Export all windows event logs

How to Export Windows Event Logs to Excel — Вокруг-Дом — 2021


The Microsoft Windows Event Viewer records events that occur on a computer running Microsoft Windows. The logs capture a variety of events, including account logon and logoff information, system information, warnings, and errors. The event log is an invaluable tool for troubleshooting application crashes and other system errors. In their native format, event log files can be viewed only in the Event Viewer console. However, event logs can be exported from Event Viewer and imported into an Excel document. Once saved in Excel, the list of event IDs can be sorted and analyzed as needed.

Preserve your computer's valuable system information by exporting event logs to Excel.

Open Event Viewer and Export the Logs to a CSV File

Step 1

Right-click the "Computer" icon on the desktop. If the "Computer" icon is not on the desktop, click the "Start" button to find the "Computer" icon in the Start menu.

Step 2

Click "Manage" in the options menu to open the Computer Management console.

Step 3

Click the right arrow in front of the "Event Viewer" group to expand the available Event Viewer logs.

Step 4

Right-click the log you want to export, for example the "Security" event log. In the available options, click "Save All Events As…".

Step 5

Click the down arrow in the "Save as type:" field and select "CSV (Comma Separated) (*.csv)".

Step 6

Click in the "File name:" field and type a file name and save location for the file. For example, "C:\SecurityEventLog" saves the file with the name SecurityEventLog and places it on drive C:.

Step 7

Click "Save" to save the CSV file to drive C:.

Step 8

Close the Computer Management console by clicking the "X" in the upper-right corner of the console window.

Open the CSV File in Excel and Sort by Event

Step 1

Open Microsoft Excel by clicking "Start", "All Programs", "Microsoft Office", and "Microsoft Office Excel".

Step 2

Click the "Office" button in the upper-left corner of the Excel application and click "Open".

Step 3

Type "C:\SecurityEventLog.csv" in the "File name:" field and click "Open" to start the Text Import Wizard.

Step 4

Select "Delimited" on the first page of the Text Import Wizard and click "Next".

Step 5

Select "Comma" and clear "Tab" in the "Delimiters" section, then click "Next".

Step 6

Select "General" in the "Column data format" field and click "Finish" to open the Event Viewer log in Excel.

Step 7

Click the "Event ID" column heading to select the entire Event ID column.

Step 8

Click "Data" in the menu at the top of the Excel application.

Step 9

Click "Sort" on the "Data" menu tab, select "Expand the selection" when the "Sort Warning" window appears, and click "Sort".

Step 10

Click "Event ID" in the "Sort by" drop-down list, specify the sort order by choosing one of the available options in the "Order" drop-down list, and click "OK".

Step 11

Review the list of Windows event IDs in Excel and save the file for future use.



  • Windows Setup Log Files and Event Logs

    Windows® Setup creates log files for all actions that occur during installation. If you are experiencing problems installing Windows, consult the log files to troubleshoot the installation.


    Windows Setup log files are available in the following directories:

    Log location before Setup can access the drive.

    Log location when Setup rolls back in the event of a fatal error.

    Log location of Setup actions after disk configuration.

    Used to log Plug and Play device installations.

    Location of memory dump from bug checks.

    Location of log minidumps from bug checks.

    Location of Sysprep logs.

    Windows Setup Event Logs

    Windows Setup includes the ability to review the Windows Setup performance events in the Windows Event Log viewer. This enables you to more easily review the actions that occurred during Windows Setup and to review the performance statistics for different parts of Windows Setup. You can filter the log so as to view only relevant items that you are interested in. The Windows Setup performance events are saved into a log file that is named Setup.etl, which is available in the %WINDIR%\Panther directory of all installations. To view the logs, you must use the Event Viewer included with the Windows media that corresponds to the version of the customized image that you are building.

    To view the logs on a computer that does not include the corresponding kit, you must run a script from the root of the media that installs the Event Trace for Windows (ETW) provider. From the command line, type:

    where D is the drive letter of the Windows DVD media.

    To view the Windows Setup event logs

    Start the Event Viewer, expand the Windows Logs node, and then click System.

    In the Actions pane, click Open Saved Log and then locate the Setup.etl file. By default, this file is available in the %WINDIR%\Panther directory.

    The log file contents appear in the Event Viewer.

    To Export the log to a file

    From the command line, use the Wevtutil or Tracerpt commands to save the log to an .xml or text file. For information about how to use these tools, see the command-line Help. The following commands show examples of how to use the tools:

    Exporting event logs with Windows PowerShell

    Do you need to automate error reporting based on recent events and don’t want to use third-party tools? This article describes how to collect events from different sources and unite them in one document using standard Windows instruments only.

    Recently I described how to export events into Excel format using our Event Log Explorer software. However, in some cases, using third-party software can be impossible. This may happen if your company doesn’t have the budget to purchase event log utilities, or such utilities are restricted by the company’s rules. In any case, the task of regularly exporting recent events from different machines into one legible file is still crucial. That’s why I will show how you can get the events from different Windows machines and export them into one file for further investigation.

    Let’s take the same task we solved previously. We have 4 Windows servers and we need to generate weekly reports of Error and Warning events in Application and System event logs. We should utilize only standard Windows instruments.

    Instruments

    Microsoft features Windows PowerShell as a framework to automate different administrative tasks and perform configuration management in Windows. My scripts require at least PowerShell version 3.0. If your PowerShell is outdated, you can update it by downloading Windows Management Framework from Microsoft’s site. To check the PowerShell version, simply type in the PowerShell console:

    In my case, PowerShell version = 3 which is OK.

    Research

    To access event logs, Windows PowerShell comes with Get-EventLog cmdlet:

    First we need to define the start date (the date after which we will get events). This date is calculated as today minus 7 days:

    Now we can read warning and error events from a log for the last week:

    $el = get-eventlog -ComputerName Serv1 -log System -After $startdate -EntryType Error, Warning

    Let’s check the result. Just type $el in the console. Yes, we can see events from the event log.
    But how will we export the event log? Windows PowerShell doesn’t have cmdlets to export to Excel. But it supports export to CSV file. Let’s try it now:

    Yes, it works, but multi-line descriptions ruined the output file.
    Maybe export to XML will help?

    But how to display it in a clear way? Excel understands XML files, but I have no idea how to interpret it:

    I guess we can make an XML transformation to convert this XML into a more readable file, but I’m not an XML guru. I do have a more or less useful solution, though. We can solve our problem if we export only several event properties to CSV (without the event description):

    $el |Select EntryType, TimeGenerated, Source, EventID | Export-CSV eventlog.csv -NoTypeInfo

    Now we can read eventlog.csv in Excel without problems.

    Putting all together

    It’s time to write the PowerShell script.
    Brief: we will read recent (7 days) error and warning events from Application and System event logs, join them, sort them by time and export to CSV format.
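
One way to write the script described in the brief above, as an added example rather than the author's original script; the server names other than Serv1 and the output path are assumptions. It goes one step beyond the article by keeping the event description: the text is collapsed to a single line, and cells that Excel would evaluate as formulas are neutralised, because event text is written by whatever process raised the event.

```powershell
# Added example, not the author's script.
$servers   = 'Serv1', 'Serv2', 'Serv3', 'Serv4'   # only Serv1 appears in the article
$logs      = 'Application', 'System'
$startDate = (Get-Date).AddDays(-7)
$outFile   = 'C:\Test\eventlog.csv'               # assumed output location

function ConvertTo-SafeCell {
    param([string]$Text)
    # Collapse CR/LF/tab runs so every event stays on one CSV row.
    $flat = ($Text -replace '\s+', ' ').Trim()
    # Prefix cells that start with =, +, - or @ so Excel shows them as text
    # instead of evaluating them as a formula.
    if ($flat -match '^[=+\-@]') { $flat = "'" + $flat }
    return $flat
}

$events = foreach ($server in $servers) {
    foreach ($log in $logs) {
        try {
            Get-EventLog -ComputerName $server -LogName $log -After $startDate `
                         -EntryType Error, Warning -ErrorAction Stop
        } catch {
            # Unreachable host or no matching entries: report it and continue.
            Write-Warning "$server / $log : $($_.Exception.Message)"
        }
    }
}

$events |
    Sort-Object TimeGenerated |
    Select-Object MachineName, EntryType, TimeGenerated,
        @{ Name = 'Source';  Expression = { ConvertTo-SafeCell $_.Source } },
        EventID,
        @{ Name = 'Message'; Expression = { ConvertTo-SafeCell $_.Message } } |
    Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
```

Get-EventLog exists only in Windows PowerShell and reads only the classic logs; Get-WinEvent is the cmdlet that also covers the newer "Applications and Services" channels.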

    Scheduling the task

    To run the script, we should run this command:

    PowerShell.exe -ExecutionPolicy ByPass -File export-logs.ps1

    We can create this task in the Windows Task Scheduler GUI or from the PowerShell console.
    Microsoft recommends this way to schedule a PowerShell script:

    $Trigger = New-JobTrigger -Weekly -At "7:00AM" -DaysOfWeek "Monday"
    Register-ScheduledJob -Name "Export Logs" -FilePath "C:\Test\export-logs.ps1" -Trigger $Trigger

    But this may not work, because it adds the following action to Windows Task Scheduler:

    powershell.exe -NoLogo -NonInteractive -WindowStyle Hidden -Command "Import-Module PSScheduledJob; $jobDef = [Microsoft.PowerShell.ScheduledJob.ScheduledJobDefinition]::LoadFromStore('Export Logs', 'C:\Users\Michael\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs'); $jobDef.Run()"

    If your policy prevents running PowerShell scripts, our export script won’t run, because the powershell.exe parameters lack the -ExecutionPolicy option.
    That’s why I will use ScriptBlock instead of FilePath. This code does the trick:

    Note that to run Register-ScheduledJob cmdlet, you need to start PowerShell elevated.
    That’s all. Now you should have a task that runs every Monday at 7:00, collects events from your servers and exports them to CSV files.
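
One way to register the job with a ScriptBlock as described above (an added example, not the author's code). It reuses the job name, trigger and script path from the article and adds failure reporting and a check of the registered job, which are assumptions about what an administrator would want.

```powershell
# Added example. Run from an elevated Windows PowerShell console.
$Trigger = New-JobTrigger -Weekly -At '7:00AM' -DaysOfWeek 'Monday'

Register-ScheduledJob -Name 'Export Logs' -Trigger $Trigger -ScriptBlock {
    $script = 'C:\Test\export-logs.ps1'   # path used earlier in the article

    if (-not (Test-Path -LiteralPath $script -PathType Leaf)) {
        throw "Export script not found: $script"
    }

    # A child process is started so that -ExecutionPolicy applies to this
    # run only and the machine-wide setting stays untouched.
    & powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File $script

    # Turn a non-zero exit code into a failed job instead of a silent miss.
    if ($LASTEXITCODE -ne 0) {
        throw "export-logs.ps1 exited with code $LASTEXITCODE"
    }
}

# Confirm what was registered and when it will fire.
Get-ScheduledJob -Name 'Export Logs' | Get-JobTrigger

# After a run, every execution is kept as a job instance with its state.
Import-Module PSScheduledJob
Get-Job -Name 'Export Logs' | Select-Object Name, State, PSBeginTime, PSEndTime
```

If the execution policy is enforced through Group Policy, the -ExecutionPolicy parameter does not override it. The job runs unattended, so keep C:\Test writable by administrators only.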

    Conclusion

    As you can see, the problem of exporting events to Excel can be solved without third-party tools. This method is somewhat limited, but it works.

    How-To Export Windows Event Logs

    KB ID: 1873
    Product: Veeam Backup & Replication
    Version: All
    Published: 2014-04-21
    Last Modified: 2021-01-01

    Purpose

    When submitting a support case for technical assistance, it is sometimes necessary to upload relevant Windows event logs in addition to the Veeam logs. Event logs exported using default settings can be missing important information. This article describes three different methods of exporting Windows event logs and which logs tend to be most useful for certain types of support cases.

    Solution

    Below are the three common methods a Veeam Support Engineer may request you gather event logs for them. If they have specified a specific method, please use the requested method.

    See “Which Logs to Export” below for the logs that should be collected for common issues.

    Method 1: Export EVTX with Display Information (MetaData)

    An .evtx file alone does not contain the text of most events, so uploading an .evtx file without the associated Display Information can delay resolution of your support case. Even with the display information, an .evtx contains only the UTC time of the events and not the source time zone (Event viewer adjusts the displayed time to your local time zone).

    Steps to Export .evtx with Display Information

    1. Open Event Viewer (eventvwr.msc).
    2. Locate the log to be exported in the left-hand column.
    3. Right-click the name of the log and select Save All Events As…
    4. Enter a file name that includes the log type and the server it was exported from.
      For example, when exporting the Application event log from server named HV01, enter Application_HV01.
    5. In Save as type, select Event Files.
    6. Include display information.

    Be sure to include the LocaleMetaData folder when packaging logs for upload.

    Please package all files into a single .zip archive. For information on uploading files to Support, see: Steps to Compile Logs

    To export and then archive an event log from the command line, see: Archive an Event Log
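
The command-line route mentioned above, applied to Method 1, as an added example that is not part of the KB. The output folder, the timezone.txt file name and the en-US locale are assumptions; the log list follows the Hyper-V section of this article.

```powershell
# Added example. Run from an elevated console on the server whose logs
# were requested. $outDir is an assumed working folder.
$server = $env:COMPUTERNAME
$outDir = Join-Path $env:TEMP "EventLogs_$server"
$zip    = "$outDir.zip"

# File-name prefix -> channel name as wevtutil expects it (see: wevtutil el).
$logs = [ordered]@{
    'System'             = 'System'
    'Application'        = 'Application'
    'Hyper-V-VMMS-Admin' = 'Microsoft-Windows-Hyper-V-VMMS-Admin'
}

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

foreach ($name in $logs.Keys) {
    # Naming rule from step 4: log type plus the server it came from.
    $evtx = Join-Path $outDir ('{0}_{1}.evtx' -f $name, $server)

    wevtutil.exe epl $logs[$name] $evtx /ow:true
    if ($LASTEXITCODE -ne 0) {
        # For example, the Hyper-V channel does not exist on a non-Hyper-V host.
        Write-Warning "Could not export '$($logs[$name])' (exit code $LASTEXITCODE)"
        continue
    }
    # archive-log writes the display information into a LocaleMetaData
    # folder beside the .evtx, the same data the GUI option adds.
    wevtutil.exe al $evtx /l:en-US
}

# The .evtx stores UTC only, so record the source time zone next to it.
[System.TimeZoneInfo]::Local.Id | Set-Content (Join-Path $outDir 'timezone.txt')

# Package the .evtx files and LocaleMetaData into a single archive.
Add-Type -AssemblyName System.IO.Compression.FileSystem
if (Test-Path -LiteralPath $zip) { Remove-Item -LiteralPath $zip }
[System.IO.Compression.ZipFile]::CreateFromDirectory($outDir, $zip)
Write-Output $zip
```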

    Method 2: Export as CSV

    1. Open Event Viewer (eventvwr.msc).
    2. Locate the log to be exported in the left-hand column.
    3. Right-click the name of the log and select Save All Events As…
    4. Enter a file name that includes the log type and the server it was exported from.
      For example, when exporting the Application event log from server named HV01, enter Application_HV01.
    5. In Save as type, select CSV (Comma Separated).

    Please package all files into a single .zip archive. For information on uploading files to Support, see: Steps to Compile Logs

    To export and then archive an event log from the command line, see: Archive an Event Log

    Method 3: Collect entire log folder from Windows.

    1. Navigate to C:\Windows\System32\winevt\Logs
    2. Archive (ZIP\7z\RAR) the entire contents of the Logs folder.

    Please package all files into a single .zip archive. For information on uploading files to Support, see: Steps to Compile Logs

    To export and then archive an event log from the command line, see: Archive an Event Log

    Which Logs to Export

    Veeam Support will request logs as needed, but you can speed up resolution of a new case by checking to see if it falls into one of the categories below and uploading appropriate event logs during case creation.

    • For Hyper-V Snapshot (Shadow Copy) Failures
      • Export the following event logs from the standalone Hyper-V host or from all cluster nodes:
        • Windows Logs > System
        • Windows Logs > Application
        • Applications and Services Logs > Microsoft > Hyper-V-VMMS > Admin
      • If Application-Aware Image Processing is enabled in the Backup or Replication job settings, test whether the failure occurs with that setting disabled.
      • If the problem occurs only when Application-Aware is enabled, export the Hyper-V-Integration log from the Hyper-V host managing the VM, then see Guest Processing Issues below.
        Note: For Hyper-V 2016 or newer this step can be skipped, as this section was removed in Server 2016.
        • Applications and Services Logs > Microsoft > Hyper-V-Integration > Admin
    • For Guest Processing Issues
      Note: For “Guest Processing Skipped” see KB1855.
      • Common examples include failure to truncate Exchange or SQL transaction logs, “VSSControl” error codes, and unexpected behavior occurring with the VM guest OS during backup.
      • Export these logs from the affected VM guest OS:
        • Windows Logs > System
        • Windows Logs > Application
      • You will typically also want to collect the Veeam VSS logs from the VM – see KB1789.
    • For Problems with Backup Infrastructure Servers
      • In all scenarios below, export the following from the appropriate server. When in doubt, export from the Veeam Backup server:
        • Windows Logs > System
        • Windows Logs > Application
      • If the error message is:
        • “task failed unexpectedly” — Export events from the Veeam Backup server.
        • referring to backup files on a Windows server — Export events from the repository server.
        • referring to backup files on a CIFS/SMB share — Export events from the gateway server, or from the Veeam Backup server and all proxies if no gateway was specified in the repository settings.