How to read Windows Update logs in Windows 10 Version 1607


In Windows 10 Version 1607, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs. This method improves performance and reduces disk space usage. However, the logs are not immediately readable as written.  To decode the resulting ETL files and create a single, text based log file, you can run the new Windows PowerShell cmdlet Get-WindowsUpdateLog. After you run this command, your ETL files will be decoded into a readable text log that is placed on the current user’s desktop.

Unfortunately this was a little problematic and was unreadable due to the symbols cache not being up to date.

The log file would look very similar to this…

  Unknown( 34): GUID=7b9bf239-47b9-3688-3a9e-14f09f262608 (No Format Information found).

The fix was to use a very convoluted route of downloading the symbols from MSDN and using a Visual Basic tool to debug them… Not good. This also didn’t work correctly.


As from the 10th of January the symbols have been re-indexed for build 14393.693 and now will display the WindowsUpdateLog correctly.

  • Check the build version from Settings->System->About
  • Check that KB3213986 is installed on the machine from Settings->Update & Security->Update History
  • Delete the WindowsUpdateLog folder from the temp directory from C:\Users\<<your_user_name>>\AppData\Local\Temp\WindowsUpdateLog
  • Start and elevated PowerShell command prompt from and run the following command. Get-WindowsUpdateLog -SymbolServer

The WindowsUpdateLog should now look more like this.

2017/02/16 09:21:52.4338908 11756 6208  ComApi          * START *   Install ClientId = Windows Defender (77BDAF73-B396-481F-9042-AD358843EC24)

2017/02/16 09:21:52.4338917 11756 6208  ComApi          Allow source prompts: Yes; Forced: No; Force quiet: Yes; Attempt close apps if necessary: No

2017/02/16 09:21:52.4338992 11756 6208  ComApi          Updates in request: 1

2017/02/16 09:21:52.4339038 11756 6208  ComApi          ServiceID = {7971F918-A847-4430-9279-4A52D1EFE18D} Third party service

2017/02/16 09:21:52.4727480 1140  8368  Agent           Beginning install of conventional work item

2017/02/16 09:21:52.4728677 11756 6208  ComApi          *QUEUED* Updates to install = 1

2017/02/16 09:21:52.4728681 11756 6208  ComApi          Install ClientId = Windows Defender (77BDAF73-B396-481F-9042-AD358843EC24)

There have been some reported issues with the log not completely being readable and the entries are only 80% complete. I will keep this updated to the outcome


  • If you encounter problems decoding the Windows Update log (for example, if you have multiple “GUID” entries that are displayed in the final text log), you may have to delete and then update your symbol cache. You can do this by deleting everything under the %temp%\windowsupdatelog folder.
  • Decoding the ETL files and converting them into a single textual log file requires access to the Microsoft public symbol server on the Internet.  If you have Internet access, no other action is required, the powershell cmdlet will automatically download the files needed for the conversion.
  • The first time that you run the Get-WindowsUpdateLog cmdlet, you may see the Microsoft Internet Symbol Store dialog box. To use the Get-WindowsUpdateLog cmdlet, you must accept the presented license terms to enable access to the public symbols that are used by the cmdlet.
  • If you previously downloaded a symbol cache, you can use the -SymbolServer switch to use those symbols instead of connecting to the Microsoft symbol server. In order to do this, you must be able to provide a UNC path for that symbol cache. For example:

\\<localmachinename>\c_drive\ path to local symbol cache

  • If you’re using Windows 10 Insider Preview, you may not always be able to decode the Windows Update log. Public symbols are published only for certain prerelease builds. Therefore, if public symbols are not available, you may be unable to successfully decode the log

Leave a Reply

Your email address will not be published. Required fields are marked *