{"id":31098,"date":"2022-12-21T11:41:12","date_gmt":"2022-12-21T06:11:12","guid":{"rendered":"http:\/\/198.58.113.91\/blog\/?p=31098"},"modified":"2025-04-11T08:55:40","modified_gmt":"2025-04-11T03:25:40","slug":"collect-diagnostic-logs-windows","status":"publish","type":"post","link":"https:\/\/www.winhelponline.com\/blog\/collect-diagnostic-logs-windows\/","title":{"rendered":"How to Collect Diagnostic Logs in Windows"},"content":{"rendered":"<p>There are many different types of diagnostic logs in Windows. Each log is to diagnose a specific component. The Windows Update client creates the Windows Update ETL or Windows Update log files, the Component-Based Servicing uses &#8220;cbs.log&#8221;, and the DISM tool writes to &#8220;dism.log&#8221;, etc.<!--more--><\/p>\n<p>Besides the native logs, you can use specialized tools (e.g., Autoruns, FRST64, Process Monitor, etc.) to collect information for troubleshooting.<\/p>\n<div id=\"toc\">\n<p><strong>Contents<\/strong><\/p>\n<ul>\n<li><a href=\"#cbs\">CBS and DISM logs<\/a><\/li>\n<li><a href=\"#setupdiag\">Windows Setup<\/a><\/li>\n<li><a href=\"#msinfo32\">System Information Tool (MSINFO32.exe)<\/a><\/li>\n<li><a href=\"#autoruns\">Autoruns<\/a><\/li>\n<li><a href=\"#frst\">Farbar Recovery Scan Tool<\/a><\/li>\n<li><a href=\"#evtx\">Windows Event logs<\/a><\/li>\n<\/ul>\n<\/div>\n<h2><a id=\"cbs\"><\/a>CBS and DISM Logs<\/h2>\n<p>The <strong>CBS log<\/strong> is used by Component Based Servicing (<code>TrustedInstaller.exe<\/code>), which is responsible for applying updates and features. Every update you install or every component you remove or repair (using DISM or PowerShell) is recorded in the CBS.log. Additionally, the System File Checker (<code>Sfc.exe<\/code>) logs the repair operations in CBS.log. The CBS.log file is located here:<\/p>\n<pre>C:\\Windows\\Logs\\CBS\\<\/pre>\n<div class=\"qt\">When the CBS.log file size becomes huge, Windows archives the contents of the log into separate CAB files. The archived log files (.CAB) have the following naming convention:<br \/>\n<code>CbsPersist_&lt;timestamp&gt;.cab<\/code>Example:<code>CbsPersist_20221220170129.cab<\/code><\/div>\n<p>The <strong>DISM log<\/strong> is created when you run the DISM.exe console tool. It contains the summary of events that occurred when running a DISM command. The DISM.log file is located here:<\/p>\n<pre>C:\\Windows\\Logs\\DISM\\<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-9189\" src=\"https:\/\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/08\/information-icon.png\" alt=\"\" width=\"24\" height=\"24\" \/><em>When DISM installs or repairs a component or feature, it logs the details into CBS.log. Hence it&#8217;s recommended to collect both CBS and DISM logs for analysis.<\/em><\/p>\n<h4>Collecting the CBS and DISM logs<\/h4>\n<p>To collect the CBS and DISM logs so you can share them with someone, follow these steps:<\/p>\n<ol>\n<li>Open the folder &#8220;<code>C:\\Windows\\Logs\\<\/code>&#8220;<\/li>\n<li>Select the two folders, namely, <strong>CBS<\/strong> and <strong>DISM<\/strong>.<\/li>\n<li>Right-click on the selection, and click Send to \u2192 Compressed (zipped) folder.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-31099\" src=\"https:\/\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/12\/cbs-logs-collect.png\" alt=\"CBS send to compressed folder\" width=\"575\" height=\"235\" \/><br \/>\nIf you&#8217;re using Windows 11, click &#8220;Show more options&#8221; in the right-click menu, and click Send to \u2192 Compressed (zipped) folder. Alternatively, click the &#8220;Compress to ZIP file&#8221; option in the fast context menu.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-31100\" src=\"https:\/\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/12\/cbs-logs-windows-11.png\" alt=\"CBS create zip folder\" width=\"766\" height=\"472\" \/><\/li>\n<li>Click Yes when you see the following prompt:<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-31101\" src=\"https:\/\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/12\/cbs-logs-windows-11-2.png\" alt=\"create zip folder on desktop\" width=\"421\" height=\"157\" \/><br \/>\n<em>Windows cannot create the Compressed (zipped) Folder here. <\/em><em>Do you want it to be placed on the desktop instead?<\/em><\/li>\n<\/ol>\n<p>That&#8217;s it. The Zip file is saved to your desktop.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-31102\" src=\"https:\/\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/12\/cbs-logs-windows-11-3.png\" alt=\"CBS and DISM logs zipped\" width=\"564\" height=\"277\" \/><\/p>\n<div class=\"qt\">\n<h4><a id=\"cbs_ps\"><\/a>Command-line method to collect CBS and DISM logs<\/h4>\n<p>To collect the CBS and DISM logs and automatically save them to a .zip file on your desktop, open PowerShell admin and run this command:<\/p>\n<pre class=\"powershell\">GCI -Path 'c:\\windows\\logs\\cbs\\*.*',  'c:\\windows\\logs\\dism\\dism.log' | Compress-Archive -destination (join-path ([environment]::GetFolderPath('Desktop')) \\CBS.zip) -update<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/12\/powershell-collect-cbs-dism-logs-zip.png\" alt=\"powershell collect cbs and dism logs into a .zip file\" width=\"752\" height=\"121\" class=\"alignnone size-full wp-image-77910\" \/><\/p>\n<p>This creates the CBS.zip file on your desktop.\n<\/p><\/div>\n<hr>\n<h2><a id=\"setupdiag\"><\/a>Windows Setup Logs<\/h2>\n<p>Windows Setup creates log files for all actions that occur during installation. If you&#8217;re experiencing problems installing Windows, check the log files to help troubleshoot the installation. The log file names and the locations are mentioned in the article\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/troubleshoot\/windows-client\/deployment\/windows-setup-log-file-locations\" target=\"_blank\" rel=\"noopener\">Windows setup log file locations &#8211; Windows Client<\/a>.<\/p>\n<p>The best way to collect the setup logs is by running <strong>SetupDiag<\/strong>.\u00a0SetupDiag is a diagnostic tool that can be used to obtain details about why a Windows 10\/11 upgrade was unsuccessful.<\/p>\n<p>Download <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/deployment\/upgrade\/setupdiag\"><strong>SetupDiag<\/strong><\/a><\/p>\n<p>SetupDiag works by examining Windows Setup log files. It attempts to parse these log files to determine the root cause of a failure to update or upgrade the computer to Windows 10. or 11. SetupDiag can be run on the computer that failed to update, or you can export logs from the computer to another location and run SetupDiag in offline mode.<\/p>\n<p>The tool collects the setup logs and saves them into a zip file named Logs.zip on your desktop.<\/p>\n<h2><a id=\"msinfo32\"><\/a>System Information Tool (MSINFO32.exe) log<\/h2>\n<p>The built-in Microsoft System Information (Msinfo32.exe) tool in Windows gathers information about your computer. It displays a comprehensive view of your hardware, system components, and software environment, which you can use to diagnose computer issues. <strong>REF:<\/strong> <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/description-of-microsoft-system-information-msinfo32-exe-tool-10d335d8-5834-90b4-8452-42c58e61f9fc\" target=\"_blank\" rel=\"noopener\">Description of Microsoft System Information (Msinfo32.exe) Tool<\/a>.<\/p>\n<p>You can view the list of services and drivers and their configuration, the loaded modules list, and other helpful information using MSINFO32. The MSINFO32.exe report can be generated by pressing Ctrl + S and saving the entries to an .NFO file. Make sure to run the tool as administrator.<\/p>\n<p>For detailed information, check out the post\u00a0<a href=\"https:\/\/www.winhelponline.com\/blog\/msinfo32-generate-system-info-report\/\">Generate a System Information Report using MSINFO32<\/a><\/p>\n<h2><a id=\"autoruns\"><\/a>Autoruns Log (.ARN)<\/h2>\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/sysinternals\/downloads\/autoruns\" target=\"_blank\" rel=\"noopener\">Autoruns<\/a> (from Microsoft Sysinternals), which has the most comprehensive knowledge of <a href=\"https:\/\/www.winhelponline.com\/blog\/clean-boot-windows-autoruns\/\">auto-starting locations<\/a> of any startup monitor, shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer, and media players.\u00a0Autoruns is an excellent tool that can be used to locate and remove malware from the startup launch points on the computer.<\/p>\n<p>Here is how to save the Autoruns log if you wish to send it to someone for analysis.<\/p>\n<ol>\n<li>Download <a href=\"https:\/\/live.sysinternals.com\/autoruns.exe\" target=\"_blank\" rel=\"noopener\">Autoruns<\/a> from Microsoft, and run it as administrator.<\/li>\n<li>In the Autoruns window, press &#8220;Esc&#8221; to stop the entries from loading.<\/li>\n<li>From the Options menu, click &#8220;Scan Options&#8230;&#8221;<\/li>\n<li>Click &#8220;Verify code signatures&#8221; to enable it.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-33638\" src=\"https:\/\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/12\/autoruns-code-signatures.png\" alt=\"Autoruns verify code signatures\" width=\"298\" height=\"173\" \/><\/li>\n<li>Click Rescan, and wait for the entries to populate.<\/li>\n<li>Once the items are loaded, press Ctrl + S and save the entries to an .ARN file.<\/li>\n<li>Zip the .ARN file and upload it on OneDrive\/Dropbox.<\/li>\n<\/ol>\n<h2><a id=\"frst\"><\/a>Farbar Recovery Scan Tool<\/h2>\n<p>Farbar Recovery Scan Tool, or FRST, is a powerful tool that runs on all Windows Operating Systems. The main objective of this tool is to diagnose malware issues, but you can do much more with this tool. Both 32-bit and 64-bit versions of the Farbar Recovery Scan Tool are available. Please pick the version that matches your operating system&#8217;s <a href=\"https:\/\/www.winhelponline.com\/blog\/find-windows-10-build-version-edition-bit\/\">bit type<\/a>.<\/p>\n<p>Download Farbar Recovery Scan Tool (FRST64.exe) from the following link:<\/p>\n<pre>https:\/\/www.bleepingcomputer.com\/download\/farbar-recovery-scan-tool\/<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-38061\" src=\"https:\/\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/12\/farbar.png\" alt=\"Farbar Recovery Scan Tool - FRST - FRST64.exe\" width=\"551\" height=\"348\" \/><\/p>\n<ul>\n<li>Run the Farbar Recovery Scan Tool. [FRST.exe (32-bit) or FRST64.exe (64-bit)]<\/li>\n<li>Leave it at the default settings unless otherwise instructed, and click &#8220;<strong>Scan<\/strong>&#8220;.<\/li>\n<li>Share the two logs, <strong>FRST.txt<\/strong> and <strong>Addition.txt<\/strong>, with the support personnel trying to help you.<\/li>\n<\/ul>\n<h4>How does it work?<\/h4>\n<p>FRST64.exe doesn&#8217;t remove anything when you click &#8220;Scan&#8221;. It only scans all the launch points, services, and drivers and outputs them to the log file(s). After seeing the logs, the support technician will prepare a <strong>fixlist.txt<\/strong> file containing some directives. Then, the <strong>fixlist.txt<\/strong> script needs to be executed using the Farbar Recovery Scan Tool. Here are the instructions.<\/p>\n<ul>\n<li>After sharing <strong>FRST.txt<\/strong> and <strong>Addition.txt<\/strong> with the support technician, wait for him to prepare a <strong>fixlist.txt<\/strong> file for you.<\/li>\n<li>Once available, get the <strong>fixlist.txt<\/strong> from the technician.<\/li>\n<li>Make sure FRST64.exe and FixList.txt are in the <strong>same<\/strong> folder.<\/li>\n<li>Launch FRST64.exe and click &#8220;<strong>Fix<\/strong>&#8220;.<\/li>\n<li>Share the output log file (FixLog.txt) with the support technician. This log file will contain the result of each operation specified in fixlist.txt.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2><a id=\"evtx\"><\/a>Windows Event logs<\/h2>\n<p>Event logs store records of significant events on behalf of the system and applications running on the system. You can export an event log via the Event Viewer console.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.winhelponline.com\/blog\/wp-content\/uploads\/2023\/06\/export-event-log-1.png\" alt=\"export event logs evtx\" width=\"744\" height=\"510\" class=\"alignnone size-full wp-image-50680\" \/><\/p>\n<p>For more information, see the article <a href=\"https:\/\/www.winhelponline.com\/blog\/export-event-logs-event-viewer\/\">How to Export Windows Event Logs from Event Viewer<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There are many different types of diagnostic logs in Windows. Each log is to diagnose a specific component. The Windows Update client creates the Windows Update ETL or Windows Update log files, the Component-Based Servicing uses &#8220;cbs.log&#8221;, and the DISM tool writes to &#8220;dism.log&#8221;, etc.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[6,8,869],"tags":[160,983,951],"class_list":["post-31098","post","type-post","status-publish","format-standard","hentry","category-utilities","category-windows-10","category-windows-11","tag-dism","tag-farbar","tag-logs"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":80040,"url":"https:\/\/www.winhelponline.com\/blog\/dism-error-1-incorrect-function\/","url_meta":{"origin":31098,"position":0},"title":"[Fix] DISM Error 1: Incorrect Function","author":"Ramesh","date":"December 22, 2025","format":false,"excerpt":"When you run the component store cleanup or install a Feature-On-Demand package using DISM, the error code 1 may appear. C:\\Windows\\System32>DISM \/Online \/Cleanup-Image \/StartComponentCleanup Deployment Image Servicing and Management tool Version: 10.0.26100.5074 Image Version: 10.0.26100.7171 [===========================70.0%======== ] Error: 1 Incorrect function. The DISM log file can be found at C:\\WINDOWS\\Logs\\DISM\\dism.log\u2026","rel":"","context":"In &quot;Windows 10&quot;","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":31441,"url":"https:\/\/www.winhelponline.com\/blog\/error-0x800703e6-998-dism-windows-update\/","url_meta":{"origin":31098,"position":1},"title":"Errors 0x800703e6 (998) in DISM and Windows Update","author":"Ramesh","date":"January 2, 2023","format":false,"excerpt":"Symptoms Installing Windows Updates results in the error 0x800703e6 on a Windows 10 or 11 computer. The user is unable to install new updates or uninstall a previously installed update. Attempting to repair (in-place upgrade) the Windows installation using the Media Creation tool or the Update Assistant tool may fail\u2026","rel":"","context":"In &quot;Windows 10&quot;","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"cbscore.dll corrupt - file information","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2023\/01\/cbscore-dll-corrupted.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":19552,"url":"https:\/\/www.winhelponline.com\/blog\/error-0x80073712-windows-update-windows-10\/","url_meta":{"origin":31098,"position":2},"title":"How to Fix Windows Update Error 0x80073712","author":"Ramesh","date":"October 26, 2020","format":false,"excerpt":"When installing a cumulative update, .NET framework update, or a feature update, the error 0x80073712 occurs and stops the installation process. Here is the full error message verbatim: Some update files are missing or have problems. We'll try to download the update again later. Error code: (0x80073712). Cause The error\u2026","rel":"","context":"In &quot;Windows 10&quot;","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"80073712 windows update error","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2020\/10\/80073712.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2020\/10\/80073712.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2020\/10\/80073712.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2020\/10\/80073712.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":80286,"url":"https:\/\/www.winhelponline.com\/blog\/dism-error-1726-component-store-cleanup\/","url_meta":{"origin":31098,"position":3},"title":"DISM Error 1726 during Component Store Cleanup","author":"Ramesh","date":"February 20, 2026","format":false,"excerpt":"When you attempt to clean up the component store using the following DISM command on a Windows 11 24H2 or 25H2 system, the error code 1726 may occur. DISM \/Online \/Cleanup-Image \/StartComponentCleanup Deployment Image Servicing and Management tool Version: 10.0.26100.5074 Image Version: 10.0.26200.7462 [== 5.8% ] Error: 1726 The remote\u2026","rel":"","context":"In &quot;Windows 11&quot;","block_context":{"text":"Windows 11","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-11\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6740,"url":"https:\/\/www.winhelponline.com\/blog\/error-0x800f0954-net-framework-3-5-optional-feature-dism\/","url_meta":{"origin":31098,"position":4},"title":"[Fix] Error 0x800F0954 Installing .NET Framework 3.5 or Any Optional Feature","author":"Ramesh","date":"November 6, 2018","format":false,"excerpt":"When you attempt to install .NET Framework 3.5 or any other optional feature using \"Windows Features\" (optionalfeatures.exe) dialog or using DISM command-line, error 0x800F0954 may popup. After enabling .NET Framework 3.5 and clicking OK, the following error may appear: Windows couldn't complete the requested changes. The changes couldn't be completed.\u2026","rel":"","context":"In &quot;Windows 10&quot;","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"enable feature .net framework 3.5","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2018\/07\/net-framework-features.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":45978,"url":"https:\/\/www.winhelponline.com\/blog\/wfs-exe-missing-not-found\/","url_meta":{"origin":31098,"position":5},"title":"Error: WFS.exe is missing in Windows 10\/11","author":"Ramesh","date":"May 14, 2023","format":false,"excerpt":"When you try to launch Windows Fax and Scan by running its executable WFS.exe, you may encounter the following error: Windows cannot find 'c:\\windows\\system32\\wfs.exe'. Make sure you typed the name correctly, and then try again. The file wfs.exe may be missing in the Windows\\System32 folder. You may be wondering how\u2026","rel":"","context":"In &quot;Windows 10&quot;","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"wfs optional features","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2023\/05\/wfs-fax-scan-install.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2023\/05\/wfs-fax-scan-install.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2023\/05\/wfs-fax-scan-install.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts\/31098","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/comments?post=31098"}],"version-history":[{"count":0,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts\/31098\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/media?parent=31098"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/categories?post=31098"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/tags?post=31098"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}