deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

change ms.topic

Browse Source
This commit is contained in:
Aaron Czechowski 2024-08-27 17:09:31 -07:00
parent 3133fcefcf
commit aabde95994
1 changed files with 99 additions and 96 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
windows/deployment/update/windows-update-logs.md
View File

@ -3,7 +3,7 @@ title: Windows Update log files
description: Learn about the Windows Update log files and how to merge and convert Windows Update trace files (.etl files) into a single readable WindowsUpdate.log file.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: troubleshooting
ms.topic: reference
author: mestew
ms.author: mstewart
manager: aaroncz
@ -18,10 +18,8 @@ ms.date: 12/08/2023
# Windows Update log files
The following table describes the log files created by Windows Update.
|Log file|Location|Description|When to use |
|-|-|-|-|
|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update, you can use the information included in the Windowsupdate.log log file to troubleshoot the issue.|
@ -33,8 +31,8 @@ The following table describes the log files created by Windows Update.
To merge and convert Windows Update trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](/powershell/module/windowsupdate/get-windowsupdatelog?preserve-view=tru&view=win10-ps).
>[!NOTE]
>When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpdate.log unless you run **Get-WindowsUpdateLog** again.
> [!NOTE]
> When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpdate.log unless you run **Get-WindowsUpdateLog** again.
## Windows Update log components
@ -67,40 +65,44 @@ The Windows Update engine has different component names. The following are some
- DataStore - Caching update data locally
- IdleTimer - Tracking active calls, stopping a service
>[!NOTE]
>Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what's important.
> [!NOTE]
> Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what's important.
## Windows Update log structure
The Windows update log structure is separated into four main identities:
- Time Stamps
- Process ID and Thread ID
- Component Name
- Update Identifiers
- Update ID and Revision Number
- Revision ID
- Local ID
- Inconsistent terminology
- Time stamps
- Process ID and thread ID
- Component name
- Update identifiers
- Update ID and revision number
- Revision ID
- Local ID
- Inconsistent terminology
The WindowsUpdate.log structure is discussed in the following sections.
### Time stamps
The time stamp indicates the time at which the logging occurs.
- Messages are usually in chronological order, but there may be exceptions.
- A pause during a sync can indicate a network problem, even if the scan succeeds.
- A long pause near the end of a scan can indicate a supersedence chain issue.
![Windows Update time stamps.](images/update-time-log.png)
### Process ID and thread ID
The Process IDs and Thread IDs are random, and they can vary from log to log and even from service session to service session within the same log.
- The first four digits, in hex, are the process ID.
- The next four digits, in hex, are the thread ID.
- Each component, such as the USO, Windows Update engine, COM API callers, and Windows Update installer handlers, has its own process ID.
![Windows Update process and thread IDs.](images/update-process-id.png)
### Component name
Search for and identify the components that are associated with the IDs. Different parts of the Windows Update engine have different component names. Some of them are as follows:
- ProtocolTalker - Client-server sync
@ -112,7 +114,6 @@ Search for and identify the components that are associated with the IDs. Differe
![Windows Update component name.](images/update-component-name.png)
### Update identifiers
The following items are update identifiers:
@ -120,13 +121,13 @@ The following items are update identifiers:
#### Update ID and revision number
There are different identifiers for the same update in different contexts. It's important to know the identifier schemes.
- Update ID: A GUID (indicated in the previous screenshot) assigned to a given update at publication time
- Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service
- Revision numbers are reused from one update to another (not a unique identifier).
- The update ID and revision number are often shown together as "{GUID}.revision."
![Windows Update update identifiers.](images/update-update-id.png)
#### Revision ID
- A Revision ID (don't confuse this value with "revision number") is a serial number issued when an update is initially published or revised on a given service.
@ -143,14 +144,16 @@ There are different identifiers for the same update in different contexts. It's
- You can find the local IDs that a client is using by getting the client's %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file
#### Inconsistent terminology
- Sometimes the logs use terms inconsistently. For example, the InstalledNonLeafUpdateIDs list actually contains revision IDs, not update IDs.
- Recognize IDs by form and context:
- GUIDs are update IDs
- Small integers that appear alongside an update ID are revision numbers
- Large integers are typically revision IDs
- Small integers (especially in Datastore) can be local IDs
- GUIDs are update IDs
- Small integers that appear alongside an update ID are revision numbers
- Large integers are typically revision IDs
- Small integers (especially in Datastore) can be local IDs
![Windows Update inconsisten terminology.](images/update-inconsistent.png)
## Windows Setup log files analysis using SetupDiag tool
SetupDiag is a diagnostic tool that can be used for analysis of logs related to installation of Windows Updates. For detailed information, see [SetupDiag](../upgrade/setupdiag.md).
SetupDiag is a diagnostic tool that can be used for analysis of logs related to installation of Windows Updates. For more information, see [SetupDiag](../upgrade/setupdiag.md).