I’ve recently read a few tweets stating that Windows 10 is blowing away log files after installing feature updates (such as the latest Fall Creators update). While this may seem to be the case at first glance, it’s actually a false statement. I believe this misconception stems from the fact that many don’t know that a feature update is NOT a patch or service pack like those for the OSes prior to Windows 10. Instead, it is an entire OS upgrade. What’s really happening is that new event logs are being created, but your old event logs are still accessible.
- When a feature update is performed, Windows creates a backup of your previous build in C:\windows.old
- All of the previous event log files are available in C:\windows.old\windows\system32\winevt\logs
- In an enterprise environment, feature updates are typically scripted and not left to the automatic updating process built into Windows
- To avoid losing historic event logs, a sysadmin could easily run a post-update script to copy those old event logs to a more permanent location. Maybe something like C:\windows\system32\winevt\logs\previous build
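
A post-update script along the lines described above could look like this. It is an added example, not code from the original post: the source path and default destination are the ones named in the list, while the `manifest.csv` file name and the SHA256 verification step are assumptions added for illustration.

```powershell
#Requires -RunAsAdministrator
# Archive the previous build's event logs after a feature update.
# Windows removes Windows.old on its own after a limited time, so run
# this as part of the scripted upgrade rather than later by hand.
[CmdletBinding()]
param(
    # Source path as given in the post.
    [string]$Source      = 'C:\Windows.old\Windows\System32\winevt\Logs',
    # Default destination is the post's suggestion; override as needed.
    [string]$Destination = 'C:\Windows\System32\winevt\Logs\previous build'
)

if (-not (Test-Path -LiteralPath $Source -PathType Container)) {
    Write-Warning "No previous-build logs found at $Source; nothing to copy."
    return
}

New-Item -ItemType Directory -Path $Destination -Force | Out-Null

$results = @(foreach ($log in Get-ChildItem -LiteralPath $Source -Filter '*.evtx' -File) {
    $target = Join-Path $Destination $log.Name
    Copy-Item -LiteralPath $log.FullName -Destination $target -Force

    # Compare hashes so a truncated or failed copy is caught immediately.
    $srcHash = (Get-FileHash -LiteralPath $log.FullName -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash

    [pscustomobject]@{
        Name     = $log.Name
        Bytes    = $log.Length
        SHA256   = $srcHash
        Verified = ($srcHash -eq $dstHash)
    }
})

# Record what was archived (manifest.csv is a hypothetical file name).
$results | Export-Csv -LiteralPath (Join-Path $Destination 'manifest.csv') -NoTypeInformation

$failed = @($results | Where-Object { -not $_.Verified })
if ($failed.Count -gt 0) {
    Write-Error "Hash mismatch for: $($failed.Name -join ', ')"
    exit 1
}
Write-Output "Archived $($results.Count) event log file(s) to $Destination"
```

The archived .evtx files can then be opened in Event Viewer or read with `Get-WinEvent -Path`.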
Here’s a little screenshot as proof that the event logs remain after a feature update: