Windows 11 Warning: Don't Delete the Mysterious 'inetpub' Folder After April 2025 Update

The Unexpected Appearance of inetpub
Following the April 2025 Patch Tuesday updates (KB5055523 for Windows 11 24H2 and equivalent updates for other versions), users worldwide began reporting an unusual phenomenon - the sudden appearance of an empty C:\inetpub
directory on their system drives. This folder, typically associated with IIS (Internet Information Services) web server functionality, was being created even on systems where IIS had never been installed.
From IIS Component to Security Essential
Historically, the inetpub folder served as the default root directory for IIS, containing several subdirectories:
wwwroot
- Default location for hosted websiteslogs
- Contains server access and error logstemp
- Temporary files for IIS operations
The April 2025 updates changed this paradigm completely. Now, Windows creates just the empty parent inetpub folder regardless of IIS status, serving an entirely different purpose.
CVE-2025-21204: The Vulnerability Behind the Change
Microsoft's security advisory reveals this modification addresses a critical vulnerability in the Windows Update Stack:
"CVE-2025-21204: Windows Update Stack Elevation of Privilege Vulnerability
CVSS Score: 7.8 (High)
Impact: Local attacker could modify system files via symbolic link manipulation
Patch: Requires creation of secured inetpub directory structure"
Technical Deep Dive: How the Patch Works
Through reverse engineering and Microsoft's limited documentation, we've pieced together the security mechanism:
- The empty inetpub folder serves as a canary directory with special NTFS permissions
- Windows Update now verifies this directory's integrity before applying updates
- Any attempt to create malicious symbolic links gets detected via this checkpoint
- The folder's ACLs prevent unauthorized modifications that could indicate tampering
Microsoft's Documentation Timeline
Date | Documentation Status |
---|---|
April 8 | No mention of inetpub creation |
April 10 | Reports surface on Microsoft forums |
April 12 | KB articles updated with brief note |
April 15 | Full security explanation published |
Restoration Guide for Deleted Folders
Method 1: Via IIS Installation
1. Press Win+R, type "optionalfeatures" and hit Enter
2. Expand "Internet Information Services"
3. Check at least "Web Management Tools" > "IIS Management Console"
4. Click OK and restart when prompted
5. (Optional) Disable IIS features after folder recreation
Method 2: Manual Recreation
For advanced users via Administrator Command Prompt:
mkdir %systemdrive%\inetpub
icacls %systemdrive%\inetpub /inheritance:r /grant:r *S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:(OI)(CI)F
attrib +S +H %systemdrive%\inetpub
Enterprise Deployment Considerations
IT administrators should implement these group policy adjustments:
- Add inetpub to protected directory lists in endpoint security solutions
- Create monitoring alerts for deletion attempts
- Modify imaging processes to preserve the folder during deployments
- Update documentation to prevent helpdesk tickets about "suspicious" folders
Why Microsoft Keeps the Mechanism Secret
Security experts suggest several reasons for Microsoft's opacity:
- Prevents attackers from studying and bypassing the protection
- Reduces false sense of security if implementation details were public
- Allows Microsoft to modify the mechanism in future updates
- Minimizes support questions about technical complexities
Long-Term Implications
This change signals a shift in Microsoft's security approach:
- System directories now serve dual purposes (functional + security)
- Even empty folders can have critical security roles
- Future Windows versions may include more such "hidden" protections
- The line between features and security mechanisms continues to blur
Final Verification Steps
To confirm your system is properly protected:
dir /a %systemdrive%\inetpub
icacls %systemdrive%\inetpub
fsutil dirty query %systemdrive%
The folder should exist with SYSTEM and TrustedInstaller full control permissions, and no user-writable access.
Related Posts

Windows 11 24H2 Preview (KB5055627): New Share UI, Phone Link & Update Timer Features
Detailed look at Windows 11 Build 26100.3902's upcoming features including enhanced sharing tools...

Windows 11 Warning: Don't Delete the Mysterious 'inetpub' Folder After April 2025 Update
Microsoft confirms the 'inetpub' folder appearing after April 2025 updates is intentional and lin...