Microsoft Windows Update

Windows Update is a Windows system service that manages the updates for the Windows operating system. Updates and patches are scheduled to be released through Windows Update on every second Tuesday of the month.

Windows Update logs are accessible in two ways depending on the version of your operating system:

  • Via Event Tracing for Windows (ETW), for Windows 10, Windows Server 2016 and Windows Server 2019.

  • Via the file system, in the the earlier versions of Windows.

Log collection via Event Tracing for Windows

The im_etw module of NXLog allows collecting Windows Update logs from Windows 10, Windows Server 2016 and Windows Server 2019.

Example 1. Collecting Windows Update logs with ETW

The following configuration collects Windows Update logs using the im_etw module. The collected logs are then converted to JSON using the xm_json extension module.

nxlog.conf
<Extension _json>
    Module    xm_json
</Extension>

<Input in_etw>
    Module    im_etw
    Provider  Microsoft-Windows-WindowsUpdateClient
    Exec      to_json();
</Input>
Output sample
{
  "SourceName": "Microsoft-Windows-WindowsUpdateClient",
  "ProviderGuid": "{945A8954-C147-4ACD-923F-40C45405A658}",
  "EventID": 38,
  "Version": 0,
  "Channel": 16,
  "OpcodeValue": 17,
  "TaskValue": 1,
  "Keywords": "4611686018427388544",
  "EventTime": "2019-06-06T15:08:01.098200+02:00",
  "ExecutionProcessID": 820,
  "ExecutionThreadID": 2440,
  "EventType": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "Domain": "NT AUTHORITY",
  "AccountName": "SYSTEM",
  "UserID": "S-1-5-18",
  "AccountType": "User",
  "EventReceivedTime": "2019-06-06T15:08:01.847001+02:00",
  "SourceModuleName": "in_etw",
  "SourceModuleType": "im_etw"
}

File-based log collection

Prior to the release of Windows Server 2016 and Windows 10, all Windows Update logs were stored in the WindowsUpdate.log file under the %SystemRoot% directory.

Although this log file is deprecated, it can still be generated as described in the Generating WindowsUpdate.log Microsoft article.

Example 2. Collecting Windows Update logs from Microsoft Windows Server 2008 and 2012

The following configuration collects and parses logs using the im_file module. The parser section is based on the description of the Windows Update log files section of the Microsoft documentation.

nxlog.conf
<Extension _json>
    Module    xm_json
</Extension>

define windowsupdate /(?x)(?<Date>([\d\-]+))\s+ \
                        (?<Time>([\d\:]+))\s+ \
                        (?<PID>\d{3,5})\s+ \
                        (?<TID>([\d\w]+))\s+ \
                        (?<Category>(\w+))\s+ \
                        (?<Message>(.*)) /

<Input windowsupdate>
    Module     im_file
    File       'C:\Windows\WindowsUpdate.log'
    <Exec>
        $raw_event =~ %windowsupdate%;
        $EventTime = ($Date + ' ' + $Time);
        to_json();
    </Exec>
</Input>
Input sample
2019-06-06	18:22:14:390	1012	1080	DnldMgr	PurgeContentForPatchUpdates removing unused directory "b7c04a03c3650087ddea456a018dba62"
Output sample
{
  "EventReceivedTime": "2019-06-06T18:22:14.843037+02:00",
  "SourceModuleName": "windowsupdate",
  "SourceModuleType": "im_file",
  "Category": "DnldMgr",
  "Date": "2019-06-06",
  "Message": "PurgeContentForPatchUpdates removing unused directory \"b7c04a03c3650087ddea456a018dba62\"",
  "PID": "1012",
  "TID": "1080",
  "Time": "18:22:14:390",
  "EventTime": "2019-06-06 18:22:14:390"
}
Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here.

Last revision: 22 January 2020