The recent emergence of the "inetpub" folder on Windows 11 systems, following the April 2025 cumulative updates, has caused considerable discussion and concern among users and IT professionals alike. Traditionally, this folder is known as the default root directory for Microsoft's Internet Information Services (IIS), used for hosting websites and web applications. However, with recent updates, an empty "inetpub" folder now appears on practically every Windows 11 system, regardless of whether IIS is installed or active. This development is not a glitch or overlooked residue but a calculated security feature introduced by Microsoft as part of addressing a critical vulnerability, CVE-2025-21204.
The Security Patch and the Role of the Inetpub Folder
CVE-2025-21204 refers to a vulnerability discovered in the Windows Update servicing stack. The flaw specifically involved improper handling of symbolic links (also known as symlinks or junction points), which are filesystem shortcuts that point to other files or directories. Prior to the patch, attackers with local access could exploit symbolic link mishandling to trick Windows into modifying or accessing files it was not supposed to, potentially escalating privileges or corrupting critical system files.
To mitigate this risk, Microsoft implemented a preventive structural measure: the automatic creation of the "inetpub" folder on the system drive as a controlled environment with strict permissions. This folder acts as a trusted directory, designed to prevent any malicious redirection through symbolic links during Windows Update operations. By ensuring the folder exists with correct security settings, Windows can securely stage update files without falling prey to symbolic link manipulation.
Despite this purposeful installation, the folder itself remains empty and does not indicate IIS is running or enabled on the system. It occupies negligible disk space and is largely invisible to end users in normal system activities. Microsoft has explicitly warned users not to delete this folder, as doing so undermines the effectiveness of the security patch, leaving systems vulnerable to the very exploits the patch was designed to prevent.
The Exploitability and Ease of Attack
While the introduction of this folder was meant to plug a major security hole, unintended consequences have surfaced that pose a novel risk. Security researcher Kevin Beaumont has revealed that any local user on the system, including non-admin accounts, can exploit the "inetpub" folder’s existence by replacing it with a directory junction to an arbitrary target, such as a system file like Notepad.exe.
This is achieved by a simple command executed in the command prompt without administrative privileges:
mklink /J C:\inetpub C:\Windows\System32\notepad.exe
This command deletes the original "inetpub" folder and creates a junction point (a type of symbolic link) pointing to another file. Since the Windows servicing stack runs as SYSTEM and trusts the "inetpub" directory, it will mistakenly follow this junction and attempt to stage update files in the wrong location. This redirection causes Windows Update operations to fail or roll back, effectively blocking system updates and opening the door for patch sabotage.
The implication here is profound: the basic security patch relies on a folder that local non-elevated users can manipulate to disrupt the update process. While this requires physical or local access and is not a remote exploit, it represents a glaring vulnerability in Windows update infrastructure that can be leveraged by malicious insiders or malware operating with standard user privileges.
Mitigating the Vulnerability: Practical Steps Until a Microsoft Fix
As of now, Microsoft has remained notably silent on the vulnerability, and no official fix or update addressing this exploitation vector has been announced. In the meantime, users and system administrators can adopt defensive measures to protect their systems.
The core principle to prevent exploitation is to restrict write and delete permissions on the "inetpub" folder for all users except the SYSTEM and TrustedInstaller accounts. This approach ensures that only trusted system processes can modify or remove the folder, effectively blocking non-admin users from replacing it with a malicious junction.
Here is a stepwise guide to apply this mitigation:
- Navigate to the root of the system drive (usually
C:), right-click the "inetpub" folder and select Properties.
- Go to the Security tab and click the Advanced button.
- In the advanced security settings, click Disable inheritance and then choose Remove all inherited permissions.
- Click Add, then Select a principal, and enter
SYSTEM. Confirm and assign Full control permissions.
- Repeat the previous step for the
NT SERVICE\TrustedInstaller account.
- Apply and save all changes.
After this, the folder is only editable by core system components, and any attempt by a user or process without proper permissions to modify or delete the folder will be blocked with a permission denied error.
In environments where this mitigation is applied, Windows Update should continue functioning normally, and the risk posed by the current vulnerability is minimized. Should this solution need to be reversed, users can re-enable permission inheritance through similar steps to restore default access.
The Broader Context: A Symptom of System Complexity and Security Trade-offs
This incident reflects a recurring theme in Windows security management: the complexity of balancing usability, backward compatibility, and layered defense mechanisms sometimes leads to imperfect fixes or new attack surfaces. The "inetpub" folder's introduction was a clever workaround for a tricky vulnerability, yet the patch's implementation inadvertently opened a related weakness due to insufficient checks in the servicing stack around symbolic link validation and folder permissions.
Moreover, the exploitability by non-admin users is concerning given the rise of shared desktops, multi-user workstations, and the increasing intermixing of personal and corporate usage. Even with physical security measures in place, this kind of vulnerability lowers the barrier for an insider threat or a compromised standard user account to hinder updates, potentially preventing critical patches from installing.
While not trivial to exploit in remote attack scenarios, the existence of such an easily triggered weakness emphasizes the need for vigilant system administration practices and for Microsoft to address these foundational issues in future servicing stack improvements.
Restoring Deleted Inetpub Folder: What If You Remove It?
Some users have attempted to delete the mysterious "inetpub" folder out of curiosity or in a mistaken effort to clean up their system drives. Microsoft strongly advises against this, as the folder’s absence breaks the security patch's functionality.
If deleted, users can restore the folder by:
- Opening Control Panel → Programs and Features.
- Clicking Turn Windows features on or off.
- Temporarily enabling Internet Information Services (IIS), which recreates the "inetpub" folder with appropriate permissions.
- Disabling IIS afterward if desired.
Alternatively, reinstalling the relevant Windows update or waiting for the next cumulative update typically restores the folder correctly.
Conclusion: A Guardian Folder with a Catch
The "inetpub" folder on Windows 11 systems epitomizes a modern cybersecurity challenge—sometimes, protective measures introduce new complexities and risks that demand ongoing vigilance. This empty folder is no benign artifact; it is a silent guardian designed to harden the system against a significant symbolic link exploit. Yet, its current implementation opens a straightforward avenue for local users to undermine Windows update mechanisms.
Until Microsoft issues a robust fix, IT professionals and users should proactively harden permissions on the folder to halt exploitation. At the same time, this episode serves as a reminder that even empty folders can carry tremendous importance in the security fabric of modern operating systems. Awareness, cautious system management, and staying abreast of updates remain critical to maintaining Windows system integrity.
By respecting the "inetpub" folder and implementing the appropriate mitigations, users help ensure their PCs remain secure and fully patched, even amid the complex trade-offs sometimes unavoidable in operating system security.
Source: Windows 11's New Inetpub Folder is Hackable. Try This Temporary Fix - Make Tech Easier
What happened?
.