Microsoft-Windows-WindowsUpdateClient

69 events across 3 channels

Event ID	Title	Channel
16	Unable to Connect: Windows is unable to connect to the automatic updates service …	System
17	Installation Ready: The following updates are downloaded and ready for …	System
18	Installation Ready: The following updates are downloaded and ready for …	System
19	Installation Successful: Windows successfully installed the following update.	System
20	Installation Failure: Windows failed to install the following update with error …	System
21	Restart Required: To complete the installation of the following updates, the …	System
22	Restart Required: To complete the installation of the following updates, the …	System
23	Uninstallation Successful: Windows successfully uninstalled the following …	System
24	Uninstallation Failure: Windows failed to uninstall the following update with …	System
25	Windows Update failed to check for updates with error %1.	Operational
26	Windows Update successfully found %1 updates.	Operational
27	Automatic Updates is now paused.	System
28	Automatic Updates is now resumed.	System
29	Windows Update lost connectivity.	Operational
30	Windows Update established connectivity.	Operational
31	Windows Update failed to download an update.	Operational
32	Windows Update cannot connect to the server.	System
33	Windows Update was unable to connect to proxy server %1 because valid …	System
34	The Windows Update Client Core component failed to install a self-update with …	Operational
35	The Windows Update Client Auxillary component failed to install a self-update …	Operational
36	The Windows Update Client Core component was successfully updated from version …	Operational
37	The Windows Update Client Auxillary was successfully updated from version %1 to …	Operational
38	Windows Update received a service stop request.	Operational
39	Windows Update received a service shutdown request.	Operational
40	An update was detected.	Operational
41	An update was downloaded.	Operational
42	There has been a change in the health of Windows Update.	Operational
43	Installation Started: Windows has started installing the following update.	System
44	Windows Update started downloading an update.	System
101		Analytic
102		Analytic
103		Analytic
104		Analytic
105		Analytic
106		Analytic
107		Analytic
108		Analytic
109		Analytic
110		Analytic
111		Analytic
112		Analytic
113		Analytic
114		Analytic
115		Analytic
116		Analytic
118		Analytic
119		Analytic
120		Analytic
121		Analytic
122		Analytic
123		Analytic
124		Analytic
125		Analytic
126		Analytic
127		Analytic
128		Analytic
129		Analytic
130		Analytic
131		Analytic
209		Analytic
210		Analytic
211		Analytic
212	Revert Successful: Windows successfully reverted the following update.	System
213	Revert Failure: Windows failed to revert the following update with error %1: %2.	System
214	Revert Started: Windows has started reverting the following update.	System
215	Uninstallation started: Windows has started uninstallnig the following update.	System
216	Commit Successful: Windows successfully committed the following update.	System
217	Commit Failure: Windows failed to commit the following update with error %1: %2.	System
218	Commit Started: Windows has started committing the following update.	System

Event ID 16 — Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the...

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: System

Message

Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Sigma Rules

Windows Update Error
Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.

Event ID 17 — Installation Ready: The following updates are downloaded and ready for installation.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: System
Level: 4
Samples: 1

Message

Installation Ready: The following updates are downloaded and ready for installation. To install the updates, an administrator should log on to this computer and Windows will prompt with further instructions: %1

Fields

Name	Description
`updatelist`	—

Example Event

system:
  provider: Microsoft-Windows-WindowsUpdateClient
  guid: 945A8954-C147-4ACD-923F-40C45405A658
  event_source_name: ''
  event_id: 17
  version: 0
  level: 4
  task: 2
  opcode: 12
  keywords: 9223372036854775828
  time_created: '2016-09-20T12:50:52.357570Z'
  event_record_id: 8223
  correlation: {}
  execution:
    process_id: 908
    thread_id: 3440
  channel: System
  computer: IE10Win7
  security:
    user_id: S-1-5-18
user_data:
  updatelist:
    '#attributes':
      xmlns:auto-ns3: http://schemas.microsoft.com/win/2004/08/events
      xmlns: http://manifests.microsoft.com/win/2004/08/windows/eventlog
    '#text': '

      - Definition Update for Windows Defender - KB915597 (Definition 1.227.2715.0)'

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 18 — Installation Ready: The following updates are downloaded and ready for installation.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: System
Level: 4
Samples: 1

Message

Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on %1 at %2: %3

Fields

Name	Description
`schedinstalldate`	—
`schedinstalltime`	—
`updatelist`	—

Example Event

system:
  provider: Microsoft-Windows-WindowsUpdateClient
  guid: 945A8954-C147-4ACD-923F-40C45405A658
  event_source_name: ''
  event_id: 18
  version: 0
  level: 4
  task: 2
  opcode: 12
  keywords: 9223372036854775828
  time_created: '2013-10-23T16:30:45.848500Z'
  event_record_id: 427
  correlation: {}
  execution:
    process_id: 916
    thread_id: 1220
  channel: System
  computer: IE8Win7
  security:
    user_id: S-1-5-18
event_data:
  schedinstalldate: ‎Thursday, ‎October ‎24, ‎2013
  schedinstalltime: 3:00 AM
  updatelist: '

    - Security Update for Windows 7 (KB979309)'

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 19 — Installation Successful: Windows successfully installed the following update.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: System
Level: 4
Samples: 1

Message

Installation Successful: Windows successfully installed the following update: %1

Fields

Name	Description
`updateTitle`	—
`updateGuid`	—
`updateRevisionNumber`	—
`serviceGuid`	—

Example Event

system:
  provider: Microsoft-Windows-WindowsUpdateClient
  guid: 945A8954-C147-4ACD-923F-40C45405A658
  event_source_name: ''
  event_id: 19
  version: 1
  level: 4
  task: 1
  opcode: 13
  keywords: 9223372036854775832
  time_created: '2023-11-06T01:42:44.375524+00:00'
  event_record_id: 2172
  correlation:
    ActivityID: E4DB489E-1037-0002-14D2-F0E43710DA01
  execution:
    process_id: 18812
    thread_id: 1728
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  updateTitle: 9NCBCSZSJRSB-SpotifyAB.SpotifyMusic
  updateGuid: D8A73235-4C83-49DE-B455-6ED151F874F8
  updateRevisionNumber: 1
  serviceGuid: 855E8A7C-ECB4-4CA3-B045-1DFA50104289
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 20 — Installation Failure: Windows failed to install the following update with error %1: %2.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: System
Level: 2
Samples: 1

Message

Installation Failure: Windows failed to install the following update with error %1: %2.

Fields

Name	Description
`errorCode`	—
`updateTitle`	—
`updateGuid`	—
`updateRevisionNumber`	—
`serviceGuid`	—

Example Event

system:
  provider: Microsoft-Windows-WindowsUpdateClient
  guid: 945A8954-C147-4ACD-923F-40C45405A658
  event_source_name: ''
  event_id: 20
  version: 1
  level: 2
  task: 1
  opcode: 13
  keywords: 9223372036854775848
  time_created: '2022-04-07T08:22:10.869049+00:00'
  event_record_id: 829
  correlation: {}
  execution:
    process_id: 4952
    thread_id: 6860
  channel: System
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  errorCode: '0x8024200b'
  updateTitle: VMware, Inc. - System - 9.8.18.0
  updateGuid: B5857A80-FD07-4A9D-9ADF-2A3A6DB94B7E
  updateRevisionNumber: 1
  serviceGuid: 8B24B027-1DEE-BABB-9A95-3517DFB9C552
message: ''

Sigma Rules

Windows Update Error
Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 21 — Restart Required: To complete the installation of the following updates, the computer must be restarted.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: System
Level: 4
Samples: 1

Message

Restart Required: To complete the installation of the following updates, the computer must be restarted. Until this computer has been restarted, Windows cannot search for or download new updates: %1

Fields

Name	Description
`updatelist`	—

Example Event

system:
  provider: Microsoft-Windows-WindowsUpdateClient
  guid: 945A8954-C147-4ACD-923F-40C45405A658
  event_source_name: ''
  event_id: 21
  version: 0
  level: 4
  task: 2
  opcode: 15
  keywords: 9223372036854775872
  time_created: '2013-10-23T17:27:37.645375Z'
  event_record_id: 832
  correlation: {}
  execution:
    process_id: 916
    thread_id: 700
  channel: System
  computer: IE8Win7
  security:
    user_id: S-1-5-18
user_data:
  updatelist:
    '#attributes':
      xmlns:auto-ns3: http://schemas.microsoft.com/win/2004/08/events
      xmlns: http://manifests.microsoft.com/win/2004/08/windows/eventlog
    '#text': '

      - Update for Windows 7 (KB2502285)

      - Security Update for Windows 7 (KB2790113)

      - Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 x86 (KB2604114)

      - Update for Windows 7 (KB2779562)

      - Update for Windows 7 (KB2387530)

      - Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 x86 (KB2756920)

      - Update for Windows 7 (KB2541014)

      - Update for Windows 7 (KB2533552)

      - Security Update for Windows 7 (KB2691442)

      - Security Update for Windows 7 (KB979688)

      - Update for Windows 7 (KB979538)

      - Security Update for Windows 7 (KB2511455)

      - Security Update for Windows 7 (KB2506212)

      - Security Update for Windows 7 (KB979309)

      - Update for Windows 7 (KB2748349)

      - Security Update for Windows 7 (KB2658846)

      - Update for Rights Management Services Client for Windows 7 (KB979099)

      - Update for Windows 7 (KB2640148)

      - Security Update for Windows 7 (KB2442962)

      - Security Update for Windows 7 (KB2281679)

      - Security Update for Windows 7 (KB2712808)

      - Update for Windows 7 (KB2467023)

      - Update f'

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 22 — Restart Required: To complete the installation of the following updates, the computer will be restarted within %1 minutes: %2.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: System
Level: 4
Samples: 1

Message

Restart Required: To complete the installation of the following updates, the computer will be restarted within %1 minutes: %2

Fields

Name	Description
`restarttime`	—
`updatelist`	—

Example Event

system:
  provider: Microsoft-Windows-WindowsUpdateClient
  guid: 945A8954-C147-4ACD-923F-40C45405A658
  event_source_name: ''
  event_id: 22
  version: 0
  level: 4
  task: 2
  opcode: 15
  keywords: 9223372036854775872
  time_created: '2016-08-20T16:04:47.930031Z'
  event_record_id: 6399
  correlation: {}
  execution:
    process_id: 876
    thread_id: 1932
  channel: System
  computer: IE10Win7
  security:
    user_id: S-1-5-18
event_data:
  restarttime: '15'
  updatelist: '

    - Security Update for Windows 7 (KB3042058)'

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 23 — Uninstallation Successful: Windows successfully uninstalled the following update.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: System

Message

Uninstallation Successful: Windows successfully uninstalled the following update: %1

Fields

Name	Description
`updateTitle`	—
`updateGuid`	—
`updateRevisionNumber`	—
`serviceGuid`	—

Event ID 24 — Uninstallation Failure: Windows failed to uninstall the following update with error %1: %2.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: System

Message

Uninstallation Failure: Windows failed to uninstall the following update with error %1: %2

Fields

Name	Description
`errorCode`	—
`updatelist`	—
`updateGuid`	—
`updateRevisionNumber`	—
`serviceGuid`	—

Sigma Rules

Windows Update Error
Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.

Event ID 25 — Windows Update failed to check for updates with error %1.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Operational

Message

Windows Update failed to check for updates with error %1.

Fields

Name	Description
`errorCode`	—
`serviceGuid`	—

Event ID 26 — Windows Update successfully found %1 updates.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Operational
Level: 4
Samples: 1

Message

Windows Update successfully found %1 updates.

Fields

Name	Description
`updateCount`	—
`serviceGuid`	—

Example Event

system:
  provider: Microsoft-Windows-WindowsUpdateClient
  guid: 945A8954-C147-4ACD-923F-40C45405A658
  event_source_name: ''
  event_id: 26
  version: 1
  level: 4
  task: 1
  opcode: 11
  keywords: 4611686018427387922
  time_created: '2023-11-06T01:39:17.045430+00:00'
  event_record_id: 59
  correlation: {}
  execution:
    process_id: 18812
    thread_id: 21064
  channel: Microsoft-Windows-WindowsUpdateClient/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  updateCount: 2
  serviceGuid: 855E8A7C-ECB4-4CA3-B045-1DFA50104289
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 27 — Automatic Updates is now paused.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: System
Level: 4
Samples: 1

Message

Automatic Updates is now paused.

Example Event

system:
  provider: Microsoft-Windows-WindowsUpdateClient
  guid: 945A8954-C147-4ACD-923F-40C45405A658
  event_source_name: ''
  event_id: 27
  version: 0
  level: 4
  task: 1
  opcode: 16
  keywords: 9223372036854775936
  time_created: '2013-10-23T17:27:37.707875Z'
  event_record_id: 833
  correlation: {}
  execution:
    process_id: 916
    thread_id: 700
  channel: System
  computer: IE8Win7
  security:
    user_id: S-1-5-18
event_data: {}

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 28 — Automatic Updates is now resumed.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: System
Level: 4
Samples: 1

Message

Automatic Updates is now resumed.

Example Event

system:
  provider: Microsoft-Windows-WindowsUpdateClient
  guid: 945A8954-C147-4ACD-923F-40C45405A658
  event_source_name: ''
  event_id: 28
  version: 0
  level: 4
  task: 1
  opcode: 16
  keywords: 9223372036854775936
  time_created: '2014-11-25T22:35:30.778875Z'
  event_record_id: 3655
  correlation: {}
  execution:
    process_id: 840
    thread_id: 1460
  channel: System
  computer: IE8Win7
  security:
    user_id: S-1-5-18
event_data: {}

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 29 — Windows Update lost connectivity.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Operational

Message

Windows Update lost connectivity.

Event ID 30 — Windows Update established connectivity.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Operational

Message

Windows Update established connectivity.

Event ID 31 — Windows Update failed to download an update.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Operational
Level: 2
Samples: 1

Message

Windows Update failed to download an update.

Fields

Name	Description
`updateTitle`	—
`errorCode`	—
`updateGuid`	—
`updateRevisionNumber`	—

Example Event

system:
  provider: Microsoft-Windows-WindowsUpdateClient
  guid: 945A8954-C147-4ACD-923F-40C45405A658
  event_source_name: ''
  event_id: 31
  version: 1
  level: 2
  task: 1
  opcode: 12
  keywords: 4611686018427387940
  time_created: '2022-04-07T08:33:16.220136+00:00'
  event_record_id: 14
  correlation: {}
  execution:
    process_id: 4864
    thread_id: 3684
  channel: Microsoft-Windows-WindowsUpdateClient/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  updateTitle: 2022-03 Cumulative Update for Microsoft server operating system version
    21H2 for x64-based Systems (KB5011558)
  errorCode: '0xc1900401'
  updateGuid: B5CA12E1-1491-494D-9A17-229D1C97ED05
  updateRevisionNumber: 1
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 32 — Windows Update cannot connect to the server.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: System

Message

Windows Update cannot connect to the server. Please check the connection to server %1.

Fields

Name	Description
`serverName`	—

Event ID 33 — Windows Update was unable to connect to proxy server %1 because valid credentials (user name and password) were required, but were either not avail...

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: System

Message

Windows Update was unable to connect to proxy server %1 because valid credentials (user name and password) were required, but were either not available or were incorrect. Please check your proxy credentials, and then try searching again for updates.

Fields

Name	Description
`serverName`	—

Event ID 34 — The Windows Update Client Core component failed to install a self-update with error %1.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Operational

Message

The Windows Update Client Core component failed to install a self-update with error %1.

Fields

Name	Description
`errorCode`	—

Event ID 35 — The Windows Update Client Auxillary component failed to install a self-update with error %1.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Operational

Message

The Windows Update Client Auxillary component failed to install a self-update with error %1.

Fields

Name	Description
`errorCode`	—

Event ID 36 — The Windows Update Client Core component was successfully updated from version %1 to version %2.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Operational

Message

The Windows Update Client Core component was successfully updated from version %1 to version %2.

Fields

Name	Description
`version1`	—
`version2`	—

Event ID 37 — The Windows Update Client Auxillary was successfully updated from version %1 to version %2.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Operational

Message

The Windows Update Client Auxillary was successfully updated from version %1 to version %2.

Fields

Name	Description
`version1`	—
`version2`	—

Event ID 38 — Windows Update received a service stop request.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Operational

Message

Windows Update received a service stop request.

Event ID 39 — Windows Update received a service shutdown request.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Operational

Message

Windows Update received a service shutdown request.

Event ID 40 — An update was detected.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Operational

Message

An update was detected.

Fields

Name	Description
`updateGuid`	—
`updateRevisionNumber`	—
`serviceGuid`	—

Event ID 41 — An update was downloaded.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Operational
Level: 4
Samples: 1

Message

An update was downloaded.

Fields

Name	Description
`updateTitle`	—
`updateGuid`	—
`updateRevisionNumber`	—

Example Event

system:
  provider: Microsoft-Windows-WindowsUpdateClient
  guid: 945A8954-C147-4ACD-923F-40C45405A658
  event_source_name: ''
  event_id: 41
  version: 1
  level: 4
  task: 1
  opcode: 12
  keywords: 4611686018427387924
  time_created: '2023-11-06T01:42:12.437587+00:00'
  event_record_id: 61
  correlation: {}
  execution:
    process_id: 18812
    thread_id: 21064
  channel: Microsoft-Windows-WindowsUpdateClient/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  updateTitle: 9NCBCSZSJRSB-SpotifyAB.SpotifyMusic
  updateGuid: D8A73235-4C83-49DE-B455-6ED151F874F8
  updateRevisionNumber: 1
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 42 — There has been a change in the health of Windows Update.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Operational

Message

There has been a change in the health of Windows Update.

Fields

Name	Description
`hc_stateid`	—
`restartDate`	—
`restartTime`	—

Event ID 43 — Installation Started: Windows has started installing the following update.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: System
Level: 4
Samples: 1

Message

Installation Started: Windows has started installing the following update: %1

Fields

Name	Description
`updateTitle`	—
`updateGuid`	—
`updateRevisionNumber`	—

Example Event

system:
  provider: Microsoft-Windows-WindowsUpdateClient
  guid: 945A8954-C147-4ACD-923F-40C45405A658
  event_source_name: ''
  event_id: 43
  version: 1
  level: 4
  task: 1
  opcode: 13
  keywords: 9223372036854784008
  time_created: '2023-11-06T01:42:37.654583+00:00'
  event_record_id: 2171
  correlation:
    ActivityID: E4DB489E-1037-0002-37CE-F0E43710DA01
  execution:
    process_id: 18812
    thread_id: 1728
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  updateTitle: 9NCBCSZSJRSB-SpotifyAB.SpotifyMusic
  updateGuid: D8A73235-4C83-49DE-B455-6ED151F874F8
  updateRevisionNumber: 1
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 44 — Windows Update started downloading an update.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: System
Level: 4
Samples: 1

Message

Windows Update started downloading an update.

Fields

Name	Description
`updateTitle`	—
`updateGuid`	—
`updateRevisionNumber`	—

Example Event

system:
  provider: Microsoft-Windows-WindowsUpdateClient
  guid: 945A8954-C147-4ACD-923F-40C45405A658
  event_source_name: ''
  event_id: 44
  version: 1
  level: 4
  task: 1
  opcode: 12
  keywords: 9223372036854784004
  time_created: '2023-11-06T01:40:33.103900+00:00'
  event_record_id: 2165
  correlation: {}
  execution:
    process_id: 18812
    thread_id: 21064
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  updateTitle: 9NCBCSZSJRSB-SpotifyAB.SpotifyMusic
  updateGuid: D8A73235-4C83-49DE-B455-6ED151F874F8
  updateRevisionNumber: 1
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 101 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`CallInternalId`	—

Event ID 102 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`CallInternalId`	—
`callerAppName`	—
`searchCriteria`	—
`packedScanData`	—
`clientVersion`	—

Event ID 103 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`updateGuid`	—

Event ID 104 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`updateGuid`	—
`updateId`	—
`bytesTransferred`	—

Event ID 105 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`updateGuid`	—

Event ID 106 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`updateGuid`	—
`callerAppName`	—
`updateId`	—
`packedInstallData`	—
`handlerResultCode`	—

Event ID 107 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`CallInternalId`	—
`callerAppName`	—
`searchCriteria`	—
`packedScanData`	—
`resultCode`	—

Event ID 108 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`CallInternalId`	—
`callerAppName`	—
`searchCriteria`	—
`packedScanData`	—
`clientVersion`	—

Event ID 109 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`updateGuid`	—
`updateId`	—
`bytesTransferred`	—
`resultCode`	—

Event ID 110 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`updateGuid`	—
`updateId`	—
`bytesTransferred`	—

Event ID 111 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`updateGuid`	—
`callerAppName`	—
`updateId`	—
`packedInstallData`	—
`handlerResultCode`	—

Event ID 112 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`updateGuid`	—
`callerAppName`	—
`updateId`	—
`packedInstallData`	—
`handlerResultCode`	—

Event ID 113 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Event ID 114 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Event ID 115 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Event ID 116 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Event ID 118 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`updateGuid`	—
`updateId`	—
`bytesTransferred`	—

Event ID 119 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`CallInternalId`	—

Event ID 120 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`CallInternalId`	—
`callerAppName`	—
`searchCriteria`	—
`packedScanData`	—
`clientVersion`	—

Event ID 121 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`CallInternalId`	—
`callerAppName`	—
`searchCriteria`	—
`packedScanData`	—
`resultCode`	—

Event ID 122 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`updateGuid`	—

Event ID 123 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`updateGuid`	—
`callerAppName`	—
`updateId`	—
`packedInstallData`	—
`handlerResultCode`	—

Event ID 124 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`updateGuid`	—
`callerAppName`	—
`updateId`	—
`packedInstallData`	—
`handlerResultCode`	—

Event ID 125 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`CallInternalId`	—

Event ID 126 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`CallInternalId`	—
`callerAppName`	—
`searchCriteria`	—
`packedScanData`	—
`clientVersion`	—

Event ID 127 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`CallInternalId`	—
`callerAppName`	—
`searchCriteria`	—
`packedScanData`	—
`resultCode`	—

Event ID 128 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`CallInternalId`	—

Event ID 129 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`CallInternalId`	—

Event ID 130 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`CallInternalId`	—

Event ID 131 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`CallInternalId`	—

Event ID 209 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`pdcActivationId`	—
`description`	—
`accessType`	—
`isInteractiveOrAPIDriven`	—
`stopIdleTimer`	—
`networkRefCount`	—
`systemRefCount`	—

Event ID 210 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`pdcActivationId`	—
`description`	—
`accessType`	—
`isInteractiveOrAPIDriven`	—
`stopIdleTimer`	—
`networkRefCount`	—
`systemRefCount`	—

Event ID 211 —

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: Analytic

Fields

Name	Description
`pdcActivationId`	—
`description`	—
`accessType`	—
`isInteractiveOrAPIDriven`	—
`stopIdleTimer`	—
`networkRefCount`	—
`systemRefCount`	—

Event ID 212 — Revert Successful: Windows successfully reverted the following update.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: System

Message

Revert Successful: Windows successfully reverted the following update: %1

Fields

Name	Description
`updateTitle`	—
`updateGuid`	—
`updateRevisionNumber`	—
`serviceGuid`	—

Event ID 213 — Revert Failure: Windows failed to revert the following update with error %1: %2.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: System

Message

Revert Failure: Windows failed to revert the following update with error %1: %2

Fields

Name	Description
`errorCode`	—
`updatelist`	—
`updateGuid`	—
`updateRevisionNumber`	—

Sigma Rules

Windows Update Error
Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.

Event ID 214 — Revert Started: Windows has started reverting the following update.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: System

Message

Revert Started: Windows has started reverting the following update: %1

Fields

Name	Description
`updateTitle`	—
`updateGuid`	—
`updateRevisionNumber`	—

Event ID 215 — Uninstallation started: Windows has started uninstallnig the following update.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: System

Message

Uninstallation started: Windows has started uninstallnig the following update: %1

Fields

Name	Description
`updateTitle`	—
`updateGuid`	—
`updateRevisionNumber`	—

Event ID 216 — Commit Successful: Windows successfully committed the following update.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: System

Message

Commit Successful: Windows successfully committed the following update: %1

Fields

Name	Description
`updateTitle`	—
`updateGuid`	—
`updateRevisionNumber`	—
`serviceGuid`	—

Event ID 217 — Commit Failure: Windows failed to commit the following update with error %1: %2.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: System

Message

Commit Failure: Windows failed to commit the following update with error %1: %2

Fields

Name	Description
`errorCode`	—
`updatelist`	—
`updateGuid`	—
`updateRevisionNumber`	—

Sigma Rules

Windows Update Error
Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.

Event ID 218 — Commit Started: Windows has started committing the following update.

Provider: Microsoft-Windows-WindowsUpdateClient
Channel: System

Message

Commit Started: Windows has started committing the following update: %1

Fields

Name	Description
`updateTitle`	—
`updateGuid`	—
`updateRevisionNumber`	—