Last Updated on May 14, 2023 by Dave Farquhar
The C:\Windows\Logs directory has tons of useful information in it, but it’s all in the obscure ETL file format. What’s an ETL file, why did Microsoft switch to this format, and how do you open the file to read it?
ETL stands for Event Trace Log; these files contain kernel event information generated by Tracelog. Windows uses them because they are more efficient than logging in plaintext. You can open ETL files in Event Viewer, but it’s also possible to convert them into XML, CSV, or plaintext for troubleshooting.
Why Microsoft switched from plaintext to ETL files
Back in my day, Windows logged events related to Windows updates in plaintext files in the C:\Windows directory. When a security analyst complained I was missing a patch, I could look for the appropriate KB log in the Windows directory and look for errors. Knowing how to do this quickly made me their favorite sysadmin.
Admittedly, these files could get numerous and huge. And while I needed them somewhat frequently, the rest of the team saw them as useless files that just took up space in the Windows directory and on the never-enough-room-on-it C drive.
Microsoft switched to the ETL format because the files are more compact and it can write them faster, improving server performance. Most people never notice them now, but they still contain invaluable information like what files failed to update, or if the system wanted to reboot but couldn’t.
If you need to know what’s in the ETL file, you’ll probably be jealous that all I used to have to do was double-click on the file and it would open in Notepad. Let’s talk about how to open ETL files, or, better yet, convert ETL to a more useful format so you can read them easily.
How to open an ETL file in Event Viewer
The easiest way is probably to open the ETL file in Event Viewer. Click Start, then type Event Viewer and open the Event Viewer utility. Then click Action > Open Saved Log and navigate to C:\Windows\Logs to open the ETL file you’re interested in.
But at least in the case of Windows Update logs, they don’t contain a lot of useful information, whether you view them in legacy format or let Event Viewer convert to the newest format when it prompts you.
To surface the most useful information out of an ETL file so you can read it, you really need to convert it to another format.
Converting an ETL file to XML or CSV
You can convert an ETL file to XML with the built-in command tracerpt. Running it is easy enough. Open a command prompt as administrator, then run the command tracerpt WindowsUpdatex.y.z.etl, substituting your filename of course. The utility will output two files, dumpfile.xml and summary.txt.
To output them in the more useful CSV format, which you can read in Excel with all of its searching, sorting and filtering capabilities, use something like this:
tracerpt WindowsUpdatex.y.z.etl -o update.csv -of CSV
Once you have ETL files in CSV format, if you are investigating multiple updates or the same failed update on multiple machines, here’s a way to quickly merge them, or a way to merge them while preserving headers. That may help you to establish a pattern.
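As an added example (not code from the original post), here is a PowerShell script that runs the tracerpt conversion above over every ETL file in the Windows Update log folder, merges the resulting CSVs while keeping a single header row, and filters the merged data for one KB. The folder, output location, and the KB number are assumptions; run it from an elevated PowerShell prompt, because tracerpt needs administrator rights.

```powershell
# Added example: batch-convert ETL -> CSV with tracerpt, merge, then filter for a KB.
# $EtlFolder, $OutFolder and the sample KB are assumptions; adjust for your system.
param(
    [string]$EtlFolder = 'C:\Windows\Logs\WindowsUpdate',
    [string]$OutFolder = "$env:USERPROFILE\Desktop\etl-csv",
    [string]$Pattern   = 'KB5025221'   # constructed sample KB number; substitute yours
)

New-Item -ItemType Directory -Path $OutFolder -Force | Out-Null

# 1. Convert: the same command as in the text, tracerpt <in.etl> -o <out.csv> -of CSV,
#    once per ETL file. -y answers the overwrite prompt so the loop does not stall.
$csvFiles = foreach ($etl in Get-ChildItem -Path $EtlFolder -Filter *.etl) {
    $csv = Join-Path $OutFolder ($etl.BaseName + '.csv')
    & tracerpt.exe $etl.FullName -o $csv -of CSV -y | Out-Null
    if ($LASTEXITCODE -eq 0 -and (Test-Path $csv)) {
        $csv
    } else {
        # A file that is still open for writing by the Windows Update service will fail here.
        Write-Warning "tracerpt failed on $($etl.Name) (exit code $LASTEXITCODE)"
    }
}

# 2. Merge while preserving headers: Import-Csv consumes each file's header row, so the
#    combined objects export with exactly one header. Tag each row with its source file.
$merged = foreach ($csv in $csvFiles) {
    Import-Csv -Path $csv |
        Add-Member -NotePropertyName SourceFile -NotePropertyValue (Split-Path $csv -Leaf) -PassThru
}
$merged | Export-Csv -Path (Join-Path $OutFolder 'merged.csv') -NoTypeInformation

# 3. Filter: match against every column joined together, so the script does not depend on
#    tracerpt's column names, which vary between Windows versions.
$hits = $merged | Where-Object {
    ($_.PSObject.Properties.Value -join ' ') -match [regex]::Escape($Pattern)
}
"$($merged.Count) events merged from $($csvFiles.Count) files; $($hits.Count) mention $Pattern"
$hits | Export-Csv -Path (Join-Path $OutFolder "$Pattern.csv") -NoTypeInformation
```

The per-KB CSV opens in Excel like any other tracerpt output, and the SourceFile column tells you which ETL file (and therefore which machine or update run) each matching event came from.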
Converting an ETL file to a plaintext log
Call me old-fashioned, but I miss the old plaintext log file. Microsoft includes a PowerShell utility to get those back. Sort of. At least in the case of Windows update logs.
Open PowerShell and run the command Get-WindowsUpdateLog. It will tear through all of the EVT and ETL files in C:\Windows\Logs\WindowsUpdate and generate one big WindowsUpdate.log file on your desktop. This makes it harder to narrow your focus to a particular KB, but fear not. Open the file, then search for the KB you’re interested in.
I find this easier than wrangling all of the ETL files on the system. The resulting file can be huge, but with everything in a single file, I can find the information I need on whatever missing KB I need to deal with. Knowing what went wrong with a given KB makes it much easier to fix that missing update. Notepad++ generally does a better job of handling huge text files than the Notepad app that comes with Windows.
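The search step above can be scripted so you do not have to scroll a huge log by hand. This added example (not from the original post) regenerates WindowsUpdate.log with Get-WindowsUpdateLog, prints the lines about one KB with surrounding context, and tallies failure codes. The log path and KB number are assumptions, and the failure regex is a heuristic I chose, not a documented log grammar.

```powershell
# Added example: regenerate the plaintext Windows Update log and extract one KB's story.
# $LogPath and the sample KB are assumptions; the failure pattern is a heuristic.
$LogPath = "$env:USERPROFILE\Desktop\WindowsUpdate.log"
$Kb      = 'KB5025221'   # constructed sample KB number; substitute yours

# -LogPath overrides the default Desktop location. Expect this to take a while on a
# system with many ETL files; it is the same merge the text describes.
Get-WindowsUpdateLog -LogPath $LogPath

# Lines mentioning the KB, with two lines of context each side so the download /
# install state around the mention is visible without opening the whole file.
Select-String -Path $LogPath -Pattern ([regex]::Escape($Kb)) -Context 2,2 |
    ForEach-Object {
        $_.Context.PreContext
        ">> $($_.Line)"
        $_.Context.PostContext
        ''
    }

# Failure indicators: the word "fail" or an HRESULT-looking code of the form 0x8xxxxxxx.
# Grouping by code makes a repeated root cause stand out among thousands of lines.
$codeRegex = '0x8[0-9A-Fa-f]{7}'
$failures  = Select-String -Path $LogPath -Pattern "fail|$codeRegex"

$failures |
    ForEach-Object { if ($_.Line -match $codeRegex) { $Matches[0] } else { '(no code)' } } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Keep the failure lines in a small companion file next to the full log for the ticket.
$failures | Select-Object -ExpandProperty Line |
    Set-Content -Path ($LogPath -replace '\.log$', ".$Kb-failures.txt")
```

The grouped table is usually the quickest way to see whether one error code accounts for most of the failures before you look up what that code means.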
I use the data from ETL files to troubleshoot patches that fail to fully apply. Here’s another trick I use when you get an error message that the update is already on the system, when your vuln scanner says it’s not.
Whatever strategy you use to manage updates, if you want to actually find and troubleshoot failures, being able to dig into, read, interpret, and act on the data in ETL files is an indispensable skill.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.