
 
-### Component name  
+Search for and identify the components that are associated with the IDs. Different parts of the Windows Update engine have different component names. Some of them are as follows:
-Search for and identify the components that are associated with the IDs. Different parts of the Windows Update engine have different component names. Some of them are as follows: 
 
-- ProtocolTalker - Client-server sync 
+- ProtocolTalker - Client-server sync
-- DownloadManager - Creates and monitors payload downloads 
+- DownloadManager - Creates and monitors payload downloads
-- Handler, Setup - Installer handlers (CBS, etc.) 
+- Handler, Setup - Installer handlers (CBS, etc.)
-- EEHandler - Evaluating update applicability rules 
+- EEHandler - Evaluating update applicability rules
-- DataStore - Caching update data locally 
+- DataStore - Caching update data locally
-- IdleTimer - Tracking active calls, stopping service 
+- IdleTimer - Tracking active calls, stopping service
 
 ![Windows Update component name.](images/update-component-name.png)
 
-
+### Update identifiers
-### Update identifiers  
 
 The following items are update identifiers:
 
-#### Update ID and revision number 
+#### Update ID and revision number
 
-There are different identifiers for the same update in different contexts. It's important to know the identifier schemes. 
+There are different identifiers for the same update in different contexts. It's important to know the identifier schemes.
-- Update ID: A GUID (indicated in the previous screenshot) assigned to a given update at publication time 
+
-- Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service 
+- Update ID: A GUID (indicated in the previous screenshot) assigned to a given update at publication time
-- Revision numbers are reused from one update to another (not a unique identifier). 
+- Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service
-- The update ID and revision number are often shown together as "{GUID}.revision." 
+- Revision numbers are reused from one update to another (not a unique identifier).
+- The update ID and revision number are often shown together as "{GUID}.revision."
    ![Windows Update update identifiers.](images/update-update-id.png)
 
-
 #### Revision ID
 
-- A Revision ID (don't confuse this value with "revision number") is a serial number issued when an update is initially published or revised on a given service. 
+- A Revision ID (don't confuse this value with "revision number") is a serial number issued when an update is initially published or revised on a given service.
-- An existing update that is revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a new revision ID that isn't related to the previous ID. 
+- An existing update that is revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a new revision ID that isn't related to the previous ID.
-- Revision IDs are unique on a given update source, but not across multiple sources. 
+- Revision IDs are unique on a given update source, but not across multiple sources.
-- The same update revision might have different revision IDs on Windows Update and WSUS. 
+- The same update revision might have different revision IDs on Windows Update and WSUS.
-- The same revision ID might represent different updates on Windows Update and WSUS. 
+- The same revision ID might represent different updates on Windows Update and WSUS.
 
 #### Local ID
 
-- Local ID is a serial number issued by a given Windows Update client when an update is received from a service. 
+- Local ID is a serial number issued by a given Windows Update client when an update is received from a service.
-- Typically seen in debug logs, especially involving the local cache for update info (Datastore) 
+- Typically seen in debug logs, especially involving the local cache for update info (Datastore)
-- Different client PCs assign different Local IDs to the same update 
+- Different client PCs assign different Local IDs to the same update
-- You can find the local IDs that a client is using by getting the client's %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file 
+- You can find the local IDs that a client is using by getting the client's %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file
 
-#### Inconsistent terminology 
+#### Inconsistent terminology
-- Sometimes the logs use terms inconsistently. For example, the InstalledNonLeafUpdateIDs list actually contains revision IDs, not update IDs. 
+
-- Recognize IDs by form and context: 
+- Sometimes the logs use terms inconsistently. For example, the InstalledNonLeafUpdateIDs list actually contains revision IDs, not update IDs.
-    
+- Recognize IDs by form and context:
-   - GUIDs are update IDs 
+
-   - Small integers that appear alongside an update ID are revision numbers 
+  - GUIDs are update IDs
-   - Large integers are typically revision IDs 
+  - Small integers that appear alongside an update ID are revision numbers
-   - Small integers (especially in Datastore) can be local IDs 
+  - Large integers are typically revision IDs
+  - Small integers (especially in Datastore) can be local IDs
       ![Windows Update inconsisten terminology.](images/update-inconsistent.png)
 
 ## Windows Setup log files analysis using SetupDiag tool
-SetupDiag is a diagnostic tool that can be used for analysis of logs related to installation of Windows Updates. For detailed information, see [SetupDiag](../upgrade/setupdiag.md).
+
+SetupDiag is a diagnostic tool that can be used for analysis of logs related to installation of Windows Updates. For more information, see [SetupDiag](../upgrade/setupdiag.md).