Event Logs

The Windows Event Log is another useful place to go to for a quick investigation into AU installations, pending installations, or client reboots. The AU client logs everything to the System Event log under one of two Event Log sources:

■ Windows Update Agent

■ NtServicePack

Windows Update Agent

You can use your Event log file to filter by "source," and to show only one of the three event sources at a time. If you are filtering using Windows Update Agent, you will probably see many events relating to the successful installation of an update, and whether or not that update required a reboot. Figure 7.25 shows an Event ID 22 displaying a successful installation requiring a reboot, which will take place in the default setting of 5 minutes.

Figure 7.25 Computer Will Restart in 5 Minutes

Event Properties

Event J


9^25/2005 Source: Windows Update Agent

12:21:3S AM Category: Installation

Information Event ID; 22 N/A

Computer; XPNQSP Description:

Restart Required: To complete Ihe installation of Ihe following updates, ihe compute* will be restarted within 5 minutes:

• Security Update for Windows XP (KB890859)

• Security U pdafe for Windows XP (KB 391711 )

• Security Update foe Windows XP (KB371250)

• Security U pdate fee Windows XP (KB 393086)

■ Cumulative Security Update for Internet Explorer G Service Pack 1

(KB 896727)

Security U pdate foe Windows XP (KB 893588) Data; ff Bytes C Words

0000: S7 69 6e 33 32 48 SZ 6S 0008: 73 7S 6c 74 3d 30 78 30 0010: 30 30 30 30 30 30 30 20

Win32HRe suit. = 0x0 0000000


The Event ID is a good place to search when investigating a computer reboot. Another place to look for a computer restart is in the System Event log. Search for "Event ID 6006" in conjunction with "Event ID 6005," with significant time lapses in between. This event shows the stopping and starting of the Event log, and is always shown after a machine is restarted.

Event ID 18 shows that an update has been downloaded and is pending installation. It also shows the scheduled installation's date and time. Event ID 19 shows the successful installation of an update. Event 21 shows a successful installation that was unable to restart due to a logged-on administrator. This event warns you that until the computer is restarted, the updates have not taken effect and your computer is still vulnerable.

Best Practices According to Microsoft

■ If you decide not to reboot your computers after you install critical- or security-related updates, your computer will not be patched yet and will still be vulnerable to bugs. Event ID 21 warns you if the computer is set to not reboot.

■ It is recommended that reboots be scheduled after critical- or security-related installations occur, by using either the AU option to reboot or by generating a custom reboot script.

Some Independent Advice_

Be forewarned when using the Deadlines feature for approving AUs for your clients. Although your servers may be set to download and install updates during downtime hours, if you schedule a deadline for an update in the middle of the day, that installation will override all client settings and possibly reboot your server during production hours. Be sure you have downtime approved before using Deadlines during production hours

If the AU client could not contact your WSUS server, you may see an Event ID 16 (see Figure 7.26), which may be an indication that there is a problem with that client's network card.

If you only see this error on one client, check the following:

■ Make sure that the client has the correct WSUS URL for the WSUS server that is configured.

■ Make sure that the client is pointed to the correct DNS server, and that it can successfully ping and resolve the WSUS server by name.

■ Test to see if the client can get to any other servers or URLs.

■ Use the ClientDiag.exe tool to troubleshoot further.

Figure 7.26 AU Client Unable to Connect to WSUS Server Error

Figure 7.26 AU Client Unable to Connect to WSUS Server Error


The NtServicePack Event Source is used to show specific Microsoft "hotfixes" that have been successfully installed. Service Packs fall under this category and result in an Event ID 4363. Successful hotfix installations show Event ID 4377. The following are examples of a failed installation and the correlating Event IDs:

■ Event ID 4373 Signifies that a signature was not present in the subject of a particular hotfix installation.

■ Event ID 4367 Signifies a failed installation with a warning stating that the machine is only partially updating. A log file called xpsp1htm.log is created for more detailed investigation and can be located under the %windir% directory.

Was this article helpful?

0 0


  • Robel
    How to check system restart log in windows 2012 server?
    3 years ago
  • Crassus Galbassi
    How to check windows update server logs?
    7 months ago
  • Monika
    How to have wsus componenet use event log?
    6 months ago
    When we restart a service what it shows in event logs on windows servers?
    2 months ago

Post a comment