dfirhub

WindowsUpdate

Windowsv1

Author: Rick van Dreunen

description

Windows Update Logs

paths

4 paths
EventLogsWindows Update Session Orchestrator logs
C:\ProgramData\USOShared\Logs\System\*.etl
EventLogsWindows Update logs
C:\Windows\Logs\WindowsUpdate\WindowsUpdate*.etl
EventLogsWindows Component-Based Servicing logs
C:\Windows\Logs\CBS\CBS*.log
EventLogsWindows Update History
C:\Windows\SoftwareDistribution\DataStore
paths use Windows environment syntax

collection commands 

# PowerShell Artifact Collection Script
# Target: WindowsUpdate
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"

# Function to handle directory creation and copying
function Collect-Artifact {
    param (
        [string]$SourcePath,
        [string]$FolderName
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    if (-not (Test-Path -Path $FullDest)) {
        New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
    }
    Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
}

# 1. Windows Update Session Orchestrator logs
Collect-Artifact -SourcePath "C:\ProgramData\USOShared\Logs\System\\*.etl" -FolderName "Windows_Update_Session_Orchestrator_logs"

# 2. Windows Update logs
Collect-Artifact -SourcePath "C:\Windows\Logs\WindowsUpdate\\WindowsUpdate*.etl" -FolderName "Windows_Update_logs"

# 3. Windows Component-Based Servicing logs
Collect-Artifact -SourcePath "C:\Windows\Logs\CBS\\CBS*.log" -FolderName "Windows_Component_Based_Servicing_logs"

# 4. Windows Update History
Collect-Artifact -SourcePath "C:\Windows\SoftwareDistribution\DataStore\*" -FolderName "Windows_Update_History"

Write-Host "Collection complete!" -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

references