Windows Vista, Windows 7, Windows Server 2008 R2, Windows 8.1, and Windows 10 setup log file locations
This article describes where to locate these log files and which log files are most useful for troubleshooting each setup phase of Windows 7, of Windows Server 2008 R2, and of Windows Vista.
Original product version: В Windows 10 — all editions, Windows Server 2019, Windows Server 2016
Original KB number: В 927521
Introduction
Windows setup log files are in different locations on the hard disk. These locations depend on the setup phase.
Support for Windows Vista without any service packs installed ended on April 13, 2010. To continue receiving security updates for Windows, make sure you’re running Windows Vista with Service Pack 2 (SP2). For more information, see Windows XP support has ended.
Down-level phase
The downlevel phase is the Windows setup phase that is running within the previous operating system. The following table lists important log files in this setup phase.
| Log file | Description |
|---|---|
| C:\WINDOWS\setupapi.log | Contains information about device changes, driver changes, and major system changes, such as service pack installations and hotfix installations. This log file is used only by Microsoft Windows XP and earlier versions. |
| C:$WINDOWS. BT\Sources\Panther\setupact.log | Contains information about setup actions during the installation. |
| C:$WINDOWS. BT\Sources\Panther\setuperr.log | Contains information about setup errors during the installation. |
| C:$WINDOWS. BT\Sources\Panther\miglog.xml | Contains information about the user directory structure. This information includes security identifiers (SIDs). |
| C:$WINDOWS. BT\Sources\Panther\PreGatherPnPList.log | Contains information about the initial capture of devices that are on the system during the downlevel phase. |
Windows Preinstallation Environment phase
The Windows Preinstallation Environment (Windows PE or WinPE) phase is the Windows setup phase that occurs after the restart at the end of the downlevel phase, or when you start the computer by using the Windows installation media. The following table lists important log files in this setup phase.
| Log file | Description |
|---|---|
| X:$WINDOWS. BT\Sources\Panther\setupact.log | Contains information about setup actions during the installation. |
| X:$WINDOWS. BT\Sources\Panther\setuperr.log | Contains information about setup errors during the installation. |
| X:$WINDOWS. BT\Sources\Panther\miglog.xml | Contains information about the user directory structure. This information includes security identifiers (SIDs). |
| X:$WINDOWS. BT\Sources\Panther\PreGatherPnPList.log | Contains information about the initial capture of devices that are on the system during the downlevel phase. |
| or | |
| C:$WINDOWS. BT\Sources\Panther\setupact.log | Contains information about setup actions during the installation. |
| C:$WINDOWS. BT\Sources\Panther\setuperr.log | Contains information about setup errors during the installation. |
| C:$WINDOWS. BT\Sources\Panther\miglog.xml | Contains information about the user directory structure. This information includes security identifiers (SIDs). |
| C:$WINDOWS. BT\Sources\Panther\PreGatherPnPList.log | Contains information about the initial capture of devices that are on the system during the downlevel phase. |
You may also see a log file in the X:\WINDOWS directory. The Setupact.log file in this directory contains information about the progress of the initial options that are selected on the Windows installation screen. The Windows installation screen appears when you start the computer by using the Windows installation media. After you select Install now from the Windows installation screen, the Setup.exe file starts, and this log file is no longer used.
Online configuration phase
The online configuration phase (the first boot phase) starts when you receive the following message:
Please wait a moment while Windows prepares to start for the first time.
During this phase, basic hardware support is installed. If it’s an upgrade installation, data and programs are also migrated. The following table lists important log files in this setup phase.
| Log file | Description |
|---|---|
| C:\WINDOWS\PANTHER\setupact.log | Contains information about setup actions during the installation. |
| C:\WINDOWS\PANTHER\setuperr.log | Contains information about setup errors during the installation. |
| C:\WINDOWS\PANTHER\miglog.xml | Contains information about the user directory structure. This information includes security identifiers (SIDs). |
| C:\WINDOWS\INF\setupapi.dev.log | Contains information about Plug and Play devices and driver installation. |
| C:\WINDOWS\INF\setupapi.app.log | Contains information about application installation. |
| C:\WINDOWS\Panther\PostGatherPnPList.log | Contains information about the capture of devices that are on the system after the online configuration phase. |
| C:\WINDOWS\Panther\PreGatherPnPList.log | Contains information about the initial capture of devices that are on the system during the downlevel phase. |
Windows Welcome phase
The Windows Welcome phase includes the following options and events:
- It provides the options to create user accounts.
- It provides the option to specify a name for the computer.
- The Windows System Assessment Tool (Winsat.exe) finishes performance testing to determine the Windows Experience Index rating.
The Windows Welcome phase is the final setup phase before a user signs in. The following table lists important log files in this setup phase.
| Log file | Description |
|---|---|
| C:\WINDOWS\PANTHER\setupact.log | Contains information about setup actions during the installation. |
| C:\WINDOWS\PANTHER\setuperr.log | Contains information about setup errors during the installation. |
| C:\WINDOWS\PANTHER\miglog.xml | Contains information about the user directory structure. This information includes security identifiers (SIDs). |
| C:\WINDOWS\INF\setupapi.dev.log | Contains information about Plug and Play devices and driver installation. |
| C:\WINDOWS\INF\setupapi.app.log | Contains information about application installation. |
| C:\WINDOWS\Panther\PostGatherPnPList.log | Contains information about the capture of devices that are on the system after the online configuration phase. |
| C:\WINDOWS\Panther\PreGatherPnPList.log | Contains information about the initial capture of devices that are on the system during the downlevel phase. |
| C:\WINDOWS\Performance\Winsat\winsat.log | Contains information about the Windows System Assessment Tool performance testing results. |
Rollback phase
If a Windows upgrade installation fails, and you’ve successfully rolled back the installation to the previous operating system desktop, there are several log files that you can use for troubleshooting. The following table lists important log files in this phase.
Log files
Applies to
This is a 400 level topic (advanced).
See Resolve Windows 10 upgrade errors for a full list of topics in this article.
Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is setupact.log. The log files are located in a different folder depending on the Windows Setup phase. Recall that you can determine the phase from the extend code.
Also see the Windows Error Reporting section in this document for help locating error codes and log files.
The following table describes some log files and how to use them for troubleshooting purposes:
| Log file | Phase: Location | Description | When to use |
| setupact.log | Down-Level: $Windows. BT\Sources\Panther | Contains information about setup actions during the downlevel phase. | All down-level failures and starting point for rollback investigations. This is the most important log for diagnosing setup issues. |
| OOBE: $Windows. BT\Sources\Panther\UnattendGC | Contains information about actions during the OOBE phase. | Investigating rollbacks that failed during OOBE phase and operations – 0x4001C, 0x4001D, 0x4001E, 0x4001F. | |
| Rollback: $Windows. BT\Sources\Rollback | Contains information about actions during rollback. | Investigating generic rollbacks — 0xC1900101. | |
| Pre-initialization (prior to downlevel): Windows | Contains information about initializing setup. | If setup fails to launch. | |
| Post-upgrade (after OOBE): Windows\Panther | Contains information about setup actions during the installation. | Investigate post-upgrade related issues. | |
| setuperr.log | Same as setupact.log | Contains information about setup errors during the installation. | Review all errors encountered during the installation phase. |
| miglog.xml | Post-upgrade (after OOBE): Windows\Panther | Contains information about what was migrated during the installation. | Identify post upgrade data migration issues. |
| BlueBox.log | Down-Level: Windows\Logs\Mosetup | Contains information communication between setup.exe and Windows Update. | Use during WSUS and WU down-level failures or for 0xC1900107. |
| Supplemental rollback logs: Setupmem.dmp setupapi.dev.log Event logs (*.evtx) | $Windows. BT\Sources\Rollback | Additional logs collected during rollback. | Setupmem.dmp: If OS bug checks during upgrade, setup will attempt to extract a mini-dump. Setupapi: Device install issues — 0x30018 Event logs: Generic rollbacks (0xC1900101) or unexpected reboots. |
Log entry structure
A setupact.log or setuperr.log entry (files are located at C:\Windows) includes the following elements:
- The date and time — 2016-09-08 09:20:05.
- The log level — Info, Warning, Error, Fatal Error.
- The logging component — CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS.
- The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are particularly useful for troubleshooting Windows Setup errors.
- The message — Operation completed successfully.
See the following example:
| Date/Time | Log level | Component | Message |
|---|---|---|---|
| 2016-09-08 09:23:50, | Warning | MIG | Could not replace object C:\Users\name\Cookies. Target Object cannot be removed. |
Analyze log files
The following instructions are meant for IT professionals. Also see the Upgrade error codes section in this guide to familiarize yourself with result codes and extend codes.
To analyze Windows Setup log files:
- Determine the Windows Setup error code. This code should be returned by Windows Setup if it is not successful with the upgrade process.
- Based on the extend code portion of the error code, determine the type and location of a log files to investigate.
- Open the log file in a text editor, such as notepad.
- Using the result code portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the «abort» and abandoning» text strings described in step 7 below.
- To find the last occurrence of the result code:
- Scroll to the bottom of the file and click after the last character.
- Click Edit .
- Click Find .
- Type the result code.
- Under Direction select Up.
- Click Find Next.
- When you have located the last occurrence of the result code, scroll up a few lines from this location in the file and review the processes that failed just prior to generating the result code.
- Search for the following important text strings:
- Shell application requested abort
- Abandoning apply due to error for object
- Decode Win32 errors that appear in this section.
- Write down the timestamp for the observed errors in this section.
- Search other log files for additional information matching these timestamps or errors.
For example, assume that the error code for an error is 0x8007042B — 0x2000D. Searching for «8007042B» reveals the following content from the setuperr.log file:
Some lines in the text below are shortened to enhance readability. The date and time at the start of each line (ex: 2016-10-05 15:27:08) is shortened to minutes and seconds, and the certificate file name which is a long text string is shortened to just «CN.»
The first line indicates there was an error 0x00000570 with the file C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN] (shown below):
The error 0x00000570 is a Win32 error code corresponding to: ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable.
Therefore, Windows Setup failed because it was not able to migrate the corrupt file C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18[CN]. This file is a local system certificate and can be safely deleted. Searching the setupact.log file for additional details, the phrase «Shell application requested abort» is found in a location with the same timestamp as the lines in setuperr.log. This confirms our suspicion that this file is the cause of the upgrade failure:
This analysis indicates that the Windows upgrade error can be resolved by deleting the C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18[CN] file. Note: In this example, the full, unshortened file name is C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f.
