While diagnosing a bug where a Windows guest hangs at boot, I used libguestfs to find out what files were being updated on the disk. Here is how.
First of all I used virt-ls to get a listing of all the files in the guest and the last time they were updated:
$ virt-ls -lR -a /path/to/winxp.img --time-relative / | \
    grep '^-' > /tmp/files
The columns in the output file look like this:
- 0777 0 12022162 12022162 12022162 /AUTOEXEC.BAT
The three numbers in columns 4, 5 and 6 (“12022162”) are the ones we are interested in. These are the time of last access, time of last modification and time of last status change, in seconds before now (because of the --time-relative flag).
So now we’re just looking for the files where column 6 is a small number. Everything that’s been touched in the last 2 minutes, for example:
$ awk '$6 < 120' < /tmp/files
- 0777 1024 40 40 40 /Documents and Settings/rjones/NTUSER.DAT.LOG
- 0777 7414 30 30 30 /WINDOWS/Prefetch/LOGON.SCR-151EFAEA.pf
- 0777 9445376 50 50 50 /WINDOWS/SoftwareDistribution/DataStore/DataStore.edb
- 0777 8192 50 50 50 /WINDOWS/SoftwareDistribution/DataStore/Logs/edb.chk
- 0777 131072 50 50 50 /WINDOWS/SoftwareDistribution/DataStore/Logs/edb.log
- 0777 203243 49 49 49 /WINDOWS/WindowsUpdate.log
- 0777 1024 41 40 40 /WINDOWS/system32/config/SAM.LOG
- 0777 262144 645 42 42 /WINDOWS/system32/config/SECURITY
- 0777 20480 42 41 41 /WINDOWS/system32/config/SECURITY.LOG
Ah.
Looks to me like Windows Update is running.
We can confirm this easily:
$ virt-cat -a /path/to/winxp.img /WINDOWS/WindowsUpdate.log|tail
2012-02-27 19:17:57:718 824 144 DnldMgr Error 0x80072f78 occurred while downloading update; notifying dependent calls.
2012-02-27 19:18:12:546 824 144 DnldMgr Error 0x80072f78 occurred while downloading update; notifying dependent calls.
2012-02-27 19:18:39:015 824 14c DnldMgr Error 0x80072f78 occurred while downloading update; notifying dependent calls.
2012-02-27 19:18:49:031 824 7b8 DnldMgr Error 0x80072f78 occurred while downloading update; notifying dependent calls.
2012-02-27 19:18:58:046 824 14c DnldMgr Error 0x80072f78 occurred while downloading update; notifying dependent calls.
2012-02-27 19:18:58:062 824 748 AU AU checked download status and it changed: Downloading is paused
Indeed soon afterwards the guest came back to life, after downloading all its Windows Updates.
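The awk filter above, extended into a small reusable script (an added example, not code from the original post): it ranks files by status-change age and counts changed files per directory, keeping paths that contain spaces whole. The function names, the 120-second default and the `d` row in the sample are assumptions; the other sample rows are copied from the listings in the post.

```shell
#!/bin/sh
# Added example: triage a `virt-ls -lR --time-relative` listing read from stdin.
# Column layout as shown in the post:
#   type mode size atime-age mtime-age ctime-age path   (ages in seconds)

# recent_changes [MAX_AGE_SECONDS]
# Prints "<ctime-age>\t<mtime-age>\t<size>\t<path>", most recently changed first.
recent_changes() {
    awk -v max="${1:-120}" '
        # Regular files only; a negative age means a timestamp ahead of the host clock.
        $1 == "-" && $6 ~ /^-?[0-9]+$/ && $6 + 0 < max + 0 {
            path = $0
            # Strip the six leading fields; whatever remains is the path, spaces included.
            for (i = 1; i <= 6; i++) sub(/^[ \t]*[^ \t]+[ \t]+/, "", path)
            printf "%s\t%s\t%s\t%s\n", $6, $5, $3, path
        }' | sort -n -k1,1
}

# busy_dirs [MAX_AGE_SECONDS]
# Counts recently changed files per parent directory, busiest directory first.
busy_dirs() {
    tab=$(printf '\t')
    recent_changes "${1:-120}" | awk -F '\t' '
        { dir = $4; sub(/\/[^\/]*$/, "", dir); if (dir == "") dir = "/"; n[dir]++ }
        END { for (d in n) printf "%d\t%s\n", n[d], d }' |
        sort -t "$tab" -k1,1nr -k2,2
}

# Sample rows: copied from the post, plus one constructed directory row ("d").
sample_listing() {
    cat <<'EOF'
- 0777 0 12022162 12022162 12022162 /AUTOEXEC.BAT
- 0777 1024 40 40 40 /Documents and Settings/rjones/NTUSER.DAT.LOG
- 0777 9445376 50 50 50 /WINDOWS/SoftwareDistribution/DataStore/DataStore.edb
- 0777 8192 50 50 50 /WINDOWS/SoftwareDistribution/DataStore/Logs/edb.chk
- 0777 131072 50 50 50 /WINDOWS/SoftwareDistribution/DataStore/Logs/edb.log
- 0777 262144 645 42 42 /WINDOWS/system32/config/SECURITY
d 0755 4096 10 10 10 /WINDOWS/Temp
EOF
}

# Demonstration on the sample; on a real listing use: busy_dirs 120 < /tmp/files
sample_listing | busy_dirs 120
```

Running `busy_dirs` first and then `recent_changes` on the busiest directory narrows a large guest listing down to the component that is writing to disk.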
So virt-ls and virt-cat could be used while guest is up and running? Are these the only 2 libguestfish commands that could be used while guest is still up?
virt-ls and virt-cat are safe to use on running guests, and these are not the only commands that are safe.
Read the man page for each command carefully before using it. Commands which are unsafe have a “WARNING” section, like this.
Mostly it’s common sense. Commands for editing a disk (like virt-edit, guestfish, etc.) are not safe. Commands which just display the contents of a disk (like virt-filesystems) are safe.