Microsoft regularly introduces security measures and hardening changes to make Windows more secure. As you may know, the company releases its monthly security patches on the second Tuesday of every month, which is why the day is referred to as Patch Tuesday or Update Tuesday.
With the November 2025 patch, Microsoft imposed a new security mitigation for the Common Log File System (CLFS) driver in updates to Windows 11 25H2 and Server 2025. This is a crucial update as it adds a hash-based message authentication code (HMAC) to CLFS logfiles in order to strengthen protection against tampering.
If you are wondering, a Hash-based Message Authentication Code (HMAC) is a cryptographic mechanism used to verify message integrity and authenticity by combining a secret key with a hash function. The sender computes the HMAC over the data and transmits both the data and the HMAC. The receiver then, using the same secret key, recomputes the HMAC and checks for a match. A match confirms that the data has not been tampered with.
According to Microsoft, the authentication codes are generated by combining file data with a system-unique cryptographic key stored in the registry. Access to this key is restricted to administrators and SYSTEM accounts. So if tampering is detected, the logfile will not open.
If you are unfamiliar, the Common Log File System (CLFS) API is a general-purpose, high-performance logging subsystem in Windows that is used by apps and services in both user mode and kernel mode. CLFS is designed to ensure reliable transactions, event logging and tracking, which makes it well suited to crash recovery. However, it has historically been vulnerable to privilege escalation exploits, which is why the new HMAC mechanism is a hardening step to prevent such attacks.
To ease adoption, Microsoft has, for now, built in a 90-day "learning mode" following installation of the updates. During this period, authentication codes are automatically added to existing logfiles when they are opened. After the 90-day window closes, CLFS enters enforcement mode, requiring all logfiles to contain valid authentication codes.
IT and system administrators are therefore advised to review systems that rely on CLFS and ensure logfiles are accessed during the learning mode period. Otherwise, the fsutil clfs authenticate command-line utility should be used to add authentication codes to unopened logfiles.
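The following is an added example, not Microsoft's code and not the CLFS on-disk format: a small Python model of the behaviour described above, with HMAC codes over logfile data, codes added on open in learning mode, and missing or invalid codes refused in enforcement mode. The 4096-byte block size, HMAC-SHA256, the dictionary layout, the function names and the rejection of mismatches in both modes are assumptions made for the illustration.

```python
import hashlib
import hmac

BLOCK = 4096  # assumed block size for this model only


class TamperError(Exception):
    """The logfile failed authentication and must not be opened."""


def make_codes(key: bytes, data: bytes) -> list:
    # One HMAC-SHA256 code per block. The block index is part of the MAC
    # input so that reordering otherwise valid blocks is also detected.
    return [
        hmac.new(key, i.to_bytes(8, "big") + data[off:off + BLOCK],
                 hashlib.sha256).digest()
        for i, off in enumerate(range(0, len(data), BLOCK))
    ]


def open_log(key: bytes, log: dict, enforce: bool) -> bytes:
    """Return the log data, or raise TamperError."""
    codes = log.get("codes")
    if codes is None:
        if enforce:
            raise TamperError("no authentication codes present")
        # Learning mode: add codes to an existing logfile when it is opened.
        log["codes"] = make_codes(key, log["data"])
        return log["data"]
    expected = make_codes(key, log["data"])
    # Assumption of this model: a mismatch is rejected in either mode.
    if len(codes) != len(expected) or not all(
        hmac.compare_digest(a, b) for a, b in zip(codes, expected)
    ):
        raise TamperError("authentication code mismatch")
    return log["data"]


def can_open(key: bytes, log: dict, enforce: bool) -> bool:
    try:
        open_log(key, log, enforce)
        return True
    except TamperError:
        return False


if __name__ == "__main__":
    key = b"k" * 32                      # constructed key, stands in for the registry key
    legacy = {"data": b"record" * 2000}  # constructed logfile without codes
    print(can_open(key, dict(legacy), enforce=True))   # never opened in learning mode
    print(can_open(key, legacy, enforce=False), can_open(key, legacy, enforce=True))
    legacy["data"] = b"RECORD" + legacy["data"][6:]    # modified after codes were added
    print(can_open(key, legacy, enforce=True))
```

The first case is the one administrators need to plan for: a logfile that was never opened during learning mode has no codes and is refused once enforcement begins.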
One thing the company notes is the additional file space that is required to store the authentication codes. It explains: "Additional file space is required to store authentication codes. The amount of space needed for authentication codes depends on the size of the file. Refer to the following list for an estimate about how much additional data will be required for your logfiles:
- 512KB container files require an additional ~8192 bytes for authentication codes.
- 1024KB container files require an additional ~12288 bytes for authentication codes.
- 10MB container files require an additional ~90112 bytes for authentication codes.
- 100MB container files require an additional ~57344 bytes for authentication codes.
- 4GB container files require an additional ~2101248 bytes for authentication codes"
It further adds that, because of the consequent increase in I/O operations for maintaining authentication codes, the time taken to perform logfile creation, logfile opening, and the writing of new records will also go up, depending on the container size, and that the average time it takes to write to a record in a logfile has now doubled.
You can find the full details about CLFS authentication and hardening in the support article KB5056852 on Microsoft's official site.
Hope you enjoyed this news post. Feedback welcome.
Posted Tuesday 13 January 2026 at 12:06 pm AEST (my time).