WindowsUpdate

Windowsv1

Author: Rick van Dreunen

description

Windows Update Logs

paths

4 paths

› paths use Windows environment syntax

collection commands

source:

destination:

# PowerShell Artifact Collection Script
# Target: WindowsUpdate
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"

# Function to handle artifact collection with robocopy
function Collect-Artifact {
    param (
        [string]$SourceDir,
        [string]$FolderName,
        [string]$FileMask = "*"
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    robocopy "$SourceDir" "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS | Out-Null
}

# 1. Windows Update Session Orchestrator logs
Collect-Artifact -SourceDir "C:\ProgramData\USOShared\Logs\System\" -FileMask "*.etl" -FolderName "Windows_Update_Session_Orchestrator_logs"

# 2. Windows Update logs
Collect-Artifact -SourceDir "C:\Windows\Logs\WindowsUpdate\" -FileMask "WindowsUpdate*.etl" -FolderName "Windows_Update_logs"

# 3. Windows Component-Based Servicing logs
Collect-Artifact -SourceDir "C:\Windows\Logs\CBS\" -FileMask "CBS*.log" -FolderName "Windows_Component_Based_Servicing_logs"

# 4. Windows Update History
Collect-Artifact -SourceDir "C:\Windows\SoftwareDistribution\DataStore" -FolderName "Windows_Update_History"

Write-Host "Collection complete!" -ForegroundColor Green

› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

references

https://learn.microsoft.com/en-us/windows/deployment/update/windows-update-logs

// description

// paths

// collection commands

// references

description

paths

collection commands

references