0

In Windows 10, the Windows Update client uses event tracing rather than writing to a text file like it did in previous versions of Windows. This can make troubleshooting problems with client machines difficult.

The Get-WindowsUpdateLog cmdlet doesn't always work. In particular, it doesn't seem to work properly when run remotely, or when the target machine doesn't have direct internet access. I've also seen reports of other problems whose cause is less clear.

Is there a more reliable and flexible option?

Harry Johnston

3 Answers

2

Starting from 1709, being offline (read: no access to the symbols servers) shouldn't be a liability anymore. You can just use `Get-WindowsUpdateLog -LogPath .\WindowsUpdate.log` from PowerShell.

Or alternatively, if you don't like that:

```
FOR %i IN (C:\Windows\Logs\WindowsUpdate\*.etl) DO tracerpt %i -of csv -o %~ni.csv
copy *.csv WindowsUpdate.csv
```

(`tracerpt` seems to be somehow limited in creating single log files with more than ~4000 entries)

mirh
  • Looks like `tracerpt` is built-in at least as far back as 1607. I can't get it to process the Windows Update logs on 1607, but it is there. So your suggestion should work from 1709 onwards. – Harry Johnston Sep 26 '19 at 04:01
  • Duh, you seem right. I was swayed by my windows.old folder, but if I check the ISO (even going as far back as XP!) it is there. Anyway, I don't think you should have deleted the old answer with `tracefmt`. I don't actually know what's the difference between that and the *Event Trace Report Tool*, but having some supported solution even for <1709 (also W8.1, I guess) would have had its merit. – mirh Sep 26 '19 at 11:08
  • I deleted the old answer because `tracefmt` doesn't work on the Windows Update logs any more. Either something was broken by one of the 2018 updates, or the necessary symbols are no longer on the Microsoft servers, I'm not sure which. – Harry Johnston Sep 26 '19 at 18:59
  • It *might* be something like that (after all they did change [a lot of](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-symbols) stuff around that time), but it might also be something as stupid as a [bad dll](https://www.reddit.com/r/sysadmin/comments/7yw7cl/getwindowsupdatelog_windows_server_2016/). Or even simpler, people forgetting to pass the -i switch to either tracefmt or tracerpt (and with the **7** binaries mentioned in the SymChk step of your Offline Symbols article, not ***6***, because that's what Get-WindowsUpdateLog actually does) – mirh Sep 27 '19 at 12:38
  • I've undeleted my old answer and added a note explaining that it no longer works. Someone might know how to fix it, I guess. – Harry Johnston Sep 29 '19 at 20:21
0

This answer no longer works. Undeleted at mirh's request and because it may serve as a reference point for future research. Use mirh's answer or my new answer instead.

Using tracefmt as described below was based on Microsoft blog posts and worked when I posted it in early 2018 but stopped working sometime later that year. It doesn't appear to work any more, even for Windows 1709 or later.


You can convert the event trace logs into plain text using tracefmt from the Windows 10 SDK.

First, copy the files from C:\Windows\Logs\WindowsUpdate on the target machine to a convenient location on your admin machine.

Open a command line window, change to the directory containing the copy of the trace files, and run the following command:

```
for %i in (*.etl) do "c:\Program Files (x86)\Windows Kits\10\bin\x64\tracefmt.exe" -o %~ni.txt -r srv*c:\symbols*https://msdl.microsoft.com/download/symbols %i
```

The admin machine must have the Windows 10 SDK installed and needs direct internet access. It does not need to be running Windows 10 itself.

You may then wish to combine the logs together into a single file:

```
copy *.txt WindowsUpdate.log
```

Harry Johnston
0

For Windows Server 2016 or Windows 2016 LTSB, this Microsoft article describes how to use the Get-WindowsUpdateLog command on a machine that doesn't have access to the Microsoft symbol server.

The simplest option is to copy the .etl files from C:\Windows\Logs\WindowsUpdate on the offline machine to your (online) admin machine and then use the -ETLPath option to point Get-WindowsUpdateLog towards the copied files.

Harry Johnston
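
The copy-then-decode procedure from the last answer, as an added example that is not part of any of the answers above: it pulls the .etl files from the target over the administrative share, records their SHA-256 hashes, and decodes the copies on the admin machine with `Get-WindowsUpdateLog -ETLPath`. The `$ComputerName` and `$WorkDir` parameters, the `etl-hashes.csv` file name and the use of the `C$` share are assumptions made for the example.

```powershell
# Added example. $ComputerName and $WorkDir are hypothetical parameters;
# reading \\host\C$ assumes administrative rights on the target machine.
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [string]$WorkDir = (Join-Path $env:TEMP "WULogs-$ComputerName")
)
$ErrorActionPreference = 'Stop'

$source = "\\$ComputerName\C`$\Windows\Logs\WindowsUpdate"
$etlDir = Join-Path $WorkDir 'etl'
New-Item -ItemType Directory -Path $etlDir -Force | Out-Null

# Copy each trace file; report any file that cannot be copied and carry on.
$copied = 0
foreach ($f in Get-ChildItem -Path $source -Filter '*.etl') {
    try {
        Copy-Item -LiteralPath $f.FullName -Destination $etlDir
        $copied++
    } catch {
        Write-Warning "Skipped $($f.Name): $($_.Exception.Message)"
    }
}
if ($copied -eq 0) { throw "No .etl files were copied from $source" }

# Hash the collected traces so the decoded log can be tied back to its inputs.
Get-ChildItem -Path $etlDir -Filter '*.etl' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $WorkDir 'etl-hashes.csv') -NoTypeInformation

# Decode the copies locally instead of running the cmdlet on the target.
$log = Join-Path $WorkDir 'WindowsUpdate.log'
Get-WindowsUpdateLog -ETLPath $etlDir -LogPath $log

# Show the end of the decoded log as a quick check that decoding worked.
Get-Content -Path $log -Tail 20
```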