Tail Windows Update Log Server 2016+ / Windows 10

Sometimes you have to patch mission critical Windows servers and you want to see what’s going on in the background. The modern windows update dialogue provides little verbosity, especially when compared to apt or yum in the Linux world.

In the Windows 7 / Server 2012 days I used to just tail C:\Windows\WindowsUpdate.log and watch the update process, especially when troubleshooting, or when updates were hanging on install. Nowadays if you open that file, you get the following message:

Windows Update logs are now generated using ETW (Event Tracing for Windows).
Please run the Get-WindowsUpdateLog PowerShell command to convert ETW traces into a readable WindowsUpdate.log.

For more information, please visit https://go.microsoft.com/fwlink/?LinkId=518345

As we can see, Microsoft have ditched text based logging in favour of ETW based logging. The link provided takes you to an article on Windows Update log files which lists out the various log files and what they do. If you want a concise log that is the same as what you got in Server 2012, then you have to run Get-WindowsUpdateLog which will spit out that familiar log file. This is no good in my situation, as that generated log file would be for the point in time it was generated, not a dynamically updated log file being written to during updates.

Since I don’t care really about the log contents and I just want to see some verbosity in the update process while its happening, I went through the other logs listed and came across the CBS log. CBS stands for Component based servicing and it provides output on update installation…. great!

When reviewing the log, I identified that the lines containing the strings Appl and FOD make up the majority of the hundreds, or thousands of entries, when running a tail. I filtered these out and it seems that what’s left is mostly operational logging to do with the update engine. Since my goal is to watch Windows Update progress to ensure something is happening, I wrote a quick PowerShell one liner:

Get-Content -Path $env:WinDir\Logs\CBS\CBS.log -Tail 10 -Wait | Select-String -Pattern 'Appl:|FOD:' -NotMatch

This command will get last 10 lines of the CBS log file, wait for new entries to be written, filter out Appl and FOD and write the results to the console.

If I want to get more details after patching is complete, I can always run Get-WindowsUpdateLog.

This may stop working at any point of course if Microsoft change something, but for now, it gives me peace knowing that the update stuck at 23% for 47 minutes is actually being installed and I’m not about to have a long night… or not too long anyway.

Thanks for reading – Jesse

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s