Windows Update Logs and Their Usage For Troubleshooting

Modified on Fri, 17 Oct at 12:52 PM

Product Version: 6.5.0.0 


Overview

Windows Update generates several logs that provide detailed insights into update detection, download, installation, and notification events. These logs are essential for troubleshooting issues at different stages of the Windows Update process.

By understanding the purpose of each log, administrators can quickly identify the root cause of update failures and take corrective actions.


Key Windows Update Logs

1. windowsupdate.log

Location: C:\Windows\Logs\WindowsUpdate

  • From Windows 8.1 onwards, the Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.

  • This log contains detailed information useful for identifying causes of Windows Update errors.

  • Use Case: When you receive update error messages or need to troubleshoot failed updates.


2. UpdateSessionOrchestration.etl

Location: C:\ProgramData\USOShared\Logs

  • Managed by the Update Orchestrator Service (Windows 10 onward), which sequences update activities including download, installation, and reboot triggers.

  • Events are recorded in .etl files.

  • Use Cases:

    • Updates are available but download does not start.

    • Updates are downloaded but installation does not trigger.

    • Updates are installed but the system does not prompt for reboot.


3. NotificationUxBroker.etl

Location: C:\ProgramData\USOShared\Logs 

  • Captures events from NotificationUxBroker.exe, responsible for displaying update-related notifications (toasts or banners).

  • Use Case: Confirm whether update notifications were triggered on the device.


4. CBS.log

Location: %systemroot%\Logs\CBS

  • Provides detailed information on update installation within the Windows Servicing Stack.

  • Use Case: Troubleshoot issues specifically related to update installation failures.


Generating windowsupdate.log

On modern Windows versions, windowsupdate.log is no longer generated in real-time. Instead, it must be manually created by merging ETW trace files.

PowerShell Command:

Get-WindowsUpdateLog


Note:

  • Running Get-WindowsUpdateLog creates a static copy of the log at that moment.

  • Unlike older versions, it does not update continuously. Run the command again to refresh the log.


Windows Update Log Components

windowsupdate.log contains entries from various Windows Update engine components. Some key components include:

Component         Purpose
AGENT             Windows Update agent
AU                Automatic Updates activity
AUCLNT            Interaction between AU and logged-on user
CDM               Device Manager
CMPRESS           Compression agent
COMAPI            Windows Update API
DRIVER            Device driver information
DTASTOR           Database transactions
EEHNDLER          Evaluates update applicability
HANDLER           Manages update installers
MISC              General service information
OFFLSNC           Detects updates offline
PARSER            Parses expression information
PT                Synchronizes update info to local datastore
REPORT            Collects reporting data
SERVICE           Startup/shutdown events
SETUP             Installs new versions of WU client
SHUTDWN           Install-at-shutdown events
WUREDIR           Windows Update redirector files
WUWEB             Windows Update ActiveX control
ProtocolTalker    Client-server synchronization
DownloadManager   Creates and monitors payload downloads
Handler/Setup     Installer handlers (CBS, etc.)
EEHandler         Evaluates applicability rules
DataStore         Local caching of update data
IdleTimer         Tracks active calls and service shutdowns


Tip: Filter out irrelevant components to focus on entries that are relevant to your troubleshooting scenario.


Windows Update Log Structure

Each entry in windowsupdate.log typically contains:

  • Timestamps: When the event occurred

  • Process ID / Thread ID: Identifies the process/thread generating the log entry

  • Component Name: The specific Windows Update component reporting the message

  • Update Identifiers:

    • Update ID and Revision Number

    • Revision ID

    • Local ID


Note: Terminology may vary across components. Cross-check related entries for a full understanding of the event sequence.
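The component filtering tip and the entry fields listed above, shown as an added PowerShell example (not part of the original article or the vendor's tooling). It assumes each line of the merged log is laid out as date, time, PID, TID, component, message; the function name ConvertFrom-WULogLine and the sample lines are constructed for illustration.

```powershell
# Added example. Assumed line layout of the merged log:
#   <date> <time> <PID> <TID> <Component> <Message>
function ConvertFrom-WULogLine {
    param([Parameter(ValueFromPipeline)][string]$Line)
    begin {
        $pattern = '^(?<ts>\d{4}/\d{2}/\d{2}\s+\d{2}:\d{2}:\d{2}\.\d+)\s+' +
                   '(?<procId>\w+)\s+(?<threadId>\w+)\s+(?<comp>\S+)\s+(?<msg>.*)$'
    }
    process {
        # Lines that do not match the layout (blank lines, banners) are skipped.
        if ($Line -match $pattern) {
            [pscustomobject]@{
                Timestamp = $Matches['ts']
                ProcessId = $Matches['procId']
                ThreadId  = $Matches['threadId']
                Component = $Matches['comp']
                Message   = $Matches['msg'].Trim()
            }
        }
    }
}

# Constructed sample lines (not taken from a real device).
$sample = @(
    '2025/10/17 09:14:02.1184532 1204  5320  Agent           Example: scan for updates started'
    '2025/10/17 09:14:02.9000311 1204  5320  IdleTimer       Example: active call counted'
    '2025/10/17 09:14:05.4471209 1204  6012  DownloadManager Example: download job created'
    '2025/10/17 09:14:09.7710045 1204  6012  Handler         Example: installer handler invoked'
    ''
)

# Components relevant to a download/installation problem; adjust per scenario.
$keep = 'Agent', 'DownloadManager', 'Handler'

$entries = $sample | ConvertFrom-WULogLine

# Which components appear in the log, and how often.
$entries | Group-Object Component | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize | Out-Host

# Only the selected components, in time order (the timestamp text sorts chronologically).
$entries | Where-Object Component -in $keep | Sort-Object Timestamp |
    Format-Table Timestamp, ProcessId, ThreadId, Component, Message -AutoSize | Out-Host

# Against a real log (Get-WindowsUpdateLog writes a static merged copy):
#   Get-WindowsUpdateLog -LogPath "$env:TEMP\WindowsUpdate.log"
#   Get-Content "$env:TEMP\WindowsUpdate.log" | ConvertFrom-WULogLine |
#       Where-Object Component -in $keep
```

Grouping the filtered entries by ProcessId and ThreadId is a practical way to follow one event sequence across components.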


Summary & Best Practices

  • Choose the appropriate log file based on the stage of update failure (detection, download, installation, notification).

  • Generate windowsupdate.log using Get-WindowsUpdateLog when needed.

  • Understand component roles to narrow down issues efficiently.

  • Filter out irrelevant components to avoid information overload.
