MyTechBlog

Windows 11 Warning: Don't Delete the Mysterious 'inetpub' Folder After April 2025 Update

Posted on April 12, 2025

The Unexpected Appearance of inetpub

Following the April 2025 Patch Tuesday updates (KB5055523 for Windows 11 24H2 and equivalent updates for other versions), users worldwide began reporting an unusual phenomenon - the sudden appearance of an empty C:\inetpub directory on their system drives. This folder, typically associated with IIS (Internet Information Services) web server functionality, was being created even on systems where IIS had never been installed.

From IIS Component to Security Essential

Historically, the inetpub folder served as the default root directory for IIS, containing several subdirectories:

  • wwwroot - Default location for hosted websites
  • logs - Contains server access and error logs
  • temp - Temporary files for IIS operations

The April 2025 updates changed this paradigm completely. Now, Windows creates just the empty parent inetpub folder regardless of IIS status, serving an entirely different purpose.

CVE-2025-21204: The Vulnerability Behind the Change

Microsoft's security advisory reveals this modification addresses a critical vulnerability in the Windows Update Stack:

"CVE-2025-21204: Windows Update Stack Elevation of Privilege Vulnerability
CVSS Score: 7.8 (High)
Impact: Local attacker could modify system files via symbolic link manipulation
Patch: Requires creation of secured inetpub directory structure"

Technical Deep Dive: How the Patch Works

Through reverse engineering and Microsoft's limited documentation, we've pieced together the security mechanism:

  1. The empty inetpub folder serves as a canary directory with special NTFS permissions
  2. Windows Update now verifies this directory's integrity before applying updates
  3. Any attempt to create malicious symbolic links gets detected via this checkpoint
  4. The folder's ACLs prevent unauthorized modifications that could indicate tampering

Microsoft's Documentation Timeline

Date        Documentation Status
April 8     No mention of inetpub creation
April 10    Reports surface on Microsoft forums
April 12    KB articles updated with brief note
April 15    Full security explanation published

Restoration Guide for Deleted Folders

Method 1: Via IIS Installation

1. Press Win+R, type "optionalfeatures" and hit Enter
2. Expand "Internet Information Services"
3. Check at least "Web Management Tools" > "IIS Management Console"
4. Click OK and restart when prompted
5. (Optional) Disable IIS features after folder recreation

Method 2: Manual Recreation

For advanced users via Administrator Command Prompt:

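rem Create the folder, drop inherited ACEs, then grant full control to
rem SYSTEM (S-1-5-18) and TrustedInstaller (the S-1-5-80 SID) only.
mkdir %systemdrive%\inetpub
icacls %systemdrive%\inetpub /inheritance:r /grant:r *S-1-5-18:(OI)(CI)F *S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:(OI)(CI)F
attrib +S +H %systemdrive%\inetpub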

Enterprise Deployment Considerations

IT administrators should implement these group policy adjustments:

  • Add inetpub to protected directory lists in endpoint security solutions
  • Create monitoring alerts for deletion attempts
  • Modify imaging processes to preserve the folder during deployments
  • Update documentation to prevent helpdesk tickets about "suspicious" folders

Why Microsoft Keeps the Mechanism Secret

Security experts suggest several reasons for Microsoft's opacity:

  • Prevents attackers from studying and bypassing the protection
  • Avoids the false sense of security that public implementation details could create
  • Allows Microsoft to modify the mechanism in future updates
  • Minimizes support questions about technical complexities

Long-Term Implications

This change signals a shift in Microsoft's security approach:

  • System directories now serve dual purposes (functional + security)
  • Even empty folders can have critical security roles
  • Future Windows versions may include more such "hidden" protections
  • The line between features and security mechanisms continues to blur

Final Verification Steps

To confirm your system is properly protected:

dir /a %systemdrive%\inetpub
icacls %systemdrive%\inetpub
fsutil dirty query %systemdrive%

The folder should exist with SYSTEM and TrustedInstaller full control permissions, and no user-writable access.
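
The same check as a script, added here as an example (it is not from the original article or from Microsoft): it reports a missing folder, a junction or symbolic link standing in for the folder, and any write-capable access entry held by a principal other than SYSTEM and TrustedInstaller. The function name Test-InetpubFolder and the choice of which rights count as "write" are assumptions made for this example; the TrustedInstaller SID is the one used in Method 2.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell prompt.
function Test-InetpubFolder {
    param([string]$Path = (Join-Path $env:SystemDrive 'inetpub'))

    # -Force finds the folder even when it carries the Hidden/System attributes.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return "MISSING: $Path does not exist" }
    $findings = @()
    if (-not $item.PSIsContainer) { $findings += "NOT A DIRECTORY: $Path" }

    # A junction or symbolic link in place of the real folder is the case to flag.
    if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        $findings += "REPARSE POINT: $Path is a link of type '$($item.LinkType)'"
    }

    # S-1-5-18 is SYSTEM; the S-1-5-80 value is the TrustedInstaller SID from Method 2.
    $trusted = 'S-1-5-18',
               'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    $full  = [int][Security.AccessControl.FileSystemRights]::FullControl
    # Assumption: these rights count as "write" (change the folder, its contents or
    # its ACL), plus the raw GENERIC_ALL / GENERIC_WRITE bits inherit-only ACEs can carry.
    $write = [int][Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000

    $hasFull = @{}
    $sidType = [Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid    = $ace.IdentityReference.Value
        $rights = [int]$ace.FileSystemRights
        if ($trusted -contains $sid) {
            # Full control shows up as FullControl or as the raw GENERIC_ALL bit.
            if ((($rights -band $full) -eq $full) -or ($rights -band 0x10000000)) { $hasFull[$sid] = $true }
        } elseif ($rights -band $write) {
            $findings += "WRITE ACCESS: $sid holds $($ace.FileSystemRights)"
        }
    }
    foreach ($sid in $trusted) {
        if (-not $hasFull[$sid]) { $findings += "NO FULL CONTROL: $sid" }
    }
    $findings
}

$result = @(Test-InetpubFolder)
if ($result.Count -eq 0) { 'OK: inetpub matches the expected state' } else { $result }
```

An empty result means the folder matches the state described above; each finding line names the SID or attribute that differs, which makes the output usable as input for the monitoring alerts mentioned under Enterprise Deployment Considerations.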