Содержание

Windows Vista, Windows 7, Windows Server 2008 R2, Windows 8.1, and Windows 10 setup log file locations
Introduction
Down-level phase
Windows Preinstallation Environment phase
Online configuration phase
Windows Welcome phase
Rollback phase
Global Logger Trace Session
Limitations of the Global Logger Trace Session
Global Logger Registry Entries
Logging Mode Constants

Windows Vista, Windows 7, Windows Server 2008 R2, Windows 8.1, and Windows 10 setup log file locations

This article describes where to locate these log files and which log files are most useful for troubleshooting each setup phase of Windows 7, of Windows Server 2008 R2, and of Windows Vista.

Original product version: В Windows 10 — all editions, Windows Server 2019, Windows Server 2016
Original KB number: В 927521

Introduction

Windows setup log files are in different locations on the hard disk. These locations depend on the setup phase.

Support for Windows Vista without any service packs installed ended on April 13, 2010. To continue receiving security updates for Windows, make sure you’re running Windows Vista with Service Pack 2 (SP2). For more information, see Windows XP support has ended.

Down-level phase

The downlevel phase is the Windows setup phase that is running within the previous operating system. The following table lists important log files in this setup phase.

Log file	Description
C:\WINDOWS\setupapi.log	Contains information about device changes, driver changes, and major system changes, such as service pack installations and hotfix installations. This log file is used only by Microsoft Windows XP and earlier versions.
C:$WINDOWS. BT\Sources\Panther\setupact.log	Contains information about setup actions during the installation.
C:$WINDOWS. BT\Sources\Panther\setuperr.log	Contains information about setup errors during the installation.
C:$WINDOWS. BT\Sources\Panther\miglog.xml	Contains information about the user directory structure. This information includes security identifiers (SIDs).
C:$WINDOWS. BT\Sources\Panther\PreGatherPnPList.log	Contains information about the initial capture of devices that are on the system during the downlevel phase.

Windows Preinstallation Environment phase

The Windows Preinstallation Environment (Windows PE or WinPE) phase is the Windows setup phase that occurs after the restart at the end of the downlevel phase, or when you start the computer by using the Windows installation media. The following table lists important log files in this setup phase.

Log file	Description
X:$WINDOWS. BT\Sources\Panther\setupact.log	Contains information about setup actions during the installation.
X:$WINDOWS. BT\Sources\Panther\setuperr.log	Contains information about setup errors during the installation.
X:$WINDOWS. BT\Sources\Panther\miglog.xml	Contains information about the user directory structure. This information includes security identifiers (SIDs).
X:$WINDOWS. BT\Sources\Panther\PreGatherPnPList.log	Contains information about the initial capture of devices that are on the system during the downlevel phase.
or
C:$WINDOWS. BT\Sources\Panther\setupact.log	Contains information about setup actions during the installation.
C:$WINDOWS. BT\Sources\Panther\setuperr.log	Contains information about setup errors during the installation.
C:$WINDOWS. BT\Sources\Panther\miglog.xml	Contains information about the user directory structure. This information includes security identifiers (SIDs).
C:$WINDOWS. BT\Sources\Panther\PreGatherPnPList.log	Contains information about the initial capture of devices that are on the system during the downlevel phase.

You may also see a log file in the X:\WINDOWS directory. The Setupact.log file in this directory contains information about the progress of the initial options that are selected on the Windows installation screen. The Windows installation screen appears when you start the computer by using the Windows installation media. After you select Install now from the Windows installation screen, the Setup.exe file starts, and this log file is no longer used.

Online configuration phase

The online configuration phase (the first boot phase) starts when you receive the following message:

Please wait a moment while Windows prepares to start for the first time.

During this phase, basic hardware support is installed. If it’s an upgrade installation, data and programs are also migrated. The following table lists important log files in this setup phase.

Log file	Description
C:\WINDOWS\PANTHER\setupact.log	Contains information about setup actions during the installation.
C:\WINDOWS\PANTHER\setuperr.log	Contains information about setup errors during the installation.
C:\WINDOWS\PANTHER\miglog.xml	Contains information about the user directory structure. This information includes security identifiers (SIDs).
C:\WINDOWS\INF\setupapi.dev.log	Contains information about Plug and Play devices and driver installation.
C:\WINDOWS\INF\setupapi.app.log	Contains information about application installation.
C:\WINDOWS\Panther\PostGatherPnPList.log	Contains information about the capture of devices that are on the system after the online configuration phase.
C:\WINDOWS\Panther\PreGatherPnPList.log	Contains information about the initial capture of devices that are on the system during the downlevel phase.

Windows Welcome phase

The Windows Welcome phase includes the following options and events:

It provides the options to create user accounts.
It provides the option to specify a name for the computer.
The Windows System Assessment Tool (Winsat.exe) finishes performance testing to determine the Windows Experience Index rating.

The Windows Welcome phase is the final setup phase before a user signs in. The following table lists important log files in this setup phase.

Log file	Description
C:\WINDOWS\PANTHER\setupact.log	Contains information about setup actions during the installation.
C:\WINDOWS\PANTHER\setuperr.log	Contains information about setup errors during the installation.
C:\WINDOWS\PANTHER\miglog.xml	Contains information about the user directory structure. This information includes security identifiers (SIDs).
C:\WINDOWS\INF\setupapi.dev.log	Contains information about Plug and Play devices and driver installation.
C:\WINDOWS\INF\setupapi.app.log	Contains information about application installation.
C:\WINDOWS\Panther\PostGatherPnPList.log	Contains information about the capture of devices that are on the system after the online configuration phase.
C:\WINDOWS\Panther\PreGatherPnPList.log	Contains information about the initial capture of devices that are on the system during the downlevel phase.
C:\WINDOWS\Performance\Winsat\winsat.log	Contains information about the Windows System Assessment Tool performance testing results.

Rollback phase

If a Windows upgrade installation fails, and you’ve successfully rolled back the installation to the previous operating system desktop, there are several log files that you can use for troubleshooting. The following table lists important log files in this phase.

Global Logger Trace Session

A Global Logger trace session records events that occur during the boot process before the system is fully operational, such as events generated by device drivers. It is a reserved trace session that is built into Windows.

Global Logger trace sessions always write messages to a trace log. Global Logger does not support real-time trace sessions or buffered trace sessions.

Because Global Logger must be available early in the operating system boot process, it is started and configured by using registry entries (in the HKLM\SYSTEM\CurrentControlSet\Control\WMI\GlobalLogger subkey), instead of function calls. After starting, the Global Logger behaves like a regular event tracing session.

The Global Logger trace session uses a reserved session name, «GlobalLogger.» The control GUID is represented by the constant, GlobalLoggerGuid. You create a Global Logger trace session, and then restart the computer to start the trace session. Only one Global Logger trace session can run on the computer at a time.

To create a Global Logger trace session, use Tracelog. It automatically creates the registry subkey and entries that store trace session options. The Global Logger trace session starts when you restart the computer. For more information, see Tracelog Command Syntax.

To format the trace messages from a Global Logger trace session, use Tracefmt with system.tmf, a trace message format file included in the WDK.

Because the Global Logger session is triggered by registry entries, it runs every time that the entries appear in the registry. To prevent the Global Logger session from starting every time the system starts, set the value of the Start entry to 0 or delete all of the registry entries.

You can convert a Global Logger trace session to an NT Kernel Logger trace session, thereby tracing the kernel during the boot process. For information, see Boot-time Global Logger Session

Trace providers, such as kernel-mode drivers and user-mode applications, can log to the Global Logger trace session. This enables you to trace a driver or other trace provider during system boot. For information, see Logging to the Global Logger Session

Limitations of the Global Logger Trace Session

The Global Logger trace session is very useful, but it’s important to be aware of its limitations:

You can run only one Global Logger session at a time.

The Global Logger session does not send enable notification to providers.

The Global Logger registry entries remain in the registry and are effective until you reset or delete them manually, or use the tracelog -remove command. Until you reset them, the Global Logger session starts every time you start the system.

The Windows ACPI logger is permanently enabled for the Global Logger trace session. The trace messages from this logger appear in the trace log.

If a standard trace session starts while a driver is logging to the Global Logger session, the driver switches and starts logging to the standard trace session.

Global Logger Registry Entries

The following table shows the registry entries that configure the Global Logger session. These entries are in the HKLM\SYSTEM\CurrentControlSet\Control\WMI\GlobalLogger subkey. Only the Start entry is required.

In addition to the registry entries in this table, you can also add a ControlGUID subkey under the GlobalLogger subkey to represent a trace provider, such as a driver, that logs to the Global Logger trace session. For information, see Logging to the Global Logger Session.

Start

When set to 1 (on), the Global Logger session starts the next time the system starts.

0 = off, 1=on

BufferSize

Specifies the size of each buffer (in KB). The default value is 0x40 (64 KB).

ClockType

Specifies the timer used for trace message time stamps.

Beginning with Windows Vista, the default value is 1. On operating systems prior to Windows Vista, the default value is 2.

1 = Performance counter value (high resolution)

2 = System timer

3 = CPU cycle clock

EnableKernelFlags

Converts the Global Logger session to an NT Kernel Logger trace session and specifies the events included in the kernel trace.

FileCounter

Stores the number of event trace log files generated by Global Logger sessions.

The system increments this value until it reaches the value of FileMax. Then, it resets the value to 0.

This counter prevents the system from overwriting a Global Logger trace log file.

FileMax

Specifies the maximum number of event trace log files permitted on the system.

When the number of trace logs reaches the specified maximum, the system begins to overwrite the logs, beginning with the oldest.

The default value is 0, meaning that there is no maximum.

FileName

Path (optional) and file name of the event trace log file. The default is %SystemRoot%\System32\LogFiles\WMI\trace.log.

FlushTimer

Specifies how often (in seconds) the trace buffers are forcibly flushed. This forced flush is in addition to the automatic flush that occurs whenever a buffer is full and when the trace session stops.

The default value is 0. By default, buffers are flushed only when they are full.

The minimum flush time is 1 second.

LogFileMode

Specifies log session options.

Supported only in Windows Vista and later versions of Windows.

MaximumBuffers

Specifies the maximum number of buffers that can be allocated for the session. The default value is 0x19 (25).

MaximumFileSize

Specifies the maximum size of the event trace log file. By default, there is no maximum file size.

MinimumBuffers

Specifies the number of buffers allocated when the session starts. The default value is 0x3.

Status

Stores the return code from the attempt to start a Global Logger trace session.

If the session failed to start, the value of this entry is a Win32 error code. If the session started, the value of this entry is ERROR_SUCCESS.

These registry entries that you create remain in the registry and are effective until you delete them or change their values. Therefore, after the Global Logger session has run, use the tracelog -remove GlobalLogger command to set the value of the Start entry to 0 and delete the other Global Logger registry entries. Otherwise, the Global Logger session runs every time that you restart the computer, and the resulting log file can grow very large.

Logging Mode Constants

The following table displays the valid values for the LogFileMode registry entry in the HKLM\System\CurrentControlSet\Control\WMI\GlobalLogger subkey. This entry is used to set options for a Global Logger trace session, including those for real-time trace sessions, private trace sessions, circular logging, and buffering (no log). This registry entry is supported only in Windows Vista and later versions of Windows.

This registry entry corresponds to the LogFileMode member of the EVENT_TRACE_PROPERTIES structure. Its values correspond to the Logging Mode Constants. The EVENT_TRACE_PROPERTIES structure and the Logging Mode Constants are described in the Microsoft Windows SDK documentation.

This table is displayed here to show the hexadecimal values of the constants. Use these values or a sum of these values to represent the constant in the LogFileMode registry entry.