Microsoft explains why Windows 11 25H2 got twice as heavy due to a key security update - Neowin

Microsoft’s November 2025 Patch Tuesday update hardens the Common Log File System (CLFS) in Windows 11 25H2 and Windows Server 2025 by adding hash-based message authentication codes (HMACs) to log files, reducing the risk of tampering and privilege-escalation attacks.

A 90-day learning mode automatically applies authentication codes when logs are opened, after which enforcement mode requires all CLFS logs to be authenticated. Administrators must ensure logs are updated during this window or use the fsutil utility. The change increases disk usage, I/O, and log operation times, with average write times roughly doubling depending on file size.