This article is intended for IT professionals. It explains how to examine the WindowsUpdate.log file to troubleshoot Windows Update issues. For Home users, please see Windows Update Troubleshooter.
If you receive an error message when you run Windows Update (WU), you can use the information that is included in the WindowsUpdate.log file to troubleshoot the issue.
Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs. This method improves performance and reduces disk space usage. However, the logs are not immediately readable as written. The logs must be decoded so that they can be read as text files.
To merge and convert WU trace files (.etl files) into a single readable WindowsUpdate.log file, see Get-WindowsUpdateLog.
Note: When you run the Get-WindowsUpdateLog cmdlet, a copy of the WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpdate.log did unless you run Get-WindowsUpdateLog again.
Windows Update log components
The WU engine has different component names. The following are some of the most common components that appear in the WindowsUpdate.log file:
- AGENT - Windows Update agent
- AU - Automatic Updates is performing this task
- AUCLNT - Interaction between AU and the logged-on user
- CDM - Device Manager
- CMPRESS - Compression agent
- COMAPI - Windows Update API
- DRIVER - Device driver information
- DTASTOR - Handles database transactions
- EEHNDLER - Expression handler that's used to evaluate update applicability
- HANDLER - Manages the update installers
- MISC - General service information
- OFFLSNC - Detects available updates without network connection
- PARSER - Parses expression information
- PT - Synchronizes updates information to the local datastore
- REPORT - Collects reporting information
- SERVICE - Startup/shutdown of the Automatic Updates service
- SETUP - Installs new versions of the Windows Update client when it is available
- SHUTDWN - Install at shutdown feature
- WUREDIR - The Windows Update redirector files
- WUWEB - The Windows Update ActiveX control
- ProtocolTalker - Client-server sync
- DownloadManager - Creates and monitors payload downloads
- Handler, Setup - Installer handlers (CBS, and so on)
- EEHandler - Evaluating update applicability rules
- DataStore - Caching update data locally
- IdleTimer - Tracking active calls, stopping a service
Note: Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what’s important.
Windows Update log structure
The Windows update log structure is separated into four main identities:
- Time Stamps
- Process ID and Thread ID
- Component Name
- Update Identifiers
  - Update ID and Revision Number
  - Revision ID
  - Local ID
  - Inconsistent terminology
The WindowsUpdate.log structure is discussed in the following sections.
How Windows Update scanning works
Question: Why isn’t "update X" getting offered?
Note the update ID (a GUID) of the missing update.
Go to Microsoft Update Catalog.
Do a search that finds the update.
Click the update’s title to view the details window for the update.
Look at the updateid in the address bar.
Open the log file and search for the ID that you noted. If this number is found, skip ahead to “Child update IDs”. If the ID is not found, one of two things occurred:
- The update hasn’t been approved (not even for scan) on the Windows Server Update Service (WSUS) server.
- A prerequisite hasn’t been met.
Note: Neither of these conditions will occur on WU or MU unless the update is geotargeted. For WSUS and System Center Configuration Manager, this condition requires a server-side investigation.
Most updates have one or more prerequisites. If an update’s prerequisites have not been met, the service generally won’t tell the client about the update. Therefore, the update won’t be listed in the log. As soon as you know the update ID of the prerequisites, look in the log for those IDs to determine why they are evaluated as “not applicable”.
If a prerequisite’s ID is not listed in the log, the prerequisite has its own set of prerequisites that have not been met. In this situation, work your way up the chain until you find the prerequisites that are being evaluated on the client.
Additionally, review the Publishing XML. It contains the Update ID and all the other information that you must have to further investigate this situation.
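The following PowerShell is an added example, not part of the original article. It parses decoded log lines into the fields listed under "Windows Update log structure", searches for an update ID as described above, and optionally filters by component. The line layout, the sample lines, the update ID and the function names ConvertFrom-WULogLine and Find-WUUpdateId are assumptions constructed for illustration.

```powershell
# Constructed sample lines. Assumed layout of the decoded log:
# date, time, process ID, thread ID, component, message.
$sample = @'
2024/05/14 09:12:01.1042211 1180  4312  Agent           Scan started (constructed message)
2024/05/14 09:12:03.5520198 1180  4312  ProtocolTalker  Sync with service started (constructed message)
2024/05/14 09:12:07.9012345 1180  5120  Agent           Added update 11111111-2222-3333-4444-555555555555.201 to search result
2024/05/14 09:12:08.0000412 1180  5120  IdleTimer       Active call finished (constructed message)
2024/05/14 09:13:44.2200871 1180  6004  DownloadManager Queued update 11111111-2222-3333-4444-555555555555.201 for download
'@ -split '\r?\n'

# Parse one line into the fields named under "Windows Update log structure".
function ConvertFrom-WULogLine {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        $pattern = '^(?<Date>\d{4}/\d{2}/\d{2}) (?<Time>[\d:.]+)\s+(?<ProcId>\d+)\s+' +
                   '(?<ThreadId>\d+)\s+(?<Component>\S+)\s+(?<Message>.*)$'
        if ($Line -match $pattern) {
            [pscustomobject]@{
                TimeStamp = "$($Matches.Date) $($Matches.Time)"
                ProcessId = [int]$Matches.ProcId
                ThreadId  = [int]$Matches.ThreadId
                Component = $Matches.Component
                Message   = $Matches.Message
            }
        }   # lines that do not match (blank or wrapped text) are skipped
    }
}

# Return parsed entries that mention the update ID, optionally limited to components.
function Find-WUUpdateId {
    param([string[]]$LogLine, [Parameter(Mandatory)][guid]$UpdateId, [string[]]$Component)
    $needle = [regex]::Escape($UpdateId.ToString())   # [guid] rejects malformed IDs
    $LogLine | ConvertFrom-WULogLine |
        Where-Object { $_.Message -match $needle } |
        Where-Object { -not $Component -or $_.Component -in $Component }
}

# On a real system, decode first, then read the result instead of $sample:
#   Get-WindowsUpdateLog -LogPath "$env:TEMP\WindowsUpdate.log"
#   $lines = Get-Content "$env:TEMP\WindowsUpdate.log"
$id   = '11111111-2222-3333-4444-555555555555'   # constructed update ID
$hits = Find-WUUpdateId -LogLine $sample -UpdateId $id
if (-not $hits) {
    "Update $id is not in the log: check WSUS approval and prerequisites."
} else {
    $hits | Format-Table TimeStamp, ThreadId, Component, Message -AutoSize
}
```

Pass `-Component Agent` (or several names) to narrow the hits to the components relevant to the problem being investigated.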