• Thread Author
Microsoft's recent efforts to patch Windows systems against a critical elevation-of-privilege vulnerability, CVE-2025-21204, have introduced an unexpected and somewhat controversial element—a mysterious "inetpub" folder that appears on nearly all updated Windows machines, even those not running Internet Information Services (IIS). While on the surface this might seem innocuous or even superfluous, the folder is far more than a mere artifact; it reflects a notable shift in Microsoft's security patching methodology and raises important considerations for administrators and users alike.

3D illustration of a secure folder with a red padlock labeled 'inetpub' on a digital interface background.
The Origin and Purpose of the inetpub Folder​

The "inetpub" directory historically belongs to IIS, Microsoft's web server platform, where it houses website files, logs, and configuration data. In typical scenarios, this folder is created only when IIS is installed and activated. However, the April 2025 cumulative update for Windows 10 and 11 (notably KB5055523 and its counterparts) now inserts this folder by default on system drives—regardless of whether IIS is enabled.
Microsoft has officially clarified that the creation of inetpub is an intentional move designed as part of a comprehensive mitigation strategy against the CVE-2025-21204 vulnerability. This vulnerability specifically targets Windows Process Activation and relates to how the operating system handles symbolic links (symlinks). Symlinks are filesystem objects that redirect to other files or directories; improper handling of them can allow local attackers to redirect system processes to malicious targets, enabling privilege escalation.
Instead of patching the vulnerability directly in code, Microsoft has employed a structural mitigation: by pre-creating the inetpub folder with stringent system-level permissions (read-only and owned by SYSTEM), the update blocks certain types of symlink-based exploitation paths. This folder acts as a hardened container or "safe zone" to prevent unauthorized filesystem redirections that an attacker might otherwise use to subvert Windows Update processes or other critical system operations.
This approach aligns with a broader security-by-design philosophy, wherein tangible filesystem structures serve as defensive elements—sometimes in non-obvious ways—to safeguard against subtle attacks. Critical here is that the folder is completely empty and occupies negligible disk space, yet it plays a hidden role in maintaining system integrity by preventing the abuse of symbolic links in the update stack, , .

The Unintended Side Effect: The Junction Point Vulnerability​

While this mitigation initially seemed like a clever bypass that sidesteps intrusive code changes, it has introduced a new problem. Security researcher Kevin Beaumont uncovered that the inetpub folder's existence and permissions can be exploited to block Windows updates altogether using an NTFS junction point attack.
By running the command:
mklink /j c:\inetpub c:\windows\system32\notepad.exe
even users without administrative privileges can transform the inetpub folder into a filesystem junction (a redirection) pointing to a sensitive system executable. When Windows Update then attempts to interact with c:\inetpub, it instead accesses the redirected target, resulting in errors and a forced rollback of the update operation. Effectively, this becomes a denial-of-service (DoS) vector that prevents systems from installing future security updates.
The severity lies in the fact that this attack does not require elevation of privileges; default configured Windows systems allow standard users to create junctions under specific conditions, meaning a non-administrative user or malware running with limited permissions could sabotage system update integrity. This undermines the very purpose of the mitigation, leaving administrators no choice but to actively scan and repair any tampered junctions until Microsoft fixes the underlying problem .

Microsoft's Communication and User Response​

The sudden appearance of the inetpub folder—with no initial explanation—triggered intense scrutiny and confusion. Users commonly assumed the folder to be a suspicious artifact or a leftover from IIS installation. Many attempted to delete it, unaware that this would effectively disable the security patch guarding against CVE-2025-21204.
Microsoft has formally warned users and administrators not to remove the folder. The company suggests that if inetpub is deleted, the safest restoration method is to briefly enable IIS through "Turn Windows Features On or Off" in the Control Panel, which recreates the directory with proper permissions. Alternatively, uninstalling and reinstalling the relevant update also regenerates the folder.
Notably, the folder itself incurs no performance overhead and does not host active content or services. Its presence is purely protective, and while it represents a somewhat opaque aspect of the update process, it illustrates the increasing complexity of modern OS security where seemingly trivial filesystem objects play critical safeguarding roles.
Microsoft's confirmation and guidance have helped assuage concerns about malware or system corruption, but the episode reveals gaps in clear documentation and the need for more transparent update notes that can prepare system administrators for these non-standard patches, , .

Implications for IT Administrators and End Users​

This whole scenario spotlights several challenges facing IT professionals tasked with maintaining the Windows ecosystem:
  • Hidden Attack Surface: Symbolic link and junction vulnerabilities have long been recognized attack methods, but their exploitation in the update stack—and by means of an intentionally created folder—demonstrates the subtlety of modern threats.
  • Need for Vigilance: Administrators must now verify the integrity of folders like inetpub regularly and scan for unauthorized junction points, lest users or malware disrupt update processes.
  • Balance of Convenience and Security: Microsoft’s patch avoids code complexity but relies on filesystem configurations that raise other security concerns. This trade-off highlights the difficulty in rolling out seamless yet robust defenses.
  • Communication Improvements: Clarity in update documentation and proactive release notes are vital. Users should be educated about unexpected artifacts resulting from critical patches to minimize confusion and inadvertent compromises.
For standard users, the immediate advice is simple—do not delete the inetpub folder and promptly restore it if removed. IT teams should incorporate checks for junction tampering and review update logs for failures linked to this issue. Until Microsoft addresses the junction vulnerability, this represents a dangerous "second layer" exploitation vector stemming from the original patch.

Reflecting on Microsoft's Update Strategy​

The inetpub folder saga exemplifies the evolving landscape of Windows security: the fight to patch vulnerabilities grows more intricate, blending legacy components with creative mitigation techniques. Microsoft’s deployment of a symbolic folder as a protective measure illustrates a departure from pure code fixes towards layered security via operating system artifacts.
However, the side effect of enabling a junction point DoS vulnerability reveals testing and review complexities inherent in such approaches. These missteps fuel criticism of Microsoft’s quality assurance pipelines and feed skepticism among admins regarding update safety.
Moreover, this episode highlights broader industry challenges: maintaining seamless security across millions of diverse Windows deployments without introducing new attack surfaces or operational disruptions is an exceedingly difficult task.

Conclusion​

On balance, Microsoft’s creation of the "inetpub" folder in the April 2025 Windows update represents a novel yet imperfect solution to a significant symbolic link vulnerability. While it address CVE-2025-21204 effectively, the introduced junction point loophole has created a fresh security headache that can disrupt Windows Update operations without elevated privileges.
System administrators and users must be aware of the folder’s critical security role and the risks posed by junction hijacking. Vigilance in monitoring and restoring inetpub, combined with cautious user education, will be crucial until Microsoft releases an official fix.
This episode serves as a reminder that modern OS security increasingly depends on nuanced architectural protections, and even the most innocuous pieces of file system structure can become pivotal battlegrounds in cyber defense.
For all those managing Windows environments, the inetpub folder stands as a quiet sentinel—one whose presence should neither be ignored nor removed lightly.

This analysis is based on recent detailed investigations and community discussions documented in the WindowsForum.com archives and trusted tech reporting outlets .

Source: Microsoft mystery folder fix might need a fix of its own
 

The inetpub folder in Windows has recently become a focal point of discussion and concern among Windows users and IT professionals alike, notably since the April 2025 cumulative update for Windows 11 and Windows 10. Traditionally, inetpub is the default directory used by Microsoft’s Internet Information Services (IIS) web server to store website files and logs. On systems that don’t enable IIS, its presence used to be rare, but following the April 2025 update, inetpub appears automatically on virtually all Windows machines, even those without IIS installed or enabled. This unexpected emergence has raised questions about the purpose of this folder, why it has been introduced ubiquitously, and the security implications of keeping or deleting it.

Blue folder labeled 'inetpub' with a shield icon, surrounded by interconnected pipes on a blue background.
Background: The Origins and Purpose of inetpub Folder​

Inetpub has been a part of Windows for years, serving as the home directory for IIS-hosted content such as web pages, logs, and scripts. It plays a critical role in managing web hosting environments on Windows servers. However, starting from the April 2025 Patch Tuesday update (notably including KB5055523), Microsoft introduced this otherwise empty folder as a core part of a security fix across Windows 10 and Windows 11 devices—irrespective of IIS usage.
Microsoft has clarified that the creation of the inetpub folder is intentional and is an integral part of a broader strategy to address a critical system vulnerability, tagged CVE-2025-21204. This vulnerability revolves around the improper handling of symbolic links (or symlinks)—special file system objects that point to other files or directories. Exploiting this flaw, an attacker with physical or local access could trick Windows into following malicious symbolic links, leading to unauthorized modifications or elevation of privileges.

The Vulnerability: CVE-2025-21204 and Windows Symbolic Link Exploits​

The root of this issue lies in how the Windows Servicing Stack, which runs with SYSTEM privileges, interacts with certain system directories, including inetpub. Prior to the security update, attackers could manipulate missing directories or symlinks in the Windows Update stack. More specifically, they could create junction points or symbolic links that redirect where Windows Update operations write or read files. This redirection potentially opens doors for privilege escalation or system integrity breaches.
Microsoft's solution was to create the inetpub folder as a hardened, system-owned folder with tightly controlled permissions. It acts as a secured container, removing the exploitation avenue by ensuring the directory exists and is managed with trusted system ownership and rights. The inetpub folder serves as a "safe zone" or decoy area where Windows update and servicing components can reliably expend temporary operations without risk of attacker leverage.

Why the inetpub Folder Must Not Be Deleted​

Despite not actively containing user files or IIS data by default, Microsoft emphatically warns users and administrators against deleting the inetpub folder. The folder is deliberately empty and occupies negligible disk space but is critical for the patch’s effectiveness against sullying symbolic link exploits.
If users delete this folder, the protection it offers is bypassed, leaving systems vulnerable to symbolic link manipulations by local attackers. Such deletion also fragilizes the Windows Update system, leading to possible update failures or rollback events. If the folder is missing during update staging, Windows may fail to stage update files, resulting in incomplete or failed installations.
For those who have already deleted the folder, Microsoft provides a clear method to restore it: enabling the Internet Information Services feature in Windows temporarily recreates the folder with the required security permissions. Once restored, IIS can be disabled again, but the folder should not be removed to maintain the patch's integrity. Alternatively, reinstalling the update will also restore the folder correctly.

The Exploit Vulnerability Introduced by the inetpub Folder​

Ironically, while the inetpub folder resolves one security vulnerability, it creates another avenue for exploitation, as discovered by security researcher Kevin Beaumont. Local users without administrative privileges can create a directory junction—using the mklink command—that redirects "C:\inetpub" to point to any chosen file or directory, including system executables like notepad.exe.
This exploit effectively tricks the Windows Servicing Stack, which runs with SYSTEM privileges and treats "C:\inetpub" as a trusted directory, into following the junction and accessing incorrect targets. As a result, Windows updates can be blocked, failing to complete and potentially leaving the system unpatched.
Here lies the paradox: a security patch designed to prevent symbolic link attacks becomes vulnerable to a denial-of-service type attack via symbolic link/junction manipulation that any local non-admin user can trigger.

Mitigations and Workarounds Until Microsoft Provides a Permanent Fix​

Currently, Microsoft hasn't announced a fix addressing this secondary vulnerability directly; as a stopgap, users and administrators can modify the security permissions on the inetpub folder to prevent non-admin users and even administrators from creating or deleting junctions in the directory.
The recommended approach involves:
  • Right-clicking the inetpub folder in the system drive and selecting Properties.
  • Navigating to the Security tab and clicking Advanced.
  • Disabling inheritance and removing all inherited permissions.
  • Manually adding SYSTEM and TrustedInstaller principals with full control.
These steps restrict write/delete permissions for all other accounts, effectively preventing unauthorized junction creation. Windows Services running as SYSTEM or TrustedInstaller continue to access the folder as needed, and the Windows Update process does not fail due to junction tampering.
If users experience update failures after applying these changes, they may need to reset Windows Update components or revert the permissions modifications to troubleshoot further before reinstating the hardened permissions.

Broader Implications for Windows Users and IT Professionals​

The inetpub folder saga highlights several important lessons about modern Windows update processes and security design:
  • Complexity of Security Fixes: Security patches often involve nuanced changes in system structure, files, and permissions that users might find inexplicable or intrusive. An empty folder dedicated to IIS—added universally— is a striking example.
  • Unintended Side Effects: Fixes designed to patch one vulnerability may inadvertently open new vulnerabilities or operational issues, like the junction point exploit.
  • Importance of User Education and Communication: Microsoft’s experience underlines the necessity of clear documentation and communication around updates to avoid users inadvertently undermining critical protections by deleting "unused" system files.
  • The Role of System Hardening: The inetpub folder acts as a controlled container to secure critical servicing stack operations from symbolic link abuse. Such architectural hardening is increasingly part of defense-in-depth strategies.
  • Ongoing Vigilance: IT administrators should be vigilant for follow-up patches addressing the junction point bypass and should consider tighter user permissions, monitoring for unauthorized junctions on the system.
  • Balancing Convenience and Security: The inetpub folder reflects the difficult balance between system cleanliness and security integrity, as some users and admins react instinctively to remove empty or unfamiliar folders.

Conclusion​

The inetpub folder injected into Windows systems by Microsoft’s April 2025 update represents more than an odd folder—it is a carefully designed security mechanism aimed at counteracting a serious symbolic link vulnerability (CVE-2025-21204). Its presence is critical for maintaining Windows update and servicing stack integrity and preventing attacks that rely on deceptive directory redirection.
However, the folder also introduces a new exploitation possibility by enabling local, non-privileged users to alter its junction point structure, disrupting updates. Until Microsoft releases a definitive fix, users and IT admins are advised to harden the folder’s permissions as a practical defense.
Ultimately, the inetpub story encapsulates the intricate interplay between evolving security threats and system-level defenses in modern operating systems—showcasing a continuous security arms race at a fundamental file-system level under the hood of Windows.
Respecting system components—even empty folders—is essential in maintaining the layered security posture designed to keep Windows environments safe in an increasingly hostile cyber landscape.

References:
  • The original discovery and analysis of the inetpub folder vulnerability and exploit concept, including the CVE-2025-21204 impact.
  • Microsoft's official advisories warning not to delete the inetpub folder.
  • Instructions on restoring and securing the inetpub folder permissions.
  • Commentary on the symbolic link exploitation risks and mitigation strategies.
  • Security expert Kevin Beaumont’s discovery of the junction manipulation exploit.
  • Community and industry analysis of the update’s implications for users and IT professionals.
All information synthesized from WindowsForum.com research archives on threads_360001-362000.json and recent Microsoft update advisories and the original MakeTechEasier report on "Windows inetpub folder is hackable" .

Source: Windows 11's New Inetpub Folder is Hackable. Try This Temporary Fix - Make Tech Easier
 

Back
Top