How the Update Compatibility Evaluator Works

Applies To: Windows 7, Windows Vista

The Update Compatibility Evaluator (UCE) provides insight and guidance about the potential effects of a Windows® security update on your installed applications. The UCE dynamically gathers application dependencies and is deployable to both your servers and client computers in either a production or a test environment. The compatibility evaluator collects information about the modules loaded, the files opened, and the registry entries accessed by the applications currently running on the computers. It then writes that information to .xml files uploaded to the ACT database.

This topic includes:

  • UCE terminology

  • UCE capabilities

  • UCE high-level process

  • UCE architecture

UCE Terminology

Term Definition

ACT database

The database that stores the application dependency information returned by the UCE, the security update information provided by Microsoft, and any files or registry entries potentially affected by the update.

ACT Log Processing Service

The service that processes the log files uploaded from your client computers, adding the information to your ACT database.

Application Compatibility Manager (ACM)

The user interface (UI) that enables you to view reports based on the UCE and security information generated from the ACT database. This is also where you create the data-collection packages used to deploy UCE.

Application Compatibility Toolkit (ACT)

A suite of tools that enables software developers, independent software vendors (ISVs), and enterprise IT professionals to determine whether their applications are compatible with a new version of the Windows operating system or newly released Windows security updates.

Application Compatibility Toolkit Data Collector (ACT-DC)

A self-extracting executable (.exe) file containing your configuration manifest and installation file for the data collector and compatibility evaluators. After deployment, ACT-DC installs the compatibility evaluators, maintains their scheduling and data collection, and uploads the issue data to your ACT database.

application profile

A list of the system state settings and system files on which an application has been observed to be dependent.


An executable (.exe) file that processes the raw XML data collected by the UCE and sends it to a centralized location.

compatibility evaluator

A command-line program launched by ACT-DC and configured by the user through the data-collection package (DCP) settings. An evaluator might run immediately and exit, or continue to monitor system activity through the duration configured by the user.

compatibility-evaluator definition package

The collection of files and data created by a partner to define a compatibility evaluator.

compatibility-evaluator installation package

The installation package used by the ACT-DC to install a compatibility-evaluator module. The provider of the compatibility-evaluator produces the compatibility-evaluator installation package that is included in the compatibility-evaluator definition package.

compatibility-evaluator module

A compatibility-evaluator component that is exposed to ACT-DC. A compatibility-evaluator module generates data and can have dependencies on other compatibility evaluators.


A part of the ACT that specifies the compatibility-evaluator resources and settings.

configuration manifest

A file that contains all of the user-configurable settings such as which compatibility evaluators will run, when, and for how long, and where to store the log files and other parameters configurable in the Advanced Settings dialog box.

data-collection package (DCP)

A Microsoft® Windows® installer (.msi) file created in the Application Compatibility Manager (ACM) for deployment to each of your client computers. Each data-collection package can include one or more compatibility evaluators, depending on what you are trying to evaluate.

data collector

A set of compatibility-evaluator modules that produce or gather data and then store the data locally in a raw or nearly raw form. All compatibility evaluators act as data collectors and are installed and deployed by ACT-DC.

Event Tracing for Windows (ETW)

A tracing tool provided with the Windows operating system. The tool provides a fast, reliable, and versatile set of features for logging events raised by user-mode applications and kernel-mode device drivers.

Event Tracing Log (ETL)

The log file created by the ETW tool.

evidence file

An .xml document that contains a set of evidence gathered by the Inventory Collector and processed by the Bucketizer.

evidence of potential impact

Information used to determine whether an update might affect an application. The system state is used to determine issues, based on the update profile and whether the compatibility evaluator observes any of the files or entries in use by an application.

evidence or indicators

Information used to determine the installed applications on a computer.

Microsoft Compatibility Exchange

A Web service that sends the security update information to the ACT database, including any files and registry entries impacted by the security update.


A compatibility-evaluator module that takes volumes of raw data and produces it in a format that matches the ACT schema, with extensions supplied by the compatibility-evaluator provider. More than one post-processor might depend on a single data collector, and a post-processor might depend on data from more than one data collector.

update profile

Information, including changes to the system state, that describes a software update.

UCE Capabilities

The UCE can:

  • Identify dynamic dependencies such as module loads, file opens, and registry accesses for your installed applications. It then stores the information in a database.

  • Identify the application dependencies that overlap with the files and registry entries changed by a security update, and then flag the dependencies as issues.

  • Download and display the files and the registry entries changed by a security update.

  • Interact with the ACM to view your issue details.

The UCE cannot:

  • Identify specific Web components or Web sites potentially affected by a security update.

  • Identify or quantify the functional impact to the application from a security update.

  • Identify potential regressions caused by service packs, applications, operating systems, and non-security updates.

  • Guarantee that all flagged issues have a functional impact on the application, or guarantee that all possible regressions have been identified.

UCE High-Level Process

The UCE high-level process is as follows:

  1. You identify a subset of computers that represent your overall environment, and then configure and deploy UCE to those computers.

  2. UCE builds application profiles over time, sending the information to your ACT database.

  3. After Microsoft Corporation publishes a Windows update, it publishes a corresponding update profile, which you download into your ACT database.

  4. UCE generates a report that compares the published update profile with your current application profile.

  5. You use the UCE report to develop and to prioritize a test plan.

UCE Architecture

UCE consists of two high-level modules: the UCE Data Collector and the UCE Post-Processor. The UCE binary files consist of two executable files named Uiaservice.exe and Uiaconvert.exe, a driver file named Systrace.sys, and a DLL file named Tracemgr.dll.

UCE Data Collector

The UCE Data Collector logs dynamic application dependencies consisting of file opens, module loads, and registry accesses. These dependencies are processed and written to the ETL log files. The following diagram shows the major functionality of the UCE Data Collector (Uiaservice.exe).

The following table describes the elements of the UCE Data Collector.

Element Description

Command-Line Parser

Parses commands and options when ACT-DC invokes UCE with command-line arguments. Additionally, the Command-Line Parser is responsible for signaling some events, such as the stop event, and for notifying the service process when the UCE service runs.

Microsoft Windows NT® service routine module

Manipulates the compatibility-evaluator service by invoking the Service Control Manager (SCM) interfaces and handling the compatibility-evaluator service events while maintaining status information for the running system.

Trace controller

Starts and stops the tracing driver and changes, or sets the current log-file name.

Trace driver

Handles tracing system events such as file operations, registry operations, image load events, and process creation events.

ETW log files

Contains the events logged by the trace driver. The ETW log files are initially stored in the temporary file specified during the UCE installation process. The service processor moves the ETW log files to the output folder specified when UCE starts.

UCE Post-Processor

The UCE Post-Processor converts the ETL log-file data created by the UCE Data Collector into XML files. After conversion, the Bucketizer uses the XML files to consolidate the data and send it to a centralized location. The UCE Post-Processor also filters out the operating system components such as Iexplore.exe and Explorer.exe. The following diagram shows the major functionality of the UCE Post-Processor (uiaconvert.exe).

The following table describes the elements of the UCE Post-Processor.

Element Description
Trace consumer module Processes the ETW log files (also known as ETL files) by reading events and sending callbacks.
Events processor Provides a set of callbacks to handle various events, and stores the events in the events buffer for late logging. The Events processor also deletes the ETW log files.
Events buffer Stores events that have not obtained image names or been filtered.
Application events filter Filters noise events for which the user has no need or requirements (for example, events from Explorer.exe or Cmd.exe).
Duplicate events filter Filters duplicate logged events.
Bucketizer Processes the raw XML evidence collected by UCE. The Bucketizer, which is a post-processor, also consolidates the output from other compatibility evaluators and sends the data to a centralized location.
XML Writer Produces .xml log files. Additionally, the XML Writer uniquely identifies a module by using information from the ETW event to respond to supply information that is not provided by that event. During this process, the XML Writer retrieves additional information from a function in your custom database queries.
Application information cache Helps the XML Writer supply the application information. This avoids the inefficient process of querying information from the same image file.
DLL version information cache Helps the XML Writer supply the DLL version information. This avoids the inefficient process of querying information from the same image file.
.xml log files Stores the process log files in your specified folder.

See Also


Update Compatibility Evaluator (UCE) Technical Reference
Phase 1: Collecting Your Compatibility Data
Phase 2: Analyzing Your Compatibility Data