How to Export Windows Update Logs for Troubleshooting
🔍 WiseChecker

How to Export Windows Update Logs for Troubleshooting

by

Quick fix: Open Terminal (Admin) and run Get-WindowsUpdateLog. PowerShell merges all ETL trace logs and writes a readable WindowsUpdate.log to your Desktop within a minute. The log contains every Windows Update Agent event with timestamps, error codes, and detailed sub-component breakdowns.

Windows Update is failing with cryptic error codes (0x80070002, 0x800F0922, 0x80240034). The Settings UI shows just a generic “Updates failed to install” message. To get the real story, you need the Windows Update log — which since Windows 10 isn’t a plain text file anymore but a series of ETL trace files that require a PowerShell cmdlet to decode.

Symptom: Need to troubleshoot Windows Update failures and want the detailed log file the Settings UI doesn’t expose.
Affects: Windows 11 (and Windows 10 1607+).
Fix time: ~10 minutes.

ADVERTISEMENT

What causes this

Pre-Windows 10, Windows Update wrote a plain-text C:\Windows\WindowsUpdate.log. Starting with Windows 10 1607, the agent writes binary ETL (Event Trace Log) files to C:\Windows\Logs\WindowsUpdate\ for performance. To read them, you need Get-WindowsUpdateLog, which merges and decodes the ETLs into a single readable text file.

The merged log shows every Windows Update Agent operation: scan attempts, download progress, install attempts, and exact error codes with internal function names. Cross-referencing error codes with Microsoft KB articles solves most update failures.

Method 1: Generate the WindowsUpdate.log via PowerShell

The standard route.

  1. Open Terminal (Admin): right-click Start → Terminal (Admin).
  2. Run: 
    Get-WindowsUpdateLog

    The cmdlet decodes all ETL files and writes WindowsUpdate.log to your Desktop. Takes 30–90 seconds.

  3. The log appears at %USERPROFILE%\Desktop\WindowsUpdate.log. Open with Notepad or your preferred text editor.
  4. For a specific output location: 
    Get-WindowsUpdateLog -LogPath "C:\temp\WindowsUpdate.log"
  5. For just the last day’s entries: pipe through Select-String: 
    Select-String -Path "$env:USERPROFILE\Desktop\WindowsUpdate.log" -Pattern (Get-Date).ToString("yyyy/MM/dd")
  6. Search for errors: look for entries containing FATAL, ERROR, or 0x80 (error code prefix). These pinpoint where the update agent failed.

This is the canonical method — the same one Microsoft Support requests when troubleshooting update issues.

ADVERTISEMENT

Method 2: Extract specific error context and timestamps

For finding the cause of a specific failed update.

  1. Note the time the update failed (from Settings → Update history).
  2. Run Get-WindowsUpdateLog as in Method 1.
  3. Open WindowsUpdate.log in Notepad. Use Ctrl + F to search for the time of failure.
  4. Read the lines surrounding the failure timestamp. Look for:
    • Error code patterns: HRESULT: 0x80070002 (file not found), 0x800F0922 (installation script failed), 0x80240034 (download failed).
    • Function names: CWuaDownload::Begin, CUpdateInstaller::Install. Tells you which phase failed.
    • Update IDs: GUIDs that map to specific KB articles. Search the GUID in browser to find which KB is failing.
  5. For more readable timestamps and structured analysis: import the log into a structured viewer. PowerShell: 
    Get-Content "$env:USERPROFILE\Desktop\WindowsUpdate.log" | Where-Object { $_ -match "FATAL|ERROR|0x80" } | Out-GridView

    Opens a sortable, filterable grid of error lines.

  6. Save filtered errors for sharing with support: 
    Get-Content WindowsUpdate.log | Select-String -Pattern "FATAL|ERROR" | Out-File update-errors.txt

This pinpoints the exact failure for cross-reference with Microsoft documentation.

Method 3: Examine related event log entries

For when the merged log doesn’t have enough context — specifically for service-level or scheduled task issues.

  1. Open Event Viewer (eventvwr.msc).
  2. Navigate to Applications and Services Logs → Microsoft → Windows → WindowsUpdateClient → Operational. This log shows Update Client operations — download, install, failure events.
  3. Also check Microsoft → Windows → WindowsUpdate → Eventlog → Update orchestration for the Orchestrator’s scheduling decisions.
  4. Filter for Errors and Critical events (right pane → Filter Current Log → tick Error and Critical).
  5. For more depth: Applications and Services Logs → Microsoft → Windows → Servicing → Operational. Shows component-based servicing events — useful when updates fail during install rather than download.
  6. Export logs for archival or sharing: right-click a log → Save All Events As → choose .evtx for native format or .txt for cross-platform reading.
  7. For SetupDiag tool (a Microsoft official troubleshooter): download from Microsoft, run as admin. It parses recent setup logs and reports the most likely cause of an upgrade or update failure in plain English.

Event Viewer provides higher-level context that the merged log doesn’t always show.

How to verify the fix worked

  • The WindowsUpdate.log file exists on your Desktop with a current timestamp.
  • Open the file. Last entries should be from within the past few hours (assuming the Update Agent has been active).
  • Error codes you found correlate with results from Microsoft Search or docs.microsoft.com — specifically the “Windows Update common errors” page.

If none of these work

If Get-WindowsUpdateLog fails or produces an empty file, the cause is one of several. Symbol server unreachable: the cmdlet downloads symbol files for decoding ETLs. If your firewall blocks msdl.microsoft.com, it fails. Workaround: Get-WindowsUpdateLog -SymbolServer "" to skip symbols. Result is less readable but available. ETL files missing: check C:\Windows\Logs\WindowsUpdate\. If empty, the Update Agent hasn’t logged recently — trigger an update check first (UsoClient ScanInstallWait), wait for it to log, then re-run Get-WindowsUpdateLog. For deeper debugging: run SetupDiag.exe from Microsoft (free download). It pattern-matches your logs against known issues and reports likely fixes. For Insider builds with experimental Update Agent versions, use Feedback Hub to submit logs to Microsoft directly. For corporate-managed PCs: WSUS or SCCM logs are at C:\Windows\CCM\Logs\ or C:\WSUS\. Different log structure from standalone WindowsUpdate logs. Consult IT or the SCCM admin guide.

Bottom line: Get-WindowsUpdateLog in PowerShell produces a readable Windows Update log on your Desktop. Search for error codes and timestamps to pinpoint failures, then cross-reference with Microsoft KB articles.

ADVERTISEMENT

← Back to WiseChecker HomeMore in Windows & PC

🔍 Recommended for You