Windows Update uses Event Tracing for Windows (ETW) to generate diagnostic logs in Windows 11/10 and saves them in the .etl file format. This reduces disk space usage and improves performance.
One consequence of this method is that the Windows Update logs are not immediately readable. You first need to decode the .etl files in which these logs are saved.
Read Windows Update logs in Windows 11/10
To read the Windows Update logs in Windows 11/10, Microsoft suggests the following method:
- Download the Windows Symbol Packages and install them using the method outlined here. Install these symbols to, say, C:\symbols.
- Download the Tracefmt.exe tool by following the instructions here. Tracefmt (Tracefmt.exe) is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. Tracefmt can display the messages in the Command Prompt window or save them in a text file.
Now open a command prompt with administrative rights, create a temporary folder named %systemdrive%\WULogs, and copy Tracefmt.exe to this directory.
Now run the following commands one after the other:
cd /d %systemdrive%\WULogs
copy %windir%\Logs\WindowsUpdate\* %systemdrive%\WULogs\
tracefmt.exe -o windowsupate.log <each windows update log delimited by space> -r c:\Symbols
The method does look tedious, and Microsoft has promised to improve things in the final version of Windows 10. Full details can be found at KB3036646.
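The same steps as a PowerShell script that builds the space-delimited .etl list automatically and flags an empty result. This is an added example, not code from the original article or from Microsoft; it uses only the tracefmt.exe options shown above (-o and -r), and the output file name is chosen for this example.

```powershell
# Added example (not from the article): decode Windows Update traces with tracefmt.exe.
# Run from an elevated PowerShell prompt. Folder names follow the steps above.
$work     = Join-Path $env:SystemDrive 'WULogs'    # working folder from the article
$symbols  = 'C:\symbols'                           # symbol folder from the article
$tracefmt = Join-Path $work 'tracefmt.exe'         # copy of the tool placed in $work
$outFile  = Join-Path $work 'WindowsUpdate.log'    # output name chosen for this example

foreach ($p in $tracefmt, $symbols) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Missing prerequisite: $p" }
}

# Work on copies; the originals stay in %windir%\Logs\WindowsUpdate.
Copy-Item -Path (Join-Path $env:windir 'Logs\WindowsUpdate\*.etl') -Destination $work -Force

# Build the list of trace files that the placeholder in the command stands for.
$etl = @(Get-ChildItem -LiteralPath $work -Filter '*.etl' |
         Sort-Object Name |
         ForEach-Object { $_.FullName })
if ($etl.Count -eq 0) { throw "No .etl files in $work; nothing to decode." }

# Each array element is passed to tracefmt.exe as its own argument.
& $tracefmt -o $outFile $etl -r $symbols
if ($LASTEXITCODE -ne 0) { throw "tracefmt.exe exited with code $LASTEXITCODE" }

# A missing or empty output file means no events were formatted.
if (-not (Test-Path -LiteralPath $outFile)) { throw "tracefmt.exe produced no $outFile" }
$size = (Get-Item -LiteralPath $outFile).Length
if ($size -eq 0) {
    Write-Warning "$outFile is empty; check the .etl list and the contents of $symbols."
} else {
    "Decoded $($etl.Count) trace file(s) into $outFile ($size bytes)"
}
```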
UPDATE: Well things have improved in Windows 11/10 now.
Use PowerShell to read Windows Update logs
The WindowsUpdate.log is still located in C:\Windows. However, when you open the file C:\Windows\WindowsUpdate.log, you will only see the following information:
Windows Update logs are now generated using ETW (Event Tracing for Windows). Please run the Get-WindowsUpdateLog PowerShell command to convert ETW traces into a readable WindowsUpdate.log.
To read the WindowsUpdate.log in Windows 10, you will need to use a Windows PowerShell cmdlet to re-create the WindowsUpdate.log the way we normally view it.
So open a PowerShell window, type Get-WindowsUpdateLog and hit Enter.
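A scripted version of this step that writes the log to a known location and checks whether it was actually decoded. This is an added example, not code from the original article; the output location, the marker text used to spot unformatted lines and the 50% threshold are assumptions made for this example.

```powershell
# Added example (not from the article): rebuild WindowsUpdate.log and check that it decoded.
# Folder of .etl traces; this is the live Windows Update trace directory.
$etlPath = Join-Path $env:windir 'Logs\WindowsUpdate'
# Assumed output location for this example (the cmdlet's own default is the Desktop).
$logPath = Join-Path $env:TEMP 'WindowsUpdate.log'

if (-not (Get-ChildItem -Path $etlPath -Filter '*.etl' -ErrorAction SilentlyContinue)) {
    throw "No .etl files found under $etlPath"
}

# -ETLPath accepts a folder of traces; -LogPath is the text file to write.
Get-WindowsUpdateLog -ETLPath $etlPath -LogPath $logPath | Out-Null

# Assumption: lines that could not be formatted carry this marker text.
$marker = 'No Format Information found'
$total  = 0
$bad    = 0
foreach ($line in [System.IO.File]::ReadLines($logPath)) {
    $total++
    if ($line.Contains($marker)) { $bad++ }
}

# Summarize so a mostly undecoded log is noticed before anyone relies on it.
[pscustomobject]@{
    LogPath          = $logPath
    Lines            = $total
    UndecodedLines   = $bad
    UndecodedPercent = if ($total) { [math]::Round(100 * $bad / $total, 1) } else { 0 }
    Usable           = ($total -gt 0 -and $bad -lt ($total / 2))  # example threshold
}
```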
BONUS INFORMATION
Windows Update Log File formatting has been improved
When Microsoft released Windows 10, it changed the Windows Update log file from plain text to a binary file format. Developers and IT professionals typically need the Windows Update log file to read vital information while debugging applications. The preferred format for the update log file is text, so that it can be opened in a plain text editor or processed with text-editing tools.
However, because Microsoft replaced it with an unreadable binary format, a new PowerShell cmdlet, Get-WindowsUpdateLog, was added to format the binary file and convert it to the preferred text format.
This process required users either to connect to the Microsoft Symbol Server to get the latest symbol files or to download the latest Windows symbol files before running the Get-WindowsUpdateLog cmdlet. However, the process would fail if the latest symbols were unavailable at the Microsoft Symbol Server at the time of connection, resulting in formatting issues in the formatted text files.
This issue has been sorted out now.
Connection to Microsoft Symbol Server not required
With the release of Windows 10 v1709, Microsoft has improved overall access to the Windows Update log file. Establishing a connection to the Microsoft Symbol Server to get the symbols is no longer required. Users will, however, still have to run the Get-WindowsUpdateLog PowerShell cmdlet to translate the Windows Update log from its binary format into readable text files.
Observe the screenshots and you will find that though the computer has no network connection at all (see the icon at the bottom right), the Get-WindowsUpdateLog worked successfully.
What are Symbol files
For curious minds, here is an explanation. When applications, libraries, drivers, or operating systems are linked, the linker that creates the .exe and .dll files also creates a number of additional files known as symbol files.
Symbol files are identified by the extension .pdb. They hold a variety of data that is not actually needed when running the binaries, but that can be very useful in the debugging process. Symbol files typically contain:
- Global variables
- Local variables
- Function names and the addresses of their entry points
- Frame pointer omission (FPO) records
- Source-line numbers
From the “Windows 2000” logs are a mess. Text files scattered across multiple folders, event viewer that is a challenge to make filters and now we have it. Well it is the Linux logs, all in text file within a single folder.
Got as far as “tracefmt.exe -o windowsupate.log -r c:\Symbols
The system cannot find the file specified.”
If it would specify which file not found, that might help me sort things.
Pretty sure I followed instructions correctly..
Thanks anyway. Good guide for me.
Hmm.. According to cmd admin:
“C:\WINDOWS\system32>tracefmt.exe -?
‘tracefmt.exe’ is not recognized as an internal or external command,
operable program or batch file.”
(So… That would be the file it can’t find?)
With Visual Studio 2015 installed, I can find five instances of tracefmt.exe on my machine – plus the one copied to C:\WULogs.
I have been referred to Windows Performance Toolkit instead of Visual Studio. I’m assuming as a way to get tracefmt, but haven’t confirmed that.
Well, this works:
C:\WINDOWS\system32>cd c:\WULogs
c:\WULogs>tracefmt.exe -?
Microsoft (R) TraceFmt.Exe (10.0.10240.16384)
® Microsoft Corporation. All rights reserved. etc…
Leaving me to ponder: is it c:\Symbols it can’t find and, if so, why?
OK. I’m none too familiar with using Command Prompt. It might help to explain that “<each windows update log delimited by space>” is to be entirely replaced with the name of an update log file or a list of such files – each “delimited” by a space.
EG:
c:\WULogs>tracefmt.exe -o windowsupate.log WindowsUpdate.20151021.094343.590.1.etl WindowsUpdate.20151021.110734.126.1.etl WindowsUpdate.20151021.115208.590.1.etl -r c:\Symbols
They appear as separate lines here, but they are separated by a space only.
Even then, I’m still stuck with “Access denied” on this command following an on screen message “This app can’t run on your PC
To find a version for your PC, check with the software publisher.”
Tracefmt.exe in use originates with Visual Studio 2015 and I’m running Windows 10 Pro x64. VS actually installs tracefmt in five different locations, some labelled with “8.1”. That’s the OS from which I upgraded to 10, so maybe…
Also, Windows Performance Toolkit was suggested to me as an alternative to VS. Tho, I haven’t yet checked it out.
Tracefmt.exe in C:\Program Files (x86)\Windows Kits\8.1\bin\x64 is a different version to the one in C:\Program Files (x86)\Windows Kits\10\bin\x64.
Also, running the 8.1 copy in Compatibility Mode for 8 seems somewhat successful.
Tho, I seem to be ‘reading’ non-existent .etl’s atm. I’ll have to have another look at that…
Run tracefmt as Administrator, the copy in WULogs that is.
Works for version 10.
Output is partly legible, more so than with the standard method.
tracefmt takes centuries to install. I installed this and hoped in a command prompt with administrator privileges I could run tracefmt.exe command
tracefmt
and it would give a message… showing that the exe exists?
I downloaded this which took forever by the way but no avail..
wdksetup.exe
I got this far…
I had a folder called wulogs with the ETL files… I hunted and found tracefmt.exe finally after installing that pack wdksetup.exe
C:\Users\zerou_000\wulogs>"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\x64\TraceFmt.exe" -o Windowsupdate.log
Examining C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\x64\default.tmf for message formats, none found, file not found
Searching for TMF files on path: (null)
Logfile C:\Logfile.Etl:
OS version 0.0.0 (Currently running on 6.2.9200)
Start Time 0024-00-00-54168:142:00.000
End Time Not set (Logger may not have been stopped).
Timezone is (Bias is 0mins)
BufferSize 0 B
Maximum File Size 0 MB
Buffers Written Not set (Logger may not have been stopped).
Logger Mode Settings (0) Logfile Mode is not set
ProcessorCount 0
Error processing trace entry with status=0x6 (GetLastError=0x0)
Error Closing Trace 0 with status=6 (GetLastError=0x0)
Processing completed Buffers: 0, Events: 0, EventsLost: 0 :: Format Errors: 0, Unknowns: 0
Event traces dumped to C:\Users\zerou_000\wulogs\Windowsupdate.log
Event Summary dumped to C:\Users\zerou_000\wulogs\Windowsupdate.log.sum
…Unfortunately my output is unusable.. windowsupdate.log is completely empty …
where are the raw ETL files for windows update stored
You should update this post, since it’s now a LOT easier. All you have to do now is run ‘Get-WindowsUpdateLog’ from PowerShell, and it crunches the files into a standard text file.
Thanks for the nudge. I had forgotten about this post.
Although there are claims this was fixed by a Microsoft patch, I’m still getting the same unreadable log file after running get-windowsupdatelog. Is there a particular windows update that fixed this that I might be missing?