Deleting old Windows update logs in 25H2


cereberus

I was doing a disk cleanup and found 900+MB of Windows update logs, but no matter what I tried (various online solutions), they would not be removed.

I tried safe mode - no joy.

I tried manually to delete them and here is where I began to suspect my issue lay. Most of the logs deleted fine but three or four logs (or so) would not get deleted.

Often logs cumulate, i.e. new data is appended to existing logs and they just grow inexorably. So I wrote a simple batch file, then booted from Macrium Reflect and ran the batch file from its PE Explorer, and that worked, getting logs down to a few kb. All those stubborn logs got deleted.

Unfortunately, I see the logs have crept up again to 19.1 MB, and I tried to use batch file from Windows but back to stubborn files not being deleted.

So I guess I shall have to use my batch file using Macrium Reflect in preOS mode periodically.

I have no idea if other users are experiencing this issue or if it is a bug in 25H2 but at least I have a workaround.


Code:
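rem Switch to drive C: and change into its Windows directory
c:
cd/
cd windows
rem Delete all *.log files here and in subdirectories: /a any attribute, /s recurse, /q no prompt, /f force read-only
del *.log /a /s /q /f
pause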




Good morning @cereberus,

It's my understanding that if you boot up into Linux, you can then delete any file in Windows. I am sure others can confirm.

Kind regards,

tecknot
 

Did you run Disk Clean up as Admin?
 

Search for clean. It will show you diskcleaner. Start it. Choose the C-drive. There are some options here, but the *.old dir is a copy of Windows after an In-Place-Installment. It will not show up there. Click on clean systemfiles. Choose the C-drive again. In the following screen you can tag certain files like old Windows dirs, update files, etc. This is the only way this will work. Inside the Windows.old and other files or directories, there are files owned by the TrustedInstaller, the highest user on a Windows system. If you try to delete these files as admin, you get a lot of errors because Admin can't delete these files (not enough rights) owned by the TrustedInstaller.
With this program it can, because it will elevate itself to be the TrustedInstaller and delete the files with no problems.
 

> Good morning @cereberus,
>
> It's my understanding that if you boot up into Linux, you can then delete any file in Windows. I am sure others can confirm.
>
> Kind regards,
>
> tecknot

Sure but as I said, I boot into WinPE which worked.
 

> Search for clean. It will show you diskcleaner. Start it. Choose the C-drive. There are some options here, but the *.old dir is a copy of Windows after an In-Place-Installment. It will not show up there. Click on clean systemfiles. Choose the C-drive again. In the following screen you can tag certain files like old Windows dirs, update files, etc. This is the only way this will work. Inside the Windows.old and other files or directories, there are files owned by the TrustedInstaller, the highest user on a Windows system. If you try to delete these files as admin, you get a lot of errors because Admin can't delete these files (not enough rights) owned by the TrustedInstaller.
> With this program it can, because it will elevate itself to be the TrustedInstaller and delete the files with no problems.

The first thing I tried of course! Still did not delete logs using Windows - I do not think it is a trusted installer issue - more that some logs are not being released properly but I have solved the issue.

Actually I have another solution now as well. Image backup C drive specifically excluding log files and then immediately restoring image backup using Macrium Reflect. No real advantage though over manually deleting them in WinPE mode.
 

I use a program called HiBit Uninstaller that has a junk file scanner that will remove all these files. It will do it directly within Windows.
 

You need to stop Windows Event Log service.



For a deeper cleanup, you need to stop some services and processes. I use this.

 

> The first thing I tried of course! Still did not delete logs using Windows - I do not think it is a trusted installer issue - more that some logs are not being released properly but I have solved the issue.
>
> Actually I have another solution now as well. Image backup C drive specifically excluding log files and then immediately restoring image backup using Macrium Reflect. No real advantage though over manually deleting them in WinPE mode.

This clean option is only for old Windows stuff that isn't used any more or some backups. It is the TrustedInstaller that owns many files in the Windows and Windows.old directory. (E.g. just look inside the Component Store, C:\Windows\WinSxS. Admin can read, execute, and show you the content of the dirs, but can't delete them. Only TrustedInstaller can. It has all the rights.) You can't delete them using Admin!

But as you would probably also know, you can't delete log files if they are in use. If you want to delete them you must kill the process or stop the service that is holding it. Backup software cannot access them during a backup either. It's not that important to back up these kinds of files. Services etc. write into them when needed. Their content is related to the moments that the service/process is running. At an offline restore that log file will be missing. But when the restore is complete and, after a reboot of the PC, that service is started again, it sees that the log file is missing and creates a new and empty file. When needed it writes into it again.

If you would stop the service and look inside this log file, it knows nothing about the time before the restore. It's only valid when Windows is running. From that perspective this is some kind of temporary file also. This is why you can't find an earlier date prior to the latest restore or In-place-Installment. Just look inside the C:\Windows\Logs\DISM\dism.log file. It is possible to delete these files by using the Windows Recovery Environment and CMD, but not all of them. This environment is the bare minimum of what's needed to run Windows. There are log files locked because of the needed services that run at that moment.

The user TrustedInstaller has its own service called Windows Modules Installer. It is only active during updates and DISM/SFC operations, and shuts down 2 minutes after the operation has finished. (Ending TrustedInstaller finalization, inside the CBS.log.)
 

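The two explanations argued in this thread (logs that cannot be deleted because of TrustedInstaller ownership versus logs held open by a running service) can be told apart per file before anything is deleted. The PowerShell script below is an added example, not code from any poster; it only reads, and the names `$Root`, `Test-LogFileState` and `Get-LogOwner` are hypothetical.

```powershell
# Added example: read-only triage of *.log files; nothing is deleted or changed.
# Run from an elevated PowerShell prompt. $Root, Test-LogFileState and
# Get-LogOwner are hypothetical names chosen for this example.
param([string]$Root = $env:SystemRoot)

function Test-LogFileState {
    param([System.IO.FileInfo]$File)
    if ($File.IsReadOnly) { return 'ReadOnly' }      # needs "del /f", not a lock
    try {
        # An exclusive open fails while any other process has the file open.
        $stream = [System.IO.File]::Open($File.FullName, 'Open', 'ReadWrite', 'None')
        $stream.Dispose()
        return 'Free'
    } catch {
        $err = $_.Exception.GetBaseException()
        if ($err -is [System.UnauthorizedAccessException]) { return 'AccessDenied' }
        # Win32 error 32 = ERROR_SHARING_VIOLATION (file held open elsewhere)
        if ($err -is [System.IO.IOException] -and ($err.HResult -band 0xFFFF) -eq 32) {
            return 'InUse'
        }
        return $err.GetType().Name
    }
}

function Get-LogOwner {
    param([string]$Path)
    try { (Get-Acl -LiteralPath $Path -ErrorAction Stop).Owner } catch { 'unknown' }
}

$results = Get-ChildItem -Path $Root -Filter *.log -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            State  = Test-LogFileState -File $_
            SizeKB = [math]::Round($_.Length / 1KB, 1)
            Owner  = Get-LogOwner -Path $_.FullName
            Path   = $_.FullName
        }
    }

# Totals per state: how much space is actually reclaimable from the running OS.
$results | Group-Object State | ForEach-Object {
    [pscustomobject]@{
        State   = $_.Name
        Files   = $_.Count
        TotalMB = [math]::Round(($_.Group | Measure-Object SizeKB -Sum).Sum / 1024, 2)
    }
} | Format-Table -AutoSize

# Files a plain "del" would leave behind, largest first.
$results | Where-Object State -ne 'Free' | Sort-Object SizeKB -Descending |
    Format-Table State, SizeKB, Owner, Path -AutoSize
```

Files reported as `InUse` are the ones that need the owning service stopped or an offline (WinPE) session; `AccessDenied` points at permissions instead.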