Policy
Enable / disable CLFS logfile authentication
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT, Windows11, WindowsServer2016
This policy setting configures CLFS logfile authentication, a security feature which aims to harden logfile parsing. Logfile authentication provides the ability for the CLFS driver to detect malicious modications made to logfiles. If modifications are detected, CLFS will deem the logfile as unsafe for parsing and return an error to the caller. CLFS is able to detect modifications by writing authentication codes to logfiles, which combines file data with a system-unique cryptographic key. A side effect of logfile authentication is that CLFS will fail to open logfiles that were created on other systems, as these logfiles contain authentication codes created using a system-unique cryptographic key. To open a logfile that was created on another system, an administrator must first use the "fsutil.exe clfs authenticate" command to correct the authentication codes. If you enable or do not configure this setting, CLFS will refer to local registry settings on whether logfile authentication should be done or not. By default, CLFS will do logfile authentication. The local registry settings for this feature can be found at "HKLM:\SYSTEM\CurrentControlSet\Services\CLFS\Authentication". If you disable his setting, CLFS will no longer perform logfile authentication. Logfiles will be able to be moved and opened across systems without Administrative action. However, CLFS will open and parse all logfiles, including maliciously crafted logfiles that may compromise the system.
Registry values
How enabled and disabled states update the registry.
| Registry location | Type | Enabled value | Disabled value |
|---|---|---|---|
| HKLM\System\CurrentControlSet\Policies\ClfsAuthenticationChecking | REG_DWORD | 1 | 0 |
Policy elements
Inputs and configuration options exposed by this policy.
This policy has no additional user input fields.
Other policies in this category
Explore related policies at the same level.
- ComputerDev drive filter attach policyAt least Windows 11 Version 22H2
- ComputerDisable delete notifications on all volumesAt least Windows Server 2008 R2 or Windows 7
- ComputerEnable dev driveAt least Windows 11 Version 22H2
- ComputerEnable Win32 long pathsAt least Windows Server 2016, Windows 10
- ComputerSelectively allow the evaluation of a symbolic linkAt least Windows Vista