The C:\Windows\Logs directory has tons of useful information in it, but it’s all in the obscure ETL file format. What’s an ETL file, why did Microsoft switch to this format, and how do you open the file to read it?
ETL stands for Event Trace Log. These files contain information from kernel events generated by Tracelog. Windows uses them because they are more efficient than logging in plaintext. You can open them in Event Viewer, but it’s also possible to convert them into XML, CSV, or plaintext for troubleshooting.
Why Microsoft switched from plaintext to ETL files
Back in my day, Windows logged events related to Windows updates in plaintext files in the C:\Windows directory. When a security analyst complained I was missing a patch, I could look for the appropriate KB log in the Windows directory and look for errors. Knowing how to do this quickly made me their favorite sysadmin.
Admittedly, these files could get numerous and huge. And while I needed them somewhat frequently, the rest of the team saw them as useless files that just took up space in the Windows directory and on the never-enough-room-on-it C drive.
Microsoft switched to the ETL format because the files are more compact and it can write them faster, improving server performance. Most people never notice.
If you need to know what’s in the ETL file, you’ll probably be jealous that all I used to have to do was double-click on the file and it would open in Notepad. Let’s talk about how to open ETL files, or, better yet, convert ETL to a more useful format.
How to open an ETL file in Event Viewer
The easiest way is probably to open the ETL file in Event Viewer. Click Start, then type Event Viewer and open the Event Viewer utility. Then click Action > Open Saved Log and navigate to C:\Windows\Logs to open the ETL file you’re interested in.
But at least in the case of Windows Update logs, they don’t contain a lot of useful information, whether you view them in legacy format or let Event Viewer convert to the newest format when it prompts you.
Converting an ETL file to XML or CSV
You can convert an ETL file to XML with the built-in command tracerpt. Running it is easy enough. Open a command prompt as administrator, then run the command tracerpt WindowsUpdatex.y.z.etl, substituting your filename of course. The utility will output two files, dumpfile.xml and summary.txt.
To output them in the more useful CSV format, which you can read in Excel with all of its searching, sorting and filtering capabilities, use something like this:
tracerpt WindowsUpdatex.y.z.etl -o update.csv -of CSV
Once you have them in CSV format, if you are investigating multiple updates or the same failed update on multiple machines, here’s a way to quickly merge them, or a way to merge them while preserving headers. That may help you to establish a pattern.
Converting an ETL file to a plaintext log
Call me old-fashioned, but I miss the old plaintext log file. Microsoft includes a PowerShell utility to get those back. Sort of. At least in the case of Windows Update logs.
Open PowerShell and run the command Get-WindowsUpdateLog. It will tear through all of the ETL files in C:\Windows\Logs\WindowsUpdate and generate one big WindowsUpdate.log file on your desktop. This makes it harder to narrow your focus to a particular KB, but fear not. Open the file, then search for the KB you’re interested in.
I find this easier than wrangling all of the ETL files on the system. The resulting file can be huge, but with everything in a single file, I can find the information I need on whatever missing KB I need to deal with. Knowing what file is failing makes it much easier to fix that missing update.
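The search described above can be scripted. This is an added example, not part of the original post: it writes the merged log to a working folder, extracts every line naming one KB, and tallies the error codes nearby. The variable names, the KB0000000 placeholder, the output folder and the error-code pattern are assumptions made for illustration.

```powershell
# Added example: build the merged Windows Update log and pull out one KB.
# $Kb and $OutDir are placeholder values chosen for illustration.
param(
    [string]$Kb     = 'KB0000000',                       # placeholder: the KB you are chasing
    [string]$OutDir = (Join-Path $env:TEMP 'wu-triage')  # assumed working folder
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$log = Join-Path $OutDir 'WindowsUpdate.log'

# Decode the ETL traces into one plaintext log, written to $log
# instead of the desktop.
Get-WindowsUpdateLog -LogPath $log | Out-Null

# Every line that names the KB, with two lines of context on either side.
$hits = Select-String -Path $log -Pattern ([regex]::Escape($Kb)) -Context 2,2
if (-not $hits) {
    Write-Warning "No lines mention $Kb in $log"
    return
}

# Keep the matches (with context) in a small file you can attach to a ticket.
$hits | Out-File -FilePath (Join-Path $OutDir "$Kb-lines.txt") -Width 4096

# Heuristic (an assumption, not a documented log field): failure HRESULTs
# look like 0x8 followed by seven hex digits. Overlapping context windows
# repeat lines, so drop the repeats before counting.
$hresult = '0x8[0-9A-Fa-f]{7}'
$hits |
    ForEach-Object { @($_.Context.PreContext) + $_.Line + @($_.Context.PostContext) } |
    Select-Object -Unique |
    Select-String -Pattern $hresult -AllMatches |
    ForEach-Object { $_.Matches.Value } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The final table lists each error code seen near the KB and how often it appears, which gives you something concrete to look up when the same update fails on several machines.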
I use the data from ETL files to troubleshoot patches that fail to fully apply. Here’s another trick I use when you get an error message that the update is already on the system, when your vuln scanner says it’s not.
Whatever strategy you use to manage updates, if you want to actually find and troubleshoot failures, being able to dig into ETL files is an indispensable skill.