Microsoft-Windows-WindowsUpdateClient
69 events across 3 channels
Event ID 16 — Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the...
Event ID 17 — Installation Ready: The following updates are downloaded and ready for installation.
Fields
| Name | Type | Description |
|---|---|---|
| updatelist | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WindowsUpdateClient",
"guid": "945A8954-C147-4ACD-923F-40C45405A658",
"event_source_name": "",
"event_id": 17,
"version": 0,
"level": 4,
"task": 2,
"opcode": 12,
"keywords": 9223372036854775828,
"time_created": "2016-09-20T12:50:52.357570Z",
"event_record_id": 8223,
"correlation": {},
"execution": {
"process_id": 908,
"thread_id": 3440
},
"channel": "System",
"computer": "IE10Win7",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"updatelist": {
"#attributes": {
"xmlns:auto-ns3": "http://schemas.microsoft.com/win/2004/08/events",
"xmlns": "http://manifests.microsoft.com/win/2004/08/windows/eventlog"
},
"#text": "\n- Definition Update for Windows Defender - KB915597 (Definition 1.227.2715.0)"
}
}
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 18 — Installation Ready: The following updates are downloaded and ready for installation.
Description
Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on schedinstalldate at schedinstalltime: updatelist.
Fields
| Name | Type | Description |
|---|---|---|
| schedinstalldate | UnicodeString | — |
| schedinstalltime | UnicodeString | — |
| updatelist | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WindowsUpdateClient",
"guid": "945A8954-C147-4ACD-923F-40C45405A658",
"event_source_name": "",
"event_id": 18,
"version": 0,
"level": 4,
"task": 2,
"opcode": 12,
"keywords": 9223372036854775828,
"time_created": "2013-10-23T16:30:45.848500Z",
"event_record_id": 427,
"correlation": {},
"execution": {
"process_id": 916,
"thread_id": 1220
},
"channel": "System",
"computer": "IE8Win7",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"schedinstalldate": "Thursday, October 24, 2013",
"schedinstalltime": "3:00 AM",
"updatelist": "\n- Security Update for Windows 7 (KB979309)"
}
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 19 — Installation Successful: Windows successfully installed the following update: updateTitle.
Description
Installation Successful: Windows successfully installed the following update: updateTitle.
Fields
| Name | Type | Description |
|---|---|---|
| updateTitle | UnicodeString | — |
| updateGuid | GUID | — |
| updateRevisionNumber | UInt32 | — |
| serviceGuid | GUID | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WindowsUpdateClient",
"guid": "945A8954-C147-4ACD-923F-40C45405A658",
"event_source_name": "",
"event_id": 19,
"version": 1,
"level": 4,
"task": 1,
"opcode": 13,
"keywords": 9223372036854775832,
"time_created": "2023-11-06T01:42:44.375524+00:00",
"event_record_id": 2172,
"correlation": {
"ActivityID": "E4DB489E-1037-0002-14D2-F0E43710DA01"
},
"execution": {
"process_id": 18812,
"thread_id": 1728
},
"channel": "System",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"updateTitle": "9NCBCSZSJRSB-SpotifyAB.SpotifyMusic",
"updateGuid": "D8A73235-4C83-49DE-B455-6ED151F874F8",
"updateRevisionNumber": 1,
"serviceGuid": "855E8A7C-ECB4-4CA3-B045-1DFA50104289"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 20 — Installation Failure: Windows failed to install the following update with error errorCode: updateTitle.
Description
Installation Failure: Windows failed to install the following update with error errorCode: updateTitle.
Fields
| Name | Type | Description |
|---|---|---|
| errorCode | HexInt32 | — |
| updateTitle | UnicodeString | — |
| updateGuid | GUID | — |
| updateRevisionNumber | UInt32 | — |
| serviceGuid | GUID | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WindowsUpdateClient",
"guid": "945A8954-C147-4ACD-923F-40C45405A658",
"event_source_name": "",
"event_id": 20,
"version": 1,
"level": 2,
"task": 1,
"opcode": 13,
"keywords": 9223372036854775848,
"time_created": "2022-04-07T08:22:10.869049+00:00",
"event_record_id": 829,
"correlation": {},
"execution": {
"process_id": 4952,
"thread_id": 6860
},
"channel": "System",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"errorCode": "0x8024200b",
"updateTitle": "VMware, Inc. - System - 9.8.18.0",
"updateGuid": "B5857A80-FD07-4A9D-9ADF-2A3A6DB94B7E",
"updateRevisionNumber": 1,
"serviceGuid": "8B24B027-1DEE-BABB-9A95-3517DFB9C552"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 21 — Restart Required: To complete the installation of the following updates, the computer must be restarted.
Description
Restart Required: To complete the installation of the following updates, the computer must be restarted. Until this computer has been restarted, Windows cannot search for or download new updates: updatelist.
Fields
| Name | Type | Description |
|---|---|---|
| updatelist | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WindowsUpdateClient",
"guid": "945A8954-C147-4ACD-923F-40C45405A658",
"event_source_name": "",
"event_id": 21,
"version": 0,
"level": 4,
"task": 2,
"opcode": 15,
"keywords": 9223372036854775872,
"time_created": "2013-10-23T17:27:37.645375Z",
"event_record_id": 832,
"correlation": {},
"execution": {
"process_id": 916,
"thread_id": 700
},
"channel": "System",
"computer": "IE8Win7",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"updatelist": {
"#attributes": {
"xmlns:auto-ns3": "http://schemas.microsoft.com/win/2004/08/events",
"xmlns": "http://manifests.microsoft.com/win/2004/08/windows/eventlog"
},
"#text": "\n- Update for Windows 7 (KB2502285)\n- Security Update for Windows 7 (KB2790113)\n- Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 x86 (KB2604114)\n- Update for Windows 7 (KB2779562)\n- Update for Windows 7 (KB2387530)\n- Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 x86 (KB2756920)\n- Update for Windows 7 (KB2541014)\n- Update for Windows 7 (KB2533552)\n- Security Update for Windows 7 (KB2691442)\n- Security Update for Windows 7 (KB979688)\n- Update for Windows 7 (KB979538)\n- Security Update for Windows 7 (KB2511455)\n- Security Update for Windows 7 (KB2506212)\n- Security Update for Windows 7 (KB979309)\n- Update for Windows 7 (KB2748349)\n- Security Update for Windows 7 (KB2658846)\n- Update for Rights Management Services Client for Windows 7 (KB979099)\n- Update for Windows 7 (KB2640148)\n- Security Update for Windows 7 (KB2442962)\n- Security Update for Windows 7 (KB2281679)\n- Security Update for Windows 7 (KB2712808)\n- Update for Windows 7 (KB2467023)\n- Update f"
}
}
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 22 — Restart Required: To complete the installation of the following updates, the computer will be restarted within restarttime minutes: updatelist.
Description
Restart Required: To complete the installation of the following updates, the computer will be restarted within restarttime minutes: updatelist.
Fields
| Name | Type | Description |
|---|---|---|
| restarttime | UnicodeString | — |
| updatelist | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WindowsUpdateClient",
"guid": "945A8954-C147-4ACD-923F-40C45405A658",
"event_source_name": "",
"event_id": 22,
"version": 0,
"level": 4,
"task": 2,
"opcode": 15,
"keywords": 9223372036854775872,
"time_created": "2016-08-20T16:04:47.930031Z",
"event_record_id": 6399,
"correlation": {},
"execution": {
"process_id": 876,
"thread_id": 1932
},
"channel": "System",
"computer": "IE10Win7",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"restarttime": "15",
"updatelist": "\n- Security Update for Windows 7 (KB3042058)"
}
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 23 — Uninstallation Successful: Windows successfully uninstalled the following update: updateTitle.
Event ID 24 — Uninstallation Failure: Windows failed to uninstall the following update with error errorCode: updatelist.
Event ID 25 — Windows Update failed to check for updates with error errorCode.
Event ID 26 — Windows Update successfully found updateCount updates.
Description
Windows Update successfully found updateCount updates.
Fields
| Name | Type | Description |
|---|---|---|
| updateCount | UInt32 | — |
| serviceGuid | GUID | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WindowsUpdateClient",
"guid": "945A8954-C147-4ACD-923F-40C45405A658",
"event_source_name": "",
"event_id": 26,
"version": 1,
"level": 4,
"task": 1,
"opcode": 11,
"keywords": 4611686018427387922,
"time_created": "2023-11-06T01:39:17.045430+00:00",
"event_record_id": 59,
"correlation": {},
"execution": {
"process_id": 18812,
"thread_id": 21064
},
"channel": "Microsoft-Windows-WindowsUpdateClient/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"updateCount": 2,
"serviceGuid": "855E8A7C-ECB4-4CA3-B045-1DFA50104289"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 27 — Automatic Updates is now paused.
Description
Automatic Updates is now paused.
Example Event
{
"system": {
"provider": "Microsoft-Windows-WindowsUpdateClient",
"guid": "945A8954-C147-4ACD-923F-40C45405A658",
"event_source_name": "",
"event_id": 27,
"version": 0,
"level": 4,
"task": 1,
"opcode": 16,
"keywords": 9223372036854775936,
"time_created": "2013-10-23T17:27:37.707875Z",
"event_record_id": 833,
"correlation": {},
"execution": {
"process_id": 916,
"thread_id": 700
},
"channel": "System",
"computer": "IE8Win7",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {}
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 28 — Automatic Updates is now resumed.
Description
Automatic Updates is now resumed.
Example Event
{
"system": {
"provider": "Microsoft-Windows-WindowsUpdateClient",
"guid": "945A8954-C147-4ACD-923F-40C45405A658",
"event_source_name": "",
"event_id": 28,
"version": 0,
"level": 4,
"task": 1,
"opcode": 16,
"keywords": 9223372036854775936,
"time_created": "2014-11-25T22:35:30.778875Z",
"event_record_id": 3655,
"correlation": {},
"execution": {
"process_id": 840,
"thread_id": 1460
},
"channel": "System",
"computer": "IE8Win7",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {}
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 29 — Windows Update lost connectivity.
Description
Windows Update lost connectivity.
Event ID 30 — Windows Update established connectivity.
Description
Windows Update established connectivity.
Event ID 31 — Windows Update failed to download an update.
Description
Windows Update failed to download an update.
Fields
| Name | Type | Description |
|---|---|---|
| updateTitle | UnicodeString | — |
| errorCode | HexInt32 | — |
| updateGuid | GUID | — |
| updateRevisionNumber | UInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WindowsUpdateClient",
"guid": "945A8954-C147-4ACD-923F-40C45405A658",
"event_source_name": "",
"event_id": 31,
"version": 1,
"level": 2,
"task": 1,
"opcode": 12,
"keywords": 4611686018427387940,
"time_created": "2022-04-07T08:33:16.220136+00:00",
"event_record_id": 14,
"correlation": {},
"execution": {
"process_id": 4864,
"thread_id": 3684
},
"channel": "Microsoft-Windows-WindowsUpdateClient/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"updateTitle": "2022-03 Cumulative Update for Microsoft server operating system version 21H2 for x64-based Systems (KB5011558)",
"errorCode": "0xc1900401",
"updateGuid": "B5CA12E1-1491-494D-9A17-229D1C97ED05",
"updateRevisionNumber": 1
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 32 — Windows Update cannot connect to the server.
Event ID 33 — Windows Update was unable to connect to proxy server serverName because valid credentials (user name and password) were required, but were either not avail...
Event ID 34 — The Windows Update Client Core component failed to install a self-update with error errorCode.
Event ID 35 — The Windows Update Client Auxillary component failed to install a self-update with error errorCode.
Event ID 36 — The Windows Update Client Core component was successfully updated from version version1 to version version2.
Event ID 37 — The Windows Update Client Auxillary was successfully updated from version version1 to version version2.
Event ID 38 — Windows Update received a service stop request.
Description
Windows Update received a service stop request.
Event ID 39 — Windows Update received a service shutdown request.
Description
Windows Update received a service shutdown request.
Event ID 40 — An update was detected.
Event ID 41 — An update was downloaded.
Description
An update was downloaded.
Fields
| Name | Type | Description |
|---|---|---|
| updateTitle | UnicodeString | — |
| updateGuid | GUID | — |
| updateRevisionNumber | UInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WindowsUpdateClient",
"guid": "945A8954-C147-4ACD-923F-40C45405A658",
"event_source_name": "",
"event_id": 41,
"version": 1,
"level": 4,
"task": 1,
"opcode": 12,
"keywords": 4611686018427387924,
"time_created": "2023-11-06T01:42:12.437587+00:00",
"event_record_id": 61,
"correlation": {},
"execution": {
"process_id": 18812,
"thread_id": 21064
},
"channel": "Microsoft-Windows-WindowsUpdateClient/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"updateTitle": "9NCBCSZSJRSB-SpotifyAB.SpotifyMusic",
"updateGuid": "D8A73235-4C83-49DE-B455-6ED151F874F8",
"updateRevisionNumber": 1
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 42 — There has been a change in the health of Windows Update.
Event ID 43 — Installation Started: Windows has started installing the following update: updateTitle.
Description
Installation Started: Windows has started installing the following update: updateTitle.
Fields
| Name | Type | Description |
|---|---|---|
| updateTitle | UnicodeString | — |
| updateGuid | GUID | — |
| updateRevisionNumber | UInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WindowsUpdateClient",
"guid": "945A8954-C147-4ACD-923F-40C45405A658",
"event_source_name": "",
"event_id": 43,
"version": 1,
"level": 4,
"task": 1,
"opcode": 13,
"keywords": 9223372036854784008,
"time_created": "2023-11-06T01:42:37.654583+00:00",
"event_record_id": 2171,
"correlation": {
"ActivityID": "E4DB489E-1037-0002-37CE-F0E43710DA01"
},
"execution": {
"process_id": 18812,
"thread_id": 1728
},
"channel": "System",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"updateTitle": "9NCBCSZSJRSB-SpotifyAB.SpotifyMusic",
"updateGuid": "D8A73235-4C83-49DE-B455-6ED151F874F8",
"updateRevisionNumber": 1
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 44 — Windows Update started downloading an update.
Description
Windows Update started downloading an update.
Fields
| Name | Type | Description |
|---|---|---|
| updateTitle | UnicodeString | — |
| updateGuid | GUID | — |
| updateRevisionNumber | UInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WindowsUpdateClient",
"guid": "945A8954-C147-4ACD-923F-40C45405A658",
"event_source_name": "",
"event_id": 44,
"version": 1,
"level": 4,
"task": 1,
"opcode": 12,
"keywords": 9223372036854784004,
"time_created": "2023-11-06T01:40:33.103900+00:00",
"event_record_id": 2165,
"correlation": {},
"execution": {
"process_id": 18812,
"thread_id": 21064
},
"channel": "System",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"updateTitle": "9NCBCSZSJRSB-SpotifyAB.SpotifyMusic",
"updateGuid": "D8A73235-4C83-49DE-B455-6ED151F874F8",
"updateRevisionNumber": 1
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 101 —
Fields
| Name | Type | Description |
|---|---|---|
| CallInternalId | UInt32 | — |
Event ID 102 —
Fields
| Name | Type | Description |
|---|---|---|
| CallInternalId | UInt32 | — |
| callerAppName | UnicodeString | — |
| searchCriteria | UnicodeString | — |
| packedScanData | UInt32 | — |
| clientVersion | UInt32 | — |
Event ID 103 —
Fields
| Name | Type | Description |
|---|---|---|
| updateGuid | GUID | — |
Event ID 104 —
Fields
| Name | Type | Description |
|---|---|---|
| updateGuid | GUID | — |
| updateId | UnicodeString | — |
| bytesTransferred | UInt32 | — |
Event ID 105 —
Fields
| Name | Type | Description |
|---|---|---|
| updateGuid | GUID | — |
Event ID 106 —
Fields
| Name | Type | Description |
|---|---|---|
| updateGuid | GUID | — |
| callerAppName | UnicodeString | — |
| updateId | UnicodeString | — |
| packedInstallData | UInt32 | — |
| handlerResultCode | UInt32 | — |
Event ID 107 —
Fields
| Name | Type | Description |
|---|---|---|
| CallInternalId | UInt32 | — |
| callerAppName | UnicodeString | — |
| searchCriteria | UnicodeString | — |
| packedScanData | UInt32 | — |
| resultCode | UInt32 | — |
Event ID 108 —
Fields
| Name | Type | Description |
|---|---|---|
| CallInternalId | UInt32 | — |
| callerAppName | UnicodeString | — |
| searchCriteria | UnicodeString | — |
| packedScanData | UInt32 | — |
| clientVersion | UInt32 | — |
Event ID 109 —
Fields
| Name | Type | Description |
|---|---|---|
| updateGuid | GUID | — |
| updateId | UnicodeString | — |
| bytesTransferred | UInt32 | — |
| resultCode | UInt32 | — |
Event ID 110 —
Fields
| Name | Type | Description |
|---|---|---|
| updateGuid | GUID | — |
| updateId | UnicodeString | — |
| bytesTransferred | UInt32 | — |
Event ID 111 —
Fields
| Name | Type | Description |
|---|---|---|
| updateGuid | GUID | — |
| callerAppName | UnicodeString | — |
| updateId | UnicodeString | — |
| packedInstallData | UInt32 | — |
| handlerResultCode | UInt32 | — |
Event ID 112 —
Fields
| Name | Type | Description |
|---|---|---|
| updateGuid | GUID | — |
| callerAppName | UnicodeString | — |
| updateId | UnicodeString | — |
| packedInstallData | UInt32 | — |
| handlerResultCode | UInt32 | — |
Event ID 113 —
Event ID 114 —
Event ID 115 —
Event ID 116 —
Event ID 118 —
Fields
| Name | Type | Description |
|---|---|---|
| updateGuid | GUID | — |
| updateId | UnicodeString | — |
| bytesTransferred | UInt32 | — |
Event ID 119 —
Fields
| Name | Type | Description |
|---|---|---|
| CallInternalId | UInt32 | — |
Event ID 120 —
Fields
| Name | Type | Description |
|---|---|---|
| CallInternalId | UInt32 | — |
| callerAppName | UnicodeString | — |
| searchCriteria | UnicodeString | — |
| packedScanData | UInt32 | — |
| clientVersion | UInt32 | — |
Event ID 121 —
Fields
| Name | Type | Description |
|---|---|---|
| CallInternalId | UInt32 | — |
| callerAppName | UnicodeString | — |
| searchCriteria | UnicodeString | — |
| packedScanData | UInt32 | — |
| resultCode | UInt32 | — |
Event ID 122 —
Fields
| Name | Type | Description |
|---|---|---|
| updateGuid | GUID | — |
Event ID 123 —
Fields
| Name | Type | Description |
|---|---|---|
| updateGuid | GUID | — |
| callerAppName | UnicodeString | — |
| updateId | UnicodeString | — |
| packedInstallData | UInt32 | — |
| handlerResultCode | UInt32 | — |
Event ID 124 —
Fields
| Name | Type | Description |
|---|---|---|
| updateGuid | GUID | — |
| callerAppName | UnicodeString | — |
| updateId | UnicodeString | — |
| packedInstallData | UInt32 | — |
| handlerResultCode | UInt32 | — |
Event ID 125 —
Fields
| Name | Type | Description |
|---|---|---|
| CallInternalId | UInt32 | — |
Event ID 126 —
Fields
| Name | Type | Description |
|---|---|---|
| CallInternalId | UInt32 | — |
| callerAppName | UnicodeString | — |
| searchCriteria | UnicodeString | — |
| packedScanData | UInt32 | — |
| clientVersion | UInt32 | — |
Event ID 127 —
Fields
| Name | Type | Description |
|---|---|---|
| CallInternalId | UInt32 | — |
| callerAppName | UnicodeString | — |
| searchCriteria | UnicodeString | — |
| packedScanData | UInt32 | — |
| resultCode | UInt32 | — |
Event ID 128 —
Fields
| Name | Type | Description |
|---|---|---|
| CallInternalId | UInt32 | — |
Event ID 129 —
Fields
| Name | Type | Description |
|---|---|---|
| CallInternalId | UInt32 | — |
Event ID 130 —
Fields
| Name | Type | Description |
|---|---|---|
| CallInternalId | UInt32 | — |
Event ID 131 —
Fields
| Name | Type | Description |
|---|---|---|
| CallInternalId | UInt32 | — |
Event ID 209 —
Fields
| Name | Type | Description |
|---|---|---|
| pdcActivationId | UInt32 | — |
| description | UnicodeString | — |
| accessType | UInt8 | — |
| isInteractiveOrAPIDriven | Boolean | — |
| stopIdleTimer | Boolean | — |
| networkRefCount | UInt32 | — |
| systemRefCount | UInt32 | — |
Event ID 210 —
Fields
| Name | Type | Description |
|---|---|---|
| pdcActivationId | UInt32 | — |
| description | UnicodeString | — |
| accessType | UInt8 | — |
| isInteractiveOrAPIDriven | Boolean | — |
| stopIdleTimer | Boolean | — |
| networkRefCount | UInt32 | — |
| systemRefCount | UInt32 | — |
Event ID 211 —
Fields
| Name | Type | Description |
|---|---|---|
| pdcActivationId | UInt32 | — |
| description | UnicodeString | — |
| accessType | UInt8 | — |
| isInteractiveOrAPIDriven | Boolean | — |
| stopIdleTimer | Boolean | — |
| networkRefCount | UInt32 | — |
| systemRefCount | UInt32 | — |