Microsoft-Windows-WUSA
11 events across 2 channels
Event ID 1: DebugMessage.
Event ID 2: Windows update UpdateTitle was successfully installed.
Event ID 3: Windows update UpdateTitle could not be installed because of error ErrorCode "ErrorString" (Command line: "CommandLine").
Description
Windows update UpdateTitle could not be installed because of error ErrorCode "ErrorString" (Command line: "CommandLine").
Message
Fields

| Name | Type | Description |
|---|---|---|
| UpdateTitle | UnicodeString | |
| ErrorCode | UInt32 | |
| ErrorString | UnicodeString | |
| CommandLine | UnicodeString | |

Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-WUSA",
    "guid": "09608C12-C1DA-4104-A6FE-B959CF57560A",
    "event_source_name": "",
    "event_id": 3,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-17T05:28:30.595643+00:00",
    "event_record_id": 12,
    "correlation": {},
    "execution": {
      "process_id": 12988,
      "thread_id": 7580
    },
    "channel": "Setup",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "UpdateTitle": "",
    "ErrorCode": 2147942402,
    "ErrorString": "The system cannot find the file specified.",
    "CommandLine": "C:\\Windows\\system32\\wusa.exe C:\\Windows\\Temp\\Windows6.1-KB3033929-x64.msu /quiet /norestart"
  },
  "message": ""
}
```

Event ID 4: Windows update UpdateTitle requires a computer restart to complete the installation.
Event ID 5: This computer will restart to complete the installation of Windows update UpdateTitle (Command line: "CommandLine").
Event ID 6: The Windows Modules Installer must be updated before you can install this package (Command line: "CommandLine").
Event ID 7: Windows update UpdateTitle was successfully uninstalled.
Event ID 8: Windows update UpdateTitle could not be uninstalled because of error ErrorCode "ErrorString" (Command line: "CommandLine").
Description
Windows update UpdateTitle could not be uninstalled because of error ErrorCode "ErrorString" (Command line: "CommandLine").
Message
Fields

| Name | Type | Description |
|---|---|---|
| UpdateTitle | UnicodeString | |
| ErrorCode | UInt32 | |
| ErrorString | UnicodeString | |
| CommandLine | UnicodeString | |

Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-WUSA",
    "guid": "{09608c12-c1da-4104-a6fe-b959cf57560a}",
    "event_source_name": "",
    "event_id": 8,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-05-09 10:09:12.598618+00:00",
    "event_record_id": 171,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 3292,
      "thread_id": 6984
    },
    "channel": "Setup",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1000"
    }
  },
  "event_data": {
    "UpdateTitle": "",
    "ErrorCode": "2147942487",
    "ErrorString": "The parameter is incorrect.",
    "CommandLine": "\"C:\\Windows\\system32\\wusa.exe\" /uninstall /kb:5031988 /quiet /norestart "
  },
  "message": "Windows update could not be uninstalled because of error 2147942487 \"The parameter is incorrect.\" (Command line: \"\"C:\\Windows\\system32\\wusa.exe\" /uninstall /kb:5031988 /quiet /norestart \")"
}
```

Event ID 9: Windows update UpdateTitle requires a computer restart to finish uninstalling.
Event ID 10: This computer will restart to finish uninstalling Windows update UpdateTitle (Command line: "CommandLine").
Event ID 11: This operation cannot be completed.
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 09608c12-c1da-4104-a6fe-b959cf57560a
Defined in wusa.exe, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.4946, captured 2026-06-02