The inetpub folder has recently become the center of an intriguing and somewhat ironic security controversy in Windows 11, particularly after the April 2025 cumulative update. This seemingly innocuous and empty system folder, traditionally associated with Microsoft's Internet Information Services (IIS), has taken on a new security role while simultaneously opening another attack vector that is the topic of intense discussion among Windows users, IT professionals, and security researchers.
Historically, the inetpub folder has been the repository for IIS web server files — including web content, logs, scripts, and administrative scripts. Typically, this folder only exists if IIS is enabled on a Windows machine, serving web hosting and server applications. However, following the April 2025 Patch Tuesday updates (notably KB5055523 for Windows 11), Microsoft began creating an empty inetpub folder by default on all Windows 11 (and some Windows 10) installations regardless of IIS usage.
This change was part of a targeted security patch designed to address a vulnerability known as CVE-2025-21204. This vulnerability concerns the improper handling of symbolic links (or symlinks) within the Windows Update servicing stack. Symbolic links can act like shortcuts to files or directories, but if exploited, they can redirect operations to unexpected or unintended files, potentially allowing privilege escalation, tampering, or unauthorized modification of critical system files.
Microsoft’s mitigation strategy was to introduce the inetpub folder as a controlled container—a hardened directory with strict permissions owned by SYSTEM and TrustedInstaller. By doing so, Windows Update operations gain a "safe zone" that prevents attackers from planting malicious symlinks by ensuring the directory exists and has correct ownership and access rights. The inetpub folder thus acts as a security anchor and a decoy environment to thwart the exploitation path related to symbolic links during update processes.
Users have been officially warned by Microsoft not to delete the inetpub folder, as its absence effectively disables or weakens the security fix, leaving systems open to tampering and attack through the known vulnerability. Although empty, the inetpub folder serves an essential behind-the-scenes protective function in the Windows ecosystem to safeguard the update mechanism and system integrity.
Specifically, by running a command like:
any local user — even without administrative privileges — can point the inetpub folder path to an arbitrary file or folder, such as Notepad.exe or another target. Because the Windows Servicing Stack runs as SYSTEM and trusts the inetpub folder unconditionally, it doesn't verify that the folder is a genuine directory; it blindly follows the junction point.
When Windows Update hits this junction, it fails to stage or apply updates properly, causing update failures or rollbacks. This effectively blocks critical security updates from applying, opening a denial-of-service vector against patching processes. Since any user with basic command-line skill can execute this attack, it represents a surprisingly easy, low-privilege exploit to disrupt system security.
The vulnerability also highlights a fundamental principle often emphasized in Windows security: the principle of least privilege must be rigorously enforced, including restricting non-admin rights over critical system directories. Yet in this case, the inetpub folder’s parent directory (C
permissions allow users to replace or link the folder without needing admin credentials, undermining the update process’s trust assumptions.
The basic steps involve:
If issues appear with updates after applying this fix, resetting Windows Update components may be necessary before adjusting permissions back to their defaults, ensuring a smooth update experience.
Microsoft’s creation of the inetpub folder as a "defense-in-depth" mechanism follows a defensive design philosophy where security layers include decoy directories or controlled containers to limit attack surfaces. Yet, this solution shows how implicit trust in system paths and directory structures can inadvertently undermine security when combined with user permission configurations.
This episode also reminds IT personnel and administrators of several key lessons:
Until Microsoft issues a formal patch addressing this issue, users are advised not to delete the inetpub folder and to apply the recommended permission restrictions to prevent local exploitation. This pragmatic approach preserves the patch’s intended protections and maintains system update reliability.
While the inetpub folder is empty and silent on most systems, its strategic significance as a sentinel guarding crucial update infrastructure has become clearer. It reminds us that in the intricate architecture of Windows security, even empty directories can play a pivotal role—and that vigilance, proper permissions, and informed administration remain essential defenses in the ongoing cybersecurity battle.
For Windows enthusiasts, IT admins, and security professionals, the inetpub story offers a valuable case study on the delicate balance between automated system hardening and the unforeseen challenges posed by opened doors at lower privilege levels.
Source: Windows 11's New Inetpub Folder is Hackable. Try This Temporary Fix - Make Tech Easier
The inetpub Folder’s Role and Its Security Purpose
Historically, the inetpub folder has been the repository for IIS web server files — including web content, logs, scripts, and administrative scripts. Typically, this folder only exists if IIS is enabled on a Windows machine, serving web hosting and server applications. However, following the April 2025 Patch Tuesday updates (notably KB5055523 for Windows 11), Microsoft began creating an empty inetpub folder by default on all Windows 11 (and some Windows 10) installations regardless of IIS usage.This change was part of a targeted security patch designed to address a vulnerability known as CVE-2025-21204. This vulnerability concerns the improper handling of symbolic links (or symlinks) within the Windows Update servicing stack. Symbolic links can act like shortcuts to files or directories, but if exploited, they can redirect operations to unexpected or unintended files, potentially allowing privilege escalation, tampering, or unauthorized modification of critical system files.
Microsoft’s mitigation strategy was to introduce the inetpub folder as a controlled container—a hardened directory with strict permissions owned by SYSTEM and TrustedInstaller. By doing so, Windows Update operations gain a "safe zone" that prevents attackers from planting malicious symlinks by ensuring the directory exists and has correct ownership and access rights. The inetpub folder thus acts as a security anchor and a decoy environment to thwart the exploitation path related to symbolic links during update processes.
Users have been officially warned by Microsoft not to delete the inetpub folder, as its absence effectively disables or weakens the security fix, leaving systems open to tampering and attack through the known vulnerability. Although empty, the inetpub folder serves an essential behind-the-scenes protective function in the Windows ecosystem to safeguard the update mechanism and system integrity.
New Security Vulnerability: The Junction Point Exploit
While the inetpub folder was introduced to remediate a significant risk, an ironic new security risk quickly emerged. Security researcher Kevin Beaumont discovered that a non-administrative user with local access can exploit this folder’s presence to sabotage Windows Update operations by replacing the inetpub folder with a directory junction (a kind of advanced symbolic link).Specifically, by running a command like:
mklink /J C:\inetpub C:\Windows\System32\notepad.exeany local user — even without administrative privileges — can point the inetpub folder path to an arbitrary file or folder, such as Notepad.exe or another target. Because the Windows Servicing Stack runs as SYSTEM and trusts the inetpub folder unconditionally, it doesn't verify that the folder is a genuine directory; it blindly follows the junction point.
When Windows Update hits this junction, it fails to stage or apply updates properly, causing update failures or rollbacks. This effectively blocks critical security updates from applying, opening a denial-of-service vector against patching processes. Since any user with basic command-line skill can execute this attack, it represents a surprisingly easy, low-privilege exploit to disrupt system security.
Implications of the Vulnerability
This exploitation vector exposes a lingering Windows security design flaw: a critical system process running at SYSTEM level trusts certain directories implicitly and does not validate reparse points or directory ownership properly before performing sensitive file operations. As a result, local users can “hijack” the update process by manipulating directory junctions.The vulnerability also highlights a fundamental principle often emphasized in Windows security: the principle of least privilege must be rigorously enforced, including restricting non-admin rights over critical system directories. Yet in this case, the inetpub folder’s parent directory (C
permissions allow users to replace or link the folder without needing admin credentials, undermining the update process’s trust assumptions.Temporary Workaround to Secure inetpub
Microsoft had not yet released a fix specific to this vulnerability at the time of discovery, leaving users vulnerable to update sabotage. However, a practical temporary mitigation involves manually adjusting the permissions for the inetpub folder:- Remove write and delete permissions for all user accounts (including administrators) on the C:\inetpub folder.
- Explicitly grant full control only to SYSTEM and TrustedInstaller accounts.
The basic steps involve:
- Right-click on C:\inetpub, open Properties.
- Navigate to the Security tab and click Advanced.
- Disable inheritance and remove all inherited permissions.
- Add explicit permissions granting Full Control to SYSTEM.
- Add explicit permissions granting Full Control to NT SERVICE\TrustedInstaller.
- Confirm and exit.
If issues appear with updates after applying this fix, resetting Windows Update components may be necessary before adjusting permissions back to their defaults, ensuring a smooth update experience.
Broader Context and Lessons Learned
The inetpub folder glitch illustrates both the complexity and fragility of modern operating system security, where fixes for one vulnerability can inadvertently expose new weaknesses. It embodies a classic challenge in cybersecurity—complex defensive systems must constantly evolve, but patches can introduce unexpected side effects.Microsoft’s creation of the inetpub folder as a "defense-in-depth" mechanism follows a defensive design philosophy where security layers include decoy directories or controlled containers to limit attack surfaces. Yet, this solution shows how implicit trust in system paths and directory structures can inadvertently undermine security when combined with user permission configurations.
This episode also reminds IT personnel and administrators of several key lessons:
- Do not hastily delete or modify newly created system folders without understanding their purpose, especially after major updates.
- Maintain strict file system permissions on critical system paths, avoiding overly permissive settings for standard users.
- Monitor Microsoft’s official channels for guidance on mitigating emerging vulnerabilities and temporarily patching unidentified risks.
- Prepare for manual mitigations to address update failures, such as resetting update components or adjusting permissions, if affected.
Conclusion
The inetpub folder in Windows 11 represents a fascinating juxtaposition of security design and vulnerability. Initially introduced as a protective measure against symbolic link exploitation (CVE-2025-21204), its presence has become a new exploitation surface allowing non-admin users to disrupt Windows Update processes through directory junctions.Until Microsoft issues a formal patch addressing this issue, users are advised not to delete the inetpub folder and to apply the recommended permission restrictions to prevent local exploitation. This pragmatic approach preserves the patch’s intended protections and maintains system update reliability.
While the inetpub folder is empty and silent on most systems, its strategic significance as a sentinel guarding crucial update infrastructure has become clearer. It reminds us that in the intricate architecture of Windows security, even empty directories can play a pivotal role—and that vigilance, proper permissions, and informed administration remain essential defenses in the ongoing cybersecurity battle.
For Windows enthusiasts, IT admins, and security professionals, the inetpub story offers a valuable case study on the delicate balance between automated system hardening and the unforeseen challenges posed by opened doors at lower privilege levels.
Source: Windows 11's New Inetpub Folder is Hackable. Try This Temporary Fix - Make Tech Easier
