In Part 3 we looked at the architecture that Windows uses to process updates and service the operating system (OS).

In Part 4 we’ll take a look at the CBS logs and how to read them. This should help you understand how processing takes place when updates are available for deployment.

Tip: I would recommend using Notepad++ to help analyse the CBS logs.

Starting

If you are new to this, the best place to start is to install an update on a test computer. A monthly cumulative update for Windows will do.

  1. Open the Windows Event Logs and browse to the Setup log
  2. Use the Find option to track the update that has been installed

In the example below I’ve searched for KB4571756. You’ll notice 3 events:

  • Package KB4571756 was successfully changed to the Installed state. (3rd Event)
  • A reboot is necessary before package KB4571756 can be changed to the Installed state. (2nd Event)
  • Initiating changes for package KB4571756. Current state is Absent. Target state is Installed. Client id: UpdateAgentLCU. (1st Event)

There are a few useful statements in the logs that are worth taking note of:

  • Current state is Absent – This means that when the update has been passed to the CBS it has been evaluated and confirmed as not installed
  • Target state is Installed – This means the desired state of the update is to be installed
  • Client id: UpdateAgentLCU – This is the type of update handler that passed the update into CBS

CBS Log

Now that you have located the update in the Setup log, you can cross-reference the update and its timestamps in the CBS logs to track the activity. This can be useful in troubleshooting scenarios.

  1. Open the CBS.log located at C:\Windows\Logs\CBS
  2. From the Setup Log we can see that an install of KB4571756 was attempted at 9/9/2020 6:49:52 AM
  3. From the Setup Log at 9/9/2020 6:56:49 AM we can see that a reboot was required to complete the install
  4. In Notepad++, press Ctrl+F to search the log
  5. Type: exec: proc. This will find the processing cycles for updates and show the Started and Completed phases
  6. Use the Notepad++ option Find All in Current Document

Below you can see that the timestamps from the Setup Log are correlated successfully in the CBS logs.
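The same correlation can be scripted. The PowerShell below is an added example, not part of the original walkthrough: it pulls the Setup log events that mention the KB and lists the "exec: proc" lines in CBS.log that fall close to each event. The two-minute window and the assumed CBS.log timestamp layout (local time, "yyyy-MM-dd HH:mm:ss," at the start of each line) are assumptions of this example.

```powershell
# Added example: correlate Setup log events for one update with CBS.log processing cycles.
$Kb         = 'KB4571756'                      # update used in the article
$CbsLog     = 'C:\Windows\Logs\CBS\CBS.log'    # location given in the article
$WindowMins = 2                                # assumption: tolerance either side of each event

# Setup log events whose message mentions the KB, oldest first.
$events = Get-WinEvent -LogName Setup -ErrorAction Stop |
    Where-Object { $_.Message -match [regex]::Escape($Kb) } |
    Sort-Object TimeCreated

# CBS.log lines containing "exec: proc" (Select-String is case-insensitive by default).
# Assumption: each line starts with a local-time stamp "yyyy-MM-dd HH:mm:ss,".
$cycles = Select-String -Path $CbsLog -Pattern 'exec: proc' -SimpleMatch |
    ForEach-Object {
        if ($_.Line -match '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),') {
            $stamp = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            [pscustomobject]@{
                Time       = $stamp
                LineNumber = $_.LineNumber
                Text       = $_.Line.Trim()
            }
        }
    }

# For each Setup event, print the CBS lines that fall inside the time window.
foreach ($e in $events) {
    '{0:yyyy-MM-dd HH:mm:ss}  Setup: {1}' -f $e.TimeCreated, $e.Message
    $near = $cycles | Where-Object {
        [math]::Abs(($_.Time - $e.TimeCreated).TotalMinutes) -le $WindowMins
    }
    if ($near) {
        $near | ForEach-Object { '    CBS.log line {0}: {1}' -f $_.LineNumber, $_.Text }
    } else {
        '    no "exec: proc" line within {0} minutes in {1}' -f $WindowMins, $CbsLog
    }
}
```

If an event reports no nearby line, point $CbsLog at a log extracted from an archived file and run it again.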

Tip: When the CBS log reaches a certain size, or after certain operations, it is archived to a CBS Persist file in the same directory. If the entries you are looking for are not in the primary CBS log, extract the logs from each CBS Persist file.

In Part 5 we’ll look through the CBS log in more detail based on this servicing operation