Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to find information about Windows 8 Modern App updates.

Hey, Scripting Guy! I love my Windows 8 laptop, and I also love my Windows RT Surface. One of the things that is a bit annoying is that it seems every time I turn on the computer, or my Surface, the Store says that updates are available. I mean, dude, this is crazy. Every day it is a different app. I am wondering if this information is logged anywhere. Maybe it's my imagination, and it's not really every day. Can you help?

—EP

Hello EP,

Microsoft Scripting Guy, Ed Wilson, is here. Well, things are humming right along in Charlotte, North Carolina. The weekend was warm, but a bit of rain kind of sogged our day. Today, I am anxiously watching for the package delivery truck, and so every time I hear a low engine rumble on my street, I jump up and look out the window to see if a delivery arrives. Why? Well, I am looking for my new laptop. It might not be here … after all, I have been watching for nearly a month, but hey, one can always hope. It is bound to be a day closer than it was yesterday.

Examining the event log

App updates are handled by the Windows Update Client. As such, all automatic download information is recorded in the System event log. When updates are downloaded, the WindowsUpdateClient source generates an Event ID 17 entry. This means that the information you seek is available in the Windows event log. Examining one of these entries is always a good first step. This is shown here.

 

Now that I know what I am looking for, I can use Windows PowerShell to query the System event log, look for Event ID 17, and return the event log entries. Here is the code I derived by using the Get-EventLog cmdlet.

Get-EventLog -LogName system -Newest 20 -InstanceId 17

When I run the command, a lot of information is displayed that I am not particularly interested in seeing. The command and the associated output are shown here.

Image of command output

The output is basically useless. Except for one thing—it lets me know that my initial supposition is incorrect. It appears that more than Windows Update has an event ID 17 defined. This is shown here.

25184 Feb 20 10:57  Information Microsoft-Windows...           17 Protocol NIC...

So, I need to change my query just a little bit. I need to specify the source of the event, which is: Microsoft-Windows-WindowsUpdateClient. The problem with this is that it is an awful lot of typing. Maybe it will accept a wildcard … hmmmm, I wonder. So, I modify my command as shown here.

Get-EventLog -LogName system -Newest 20 -InstanceId 17 -Source *update*

As seen in the image that follows, the query works, but it does not help on the actual information front. I am still missing the information I need.

Image of command output

Here is my revised query.

Get-EventLog -LogName system -Newest 20 -InstanceId 17 -Source *update* | select timewritten,message | ft -AutoSize -Wrap

The command and the output associated with the command are shown here.

Image of command output
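To answer the "is it really every day?" part of the question, the following added example (not code from the original post) counts how many distinct days in a look-back window have an Event ID 17 entry from the full source name, Microsoft-Windows-WindowsUpdateClient. It uses Get-WinEvent with a filter hashtable instead of the post's Get-EventLog, so other sources that also define Event ID 17 are excluded at query time. The function name, the -InputEvent parameter, the 30-day default, and the sample events are assumptions made for illustration.

```powershell
# Added example: count the days on which the Windows Update client logged Event ID 17.
function Get-UpdateDownloadDay {              # hypothetical helper name
    param(
        [int]$Days = 30,                      # assumed look-back window
        [object[]]$InputEvent                 # optional: pre-fetched or sample events
    )
    $since = (Get-Date).AddDays(-$Days)
    if (-not $PSBoundParameters.ContainsKey('InputEvent')) {
        $filter = @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-WindowsUpdateClient'   # full source name
            Id           = 17
            StartTime    = $since
        }
        # Get-WinEvent writes an error when nothing matches; treat that as "no events".
        $InputEvent = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    }
    # Keep only events inside the window, then group them by calendar day.
    $byDay = @($InputEvent |
        Where-Object { $_.TimeCreated -ge $since } |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
        Sort-Object Name)
    [pscustomobject]@{
        WindowDays        = $Days
        DaysWithDownloads = $byDay.Count
        PerDay            = $byDay |
            Select-Object @{n='Day';e={$_.Name}}, @{n='Downloads';e={$_.Count}}
    }
}

# Constructed sample events (not real log data) so the grouping can be checked offline.
$today  = (Get-Date).Date
$sample = @(
    [pscustomobject]@{ TimeCreated = $today.AddDays(-1).AddHours(9);  Message = 'sample A' }
    [pscustomobject]@{ TimeCreated = $today.AddDays(-1).AddHours(15); Message = 'sample B' }
    [pscustomobject]@{ TimeCreated = $today.AddDays(-3).AddHours(11); Message = 'sample C' }
    [pscustomobject]@{ TimeCreated = $today.AddDays(-10);             Message = 'outside the window' }
)
$result = Get-UpdateDownloadDay -Days 7 -InputEvent $sample
$result.PerDay | Format-Table -AutoSize
'{0} of the last {1} days had downloads' -f $result.DaysWithDownloads, $result.WindowDays
```

Calling Get-UpdateDownloadDay without -InputEvent runs the same summary against the live System log.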

EP, that is all there is to using Windows PowerShell to find information about Windows 8 modern app updates. Join me tomorrow when I will talk about finding which apps are requiring the most updates.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy