Windows 11 'inetpub' Folder Security Flaw: Protect Your System Now

Here is a summary of the original Petri article on the Windows 11 'inetpub' folder security risk:

What happened?​

• After the April 2025 Patch Tuesday update, a new "inetpub" folder started appearing on Windows 10 and 11 machines.
• Microsoft created this folder to help patch a bug (CVE-2025-21204) that left PCs vulnerable to certain cyberattacks.

What is the "inetpub" folder?​

• Traditionally, "inetpub" is used by Internet Information Services (IIS) to store web content, logs, scripts, etc.
• Even if IIS isn’t active, Microsoft now insists this folder should not be deleted for protection purposes following the latest update.

What is the new risk?​

• Security researcher Kevin Beaumont found a new vulnerability:
• Non-admin (regular) users can create a “junction point” in the C:\ directory—a type of directory symbolic link—where inetpub would otherwise go.
• This prevents the system from actually creating the real "inetpub" folder.
• The result: All future Windows security updates can be blocked.
• PCs could be left exposed to threats fixed by those updates.
• This blockage produces error messages and failed update rollbacks.
• No admin rights are required—making it easier for attackers or mischievous users to exploit on shared devices.

Is Microsoft fixing it?​

• The researcher disclosed this issue to Microsoft, but as of writing, Microsoft has not publicly responded.

Summary​

• The well-intentioned fix created a significant new attack vector.
• Regular users could prevent critical updates and expose Windows systems to new security risks—even without special privileges.

Sources:
Full Petri Article

---

Source: Petri IT Knowledgebase https://petri.com/windows-11-inetpu...9AF6BAgFEAI&usg=AOvVaw2ig-_zB-aKuicALA4fUPGU/

 

[ChatGPT]

The recent emergence of the inetpub folder on Windows 11 systems, starting with the April 2025 cumulative update, has stirred considerable discussion and concern within the Windows user and administrator communities. This seemingly innocuous empty directory—traditionally associated with the Internet Information Services (IIS) web server—has surprisingly become a focal point for both security strategy and vulnerability, revealing deep insights into the current state and future direction of Windows system security.

Understanding the Inetpub Folder’s New Role​

The inetpub folder’s presence on virtually every Windows 11 PC following the April 2025 update (notably KB5055523) is neither accidental nor a bug. Microsoft has confirmed that this folder is intentionally created as part of a critical security patch addressing vulnerability CVE-2025-21204. This vulnerability involves improper handling of symbolic links (symlinks) within the Windows Update stack, which, if exploited, could allow local attackers to manipulate or redirect system file operations, potentially causing unauthorized elevation of privileges or compromising update integrity.
The folder essentially serves as a hardened container or controlled "safe zone" where Windows can safely stage update files and verify symbolic link operations with a trusted system-level permission context. Even though IIS itself might not be active, and the folder remains empty, inetpub acts as a protective measure preventing attackers from exploiting missing directories or symlink manipulations during update operations.
Traditionally, inetpub hosts web server files and IIS-related resources. In this new security capacity, it serves as a strategic anchor point with strict system permissions, ensuring that the Windows Servicing Stack, which runs with SYSTEM privileges, does not unknowingly follow malicious reparse points or junctions that could redirect update files to unintended locations. This novel use of an established IIS directory name leverages the operating system’s existing security architecture for a new defensive purpose .

The Vulnerability and How It’s Exploited​

The core vulnerability arises from the servicing stack's failure to differentiate between genuine directories and directory junctions (a type of reparse point that can redirect file system operations). Security researcher Kevin Beaumont demonstrated that any local user, without requiring administrator privileges, can replace the inetpub folder with a directory junction to any file—such as Notepad.exe. This redirect causes Windows Update operations to fail, either by blocking updates or triggering rollbacks.
In practical terms, an attacker with basic access to the PC could circumvent the patch protections by exploiting the inetpub folder’s symbolic link handling. This leads to denial-of-service conditions regarding Windows Update, effectively preventing new updates from being applied and leaving the system vulnerable to other exploits or malware. The simplicity of this exploit is concerning: it requires no elevated privileges and leverages built-in Windows command tools like mklink /J to perform the redirection. Such a low barrier increases the risk, especially in environments with multiple users or where devices might be physically accessible to others .

Microsoft’s Current Response and User Mitigation​

As of now, Microsoft has not publicly released an official fix or patch directly addressing this secondary vulnerability arising from the new inetpub folder deployment. However, users and IT administrators have devised temporary but effective mitigation strategies.
A recommended workaround involves modifying the security permissions on the inetpub folder to remove write and delete rights for all user accounts except for SYSTEM and TrustedInstaller. By restricting folder permissions in this manner, even local users with non-admin privileges cannot replace the inetpub folder with a directory junction, thus blocking the exploit pathway. The update and servicing processes maintain full access to the directory, ensuring updates can continue normally.
This permission adjustment can be achieved by:

• Accessing the folder properties in File Explorer,
• Navigating to the Security tab,
• Disabling inheritance to remove inherited permissions,
• Assigning Full Control only to SYSTEM and TrustedInstaller,
• Removing all other user permissions.

Users and administrators must be cautious with this action, as overly restrictive or incorrect permissions could interfere with update processes. If Windows Update errors occur following permission changes, resetting Windows Update components is advised before rolling back permission changes. Importantly, this solution is a temporary safeguard pending further patches from Microsoft .

Risks of Deleting the Inetpub Folder​

There has been some confusion and temptation among users to delete the inetpub folder given that it appears empty and unused by the average consumer. Microsoft strongly advises against deleting the folder, as its removal disables the security patch's protective mechanisms. Without the inetpub folder, the symbolic link vulnerability resurfaces, potentially exposing the device to local exploits and privilege escalations.
If users or administrators delete the inetpub folder, restoring it is critical. The recommended approach is to:

• Enable Internet Information Services (IIS) via the "Turn Windows features on or off" option in Control Panel,
• This action recreates the inetpub folder with the appropriate system permissions,
• Users can then disable IIS if not needed, leaving the folder intact,
• Alternatively, uninstalling and reinstalling the relevant Windows update will restore the folder.

Manual recreation of the folder and its permissions is possible but not recommended for most users due to the complexity and potential for misconfiguration. This recovery process underscores the importance of understanding that folders seemingly unrelated to daily use may hold critical security functions and should not be casually removed .

Broader Lessons and Implications for Windows Security​

This inetpub folder episode highlights multiple key themes in modern operating system security and update management:

• Security via System Structure: Microsoft’s approach shows an evolution from patching code flaws alone toward embedding structural safeguards in the OS file system and permission architecture. Creating decoy or controlled directories is a proactive barrier against exploitation that cleverly repurposes known system elements.
• The Challenge of Transparency: Users and IT professionals often face opaque updates that alter system behavior in non-obvious ways. The inetpub folder’s mysterious appearance caused understandable confusion, illustrating how critical clear update documentation and communication are to maintaining trust and preventing harmful user actions like deletion or permission changes that could destabilize systems.
• Fragility and Complexity of Cumulative Updates: Features introduced as mitigations can themselves harbor vulnerabilities or operational risks, requiring layered fixes and community vigilance. The inetpub vulnerability is a low-privilege local exploit but demonstrates that security solutions need continual reassessment to avoid turning into new attack vectors.
• The Need for User and Administrator Vigilance: Especially on multi-user or shared machines, even basic local access can be leveraged dangerously. Sound security policies include restricting user permissions carefully, staying informed about update impacts, and resisting the urge to "tidy up" system drives without validating changes.
• Windows Update as a Prime Attack Surface: The servicing stack operates with highest privileges and is thus a frequent target. Ensuring that its environment is tightly controlled and resilient to redirections is vital for maintaining system integrity.

Through this lens, the inetpub folder not only functions as a guardian in disguise but also an emblem of the ongoing tug-of-war between ease of use, security, and system complexity in modern Windows environments .

Conclusion​

The inetpub folder is far more than an empty directory or leftover artifact of internet hosting services. Introduced deliberately as a part of a critical Windows security update, it plays an essential role in protecting systems from symbolic link exploitation that could compromise Windows Update functionality and system integrity.
However, the folder’s deployment has also revealed new vulnerabilities—allowing non-admin users to hijack the folder via directory junctions, leading to update failures and potential security gaps. Until Microsoft patches this secondary vulnerability, users can safeguard their systems by adjusting folder permissions to restrict access to SYSTEM and TrustedInstaller only.
Furthermore, users must avoid deleting the inetpub folder, and if removed accidentally, promptly restore it via enabling IIS or reinstalling the update, thereby ensuring their system remains protected.
This episode serves as a cautionary tale about the intricacies of modern OS security management, the importance of transparent communications by vendors, and the ongoing vigilance required by users and administrators alike to maintain robust defenses in an evolving threat landscape. The inetpub folder is a quiet sentinel—empty yet essential—shielding the Windows ecosystem’s update processes from subtle but dangerous exploit attempts.
For Windows enthusiasts, IT admins, and security professionals, understanding and respecting these hidden defense layers is critical. While it may seem counterintuitive to accept an empty folder as a cornerstone of security, the inetpub saga underscores that in the complex world of cybersecurity, appearances can be deceiving.

---

If you want to ensure safe handling of the inetpub folder or learn how to adjust permissions correctly, consult Microsoft’s official documentation or trusted Windows community resources. Stay informed and cautious to maintain a secure and smoothly updating Windows environment .

---

Source: Windows 11's New Inetpub Folder is Hackable. Try This Temporary Fix - Make Tech Easier

 

[ChatGPT]

The recent introduction of the "inetpub" folder in Windows 11, starting with the April 2025 cumulative update, has stirred significant attention within the Windows user and security community. While on the surface it may appear as an empty, somewhat mysterious directory, this folder represents a deliberate and significant security measure integrated by Microsoft to defend against a specific, sophisticated vulnerability. The story behind inetpub’s emergence, its inherent security implications, and the subsequent exploit discovered showcases the complexities and sometimes paradoxical nature of modern operating system security.

What is the "inetpub" Folder and Why Is It Important?​

Traditionally, the "inetpub" folder is known as the default directory for Microsoft’s Internet Information Services (IIS), serving as the home for web content, logs, and web applications. It’s a folder normally created when IIS is installed and used to host and manage websites on Windows servers. Seeing this folder on typical consumer or non-server Windows 11 machines, especially those without IIS enabled, can understandably cause concern or confusion.
However, Microsoft has clarified that the creation of inetpub after the April 2025 update (notably KB5055523) is intentional and tied directly to the mitigation of a critical security vulnerability identified as CVE-2025-21204. This vulnerability involves improper handling of symbolic links (symlinks) within the Windows Update stack, which could allow a local attacker to maliciously redirect system operations to unauthorized files or folders, potentially escalating privileges or corrupting critical system files.
By creating the inetpub folder with strict system controls and permissions, Microsoft established what can be seen as a hardened, trusted workspace. This environment is designed to prevent symbolic link manipulation abuses by providing a controlled directory where Windows Update can safely stage files without being misdirected. The folder acts as a protective decoy, a security "moat" to intercept and neutralize what could be otherwise harmful file system operations.
This approach highlights a newer wave of security-by-design principles in Windows updates—sometimes security fixes involve inserting seemingly inert system components that underlie more complex defensive architectures. Users and administrators are explicitly advised not to delete this folder, as doing so may weaken these defenses and re-expose the system to the exploited vulnerability .

The Vulnerability and Its Exploitation: A Twist of Irony​

While inetpub’s presence is protective, a new dimension of risk emerged immediately upon its mandatory creation. Security researcher Kevin Beaumont revealed a surprisingly simple exploit that leverages standard Windows functionality—specifically the ability of any local user, even without administrative privileges, to create directory junctions (a form of symbolic link).
By executing a single command:
mklink /J C:\inetpub C:\Windows\System32\notepad.exe
a non-admin user can replace the legitimate inetpub folder with a junction pointing to a crucial system file like Notepad.exe or any other target. Because the Windows Servicing Stack runs under the SYSTEM account and treats C:\inetpub as a secure staging area, it does not verify whether the folder is a genuine directory or a reparse point (junction). This oversight leads Windows Update to try and place files in an invalid location, causing the update process to fail, roll back, or hang indefinitely.
This exploit essentially enables a local user with very limited privileges to sabotage system updates, blocking important security patches from being applied, which in a real-world setting could lead to greater vulnerability across networks. The exploit is not a privilege elevation vector in itself but a denial of service against the update process—an Achilles heel in Microsoft’s mitigation approach .

Microsoft’s Silence and the Workaround​

As of now, Microsoft has not publicly issued a patch or official fix specifically addressing this junction point vulnerability in inetpub. This conspicuous silence leaves users and IT administrators in a precarious position since the folder’s mandated creation is a core part of the security infrastructure, yet it can be weaponized to disrupt updates.
To mitigate this risk proactively, security practitioners recommend altering the permissions on the inetpub folder to deny write or delete permissions to all non-system accounts, including administrators, while retaining full control for SYSTEM and TrustedInstaller accounts, which require access for legitimate update operations.
The process to implement this lockdown involves:

• Right-clicking on C:\inetpub and opening Properties.
• Navigating to the Security tab, then Advanced settings.
• Disabling inheritance and removing inherited permissions.
• Adding explicit Full Control permissions only for SYSTEM and NT SERVICE\TrustedInstaller.
• Confirming and applying the changes.

This permission adjustment prevents any user from converting inetpub into a junction point, effectively blocking the exploit. However, it is a manual fix requiring administrative know-how and ongoing vigilance. Users encountering Windows Update failures after applying such changes may need to reset Windows Update components or revert the permission settings temporarily to troubleshoot.
This workaround underlines a broader challenge in Windows ecosystem security: patches intended to fix one vulnerability can inadvertently open new avenues for attack or disruption when assumptions about folder trust or ownership are not enforced robustly by the operating system .

Broader Implications: Security as a Balancing Act​

The inetpub folder saga encapsulates key lessons about the evolving strategies and pitfalls in modern OS security:

• Security Through Complexity: Modern patching involves multi-layered defenses that sometimes rely on unexpected system artifacts like empty folders. The complexity adds security but can introduce new attack surfaces.
• Local User Threats: Even non-admin users pose a risk in today's systems as privilege boundaries become blurred through indirect exploits like symbolic link manipulation.
• Patch Management Fragility: Windows updates are critical yet sometimes fragile operations where subtle filesystem or permission assumptions can lead to cascading failures or vulnerabilities.
• Responsibility for Users and Admins: Until vendors provide comprehensive fixes, manual workarounds by savvy administrators remain necessary to secure systems.
• Communication Challenges: Microsoft’s limited public discourse on this issue highlights a common industry problem—security patches are often technical, undocumented black boxes to end-users that can cause uncertainty or inadvertent misconfiguration.

For end users, the takeaways are clear: do not delete the inetpub folder; keep Windows fully updated; consider hardening folder permissions; and if update errors appear, investigate permission-based attack vectors. For enterprises, enhanced endpoint protections against local user exploits and detailed patch impact analysis should be standard practice .

Conclusion​

The inetpub folder in Windows 11 is a prime example of how security solutions can sometimes become double-edged swords. Created as a critical security enhancement to combat symbolic link abuses in the Windows servicing stack, the folder's very presence has opened a novel attack avenue whereby non-admin users can interfere with update processes via directory junction manipulation.
Until Microsoft addresses this root cause with a patch, users and administrators must rely on permission hardening strategies to protect systems. This incident underscores the inherent challenges of securing complex, widely-used operating systems like Windows and the ongoing dance between defensive innovation and emerging threats.
Embracing such nuanced security features requires a blend of user education, transparent communication from vendors, and diligent system management to maintain the integrity and resilience of modern computing environments. The inetpub folder—though empty and unassuming—is quietly standing guard over Windows’ security landscape, embodying both protection and vulnerability in equal measure.

---

This feature combines technical depth with strategic perspective to illuminate an emerging Windows 11 security narrative crucial for IT professionals and everyday users alike. For continued updates and peer discussions, communities such as WindowsForum.com offer invaluable real-time insights and practical advice.

---

References:

• Microsoft’s design of inetpub folder for CVE-2025-21204 mitigation
• Kevin Beaumont’s exposition on mklink /J exploit of inetpub
• Security and permissions workaround for inetpub junction exploit
• User and admin guidance on maintaining Windows update integrity under new patch conditions

---

Source: Windows 11's New Inetpub Folder is Hackable. Try This Temporary Fix - Make Tech Easier

 

[ChatGPT]

The recent emergence of the "inetpub" folder on Windows 11 systems, following the April 2025 cumulative updates, has caused considerable discussion and concern among users and IT professionals alike. Traditionally, this folder is known as the default root directory for Microsoft's Internet Information Services (IIS), used for hosting websites and web applications. However, with recent updates, an empty "inetpub" folder now appears on practically every Windows 11 system, regardless of whether IIS is installed or active. This development is not a glitch or overlooked residue but a calculated security feature introduced by Microsoft as part of addressing a critical vulnerability, CVE-2025-21204.

The Security Patch and the Role of the Inetpub Folder​

CVE-2025-21204 refers to a vulnerability discovered in the Windows Update servicing stack. The flaw specifically involved improper handling of symbolic links (also known as symlinks or junction points), which are filesystem shortcuts that point to other files or directories. Prior to the patch, attackers with local access could exploit symbolic link mishandling to trick Windows into modifying or accessing files it was not supposed to, potentially escalating privileges or corrupting critical system files.
To mitigate this risk, Microsoft implemented a preventive structural measure: the automatic creation of the "inetpub" folder on the system drive as a controlled environment with strict permissions. This folder acts as a trusted directory, designed to prevent any malicious redirection through symbolic links during Windows Update operations. By ensuring the folder exists with correct security settings, Windows can securely stage update files without falling prey to symbolic link manipulation.
Despite this purposeful installation, the folder itself remains empty and does not indicate IIS is running or enabled on the system. It occupies negligible disk space and is largely invisible to end users in normal system activities. Microsoft has explicitly warned users not to delete this folder, as doing so undermines the effectiveness of the security patch, leaving systems vulnerable to the very exploits the patch was designed to prevent.

The Exploitability and Ease of Attack​

While the introduction of this folder was meant to plug a major security hole, unintended consequences have surfaced that pose a novel risk. Security researcher Kevin Beaumont has revealed that any local user on the system, including non-admin accounts, can exploit the "inetpub" folder’s existence by replacing it with a directory junction to an arbitrary target, such as a system file like Notepad.exe.
This is achieved by a simple command executed in the command prompt without administrative privileges:
mklink /J C:\inetpub C:\Windows\System32\notepad.exe
This command deletes the original "inetpub" folder and creates a junction point (a type of symbolic link) pointing to another file. Since the Windows servicing stack runs as SYSTEM and trusts the "inetpub" directory, it will mistakenly follow this junction and attempt to stage update files in the wrong location. This redirection causes Windows Update operations to fail or roll back, effectively blocking system updates and opening the door for patch sabotage.
The implication here is profound: the basic security patch relies on a folder that local non-elevated users can manipulate to disrupt the update process. While this requires physical or local access and is not a remote exploit, it represents a glaring vulnerability in Windows update infrastructure that can be leveraged by malicious insiders or malware operating with standard user privileges.

Mitigating the Vulnerability: Practical Steps Until a Microsoft Fix​

As of now, Microsoft has remained notably silent on the vulnerability, and no official fix or update addressing this exploitation vector has been announced. In the meantime, users and system administrators can adopt defensive measures to protect their systems.
The core principle to prevent exploitation is to restrict write and delete permissions on the "inetpub" folder for all users except the SYSTEM and TrustedInstaller accounts. This approach ensures that only trusted system processes can modify or remove the folder, effectively blocking non-admin users from replacing it with a malicious junction.
Here is a stepwise guide to apply this mitigation:

• Navigate to the root of the system drive (usually C:), right-click the "inetpub" folder and select Properties.
• Go to the Security tab and click the Advanced button.
• In the advanced security settings, click Disable inheritance and then choose Remove all inherited permissions.
• Click Add, then Select a principal, and enter SYSTEM. Confirm and assign Full control permissions.
• Repeat the previous step for the NT SERVICE\TrustedInstaller account.
• Apply and save all changes.

After this, the folder is only editable by core system components, and any attempt by a user or process without proper permissions to modify or delete the folder will be blocked with a permission denied error.
In environments where this mitigation is applied, Windows Update should continue functioning normally, and the risk posed by the current vulnerability is minimized. Should this solution need to be reversed, users can re-enable permission inheritance through similar steps to restore default access.

The Broader Context: A Symptom of System Complexity and Security Trade-offs​

This incident reflects a recurring theme in Windows security management: the complexity of balancing usability, backward compatibility, and layered defense mechanisms sometimes leads to imperfect fixes or new attack surfaces. The "inetpub" folder's introduction was a clever workaround for a tricky vulnerability, yet the patch's implementation inadvertently opened a related weakness due to insufficient checks in the servicing stack around symbolic link validation and folder permissions.
Moreover, the exploitability by non-admin users is concerning given the rise of shared desktops, multi-user workstations, and the increasing intermixing of personal and corporate usage. Even with physical security measures in place, this kind of vulnerability lowers the barrier for an insider threat or a compromised standard user account to hinder updates, potentially preventing critical patches from installing.
While not trivial to exploit in remote attack scenarios, the existence of such an easily triggered weakness emphasizes the need for vigilant system administration practices and for Microsoft to address these foundational issues in future servicing stack improvements.

Restoring Deleted Inetpub Folder: What If You Remove It?​

Some users have attempted to delete the mysterious "inetpub" folder out of curiosity or in a mistaken effort to clean up their system drives. Microsoft strongly advises against this, as the folder’s absence breaks the security patch's functionality.
If deleted, users can restore the folder by:

• Opening Control Panel → Programs and Features.
• Clicking Turn Windows features on or off.
• Temporarily enabling Internet Information Services (IIS), which recreates the "inetpub" folder with appropriate permissions.
• Disabling IIS afterward if desired.

Alternatively, reinstalling the relevant Windows update or waiting for the next cumulative update typically restores the folder correctly.

Conclusion: A Guardian Folder with a Catch​

The "inetpub" folder on Windows 11 systems epitomizes a modern cybersecurity challenge—sometimes, protective measures introduce new complexities and risks that demand ongoing vigilance. This empty folder is no benign artifact; it is a silent guardian designed to harden the system against a significant symbolic link exploit. Yet, its current implementation opens a straightforward avenue for local users to undermine Windows update mechanisms.
Until Microsoft issues a robust fix, IT professionals and users should proactively harden permissions on the folder to halt exploitation. At the same time, this episode serves as a reminder that even empty folders can carry tremendous importance in the security fabric of modern operating systems. Awareness, cautious system management, and staying abreast of updates remain critical to maintaining Windows system integrity.
By respecting the "inetpub" folder and implementing the appropriate mitigations, users help ensure their PCs remain secure and fully patched, even amid the complex trade-offs sometimes unavoidable in operating system security.

---

---

Source: Windows 11's New Inetpub Folder is Hackable. Try This Temporary Fix - Make Tech Easier

 

[ChatGPT]

The inetpub folder, traditionally known as the home directory for Microsoft's Internet Information Services (IIS), has recently become a center of attention due to its unexpected appearance on Windows 11 and Windows 10 systems following the April 2025 cumulative update. While many users and administrators initially puzzling over why an empty inetpub folder suddenly appeared on their C: drive, this seemingly innocuous folder is far from a benign or accidental addition. In fact, it is a deliberate component of a security strategy designed to mitigate a critical and complex vulnerability in Windows, specifically CVE-2025-21204. However, the fix has introduced a new security risk centered around how the folder can be exploited, creating a nuanced scenario of an intended safeguard becoming an exploitable weak point.

The Security Vulnerability Behind the Inetpub Folder​

This story starts with a vulnerability, CVE-2025-21204, related to the improper handling of symbolic links (also known as symlinks or junction points) in the Windows Update process. Symbolic links in Windows are filesystem objects that redirect access from one file or folder to another, similar to shortcuts but at a system level. The vulnerability allowed attackers with local access to create malicious symbolic links that misdirect the Windows servicing stack during updates, potentially leading to unauthorized modification of system files or denial of service by blocking updates.
To counter this, Microsoft introduced the inetpub folder as a hardened, controlled directory at the root of the system drive (C:\inetpub). By creating and enforcing strict permissions on this folder owned by SYSTEM and TrustedInstaller accounts, Windows Update gains a trusted location to stage update files, reducing the risk that attackers can insert malicious symlinks to tamper with update operations. The folder’s mere presence, empty as it is, acts as a "safe zone" designed to disrupt the ability of malware or unauthorized users to exploit symbolic link weaknesses during updates.

Why the Inetpub Folder?​

Initially, the choice of inetpub might seem odd, especially for machines not running IIS and where users may have no reason to interact with this folder. However, inetpub is historically a recognized component tied to Internet Information Services, a part of Windows web server infrastructure, making it a familiar and standardized directory to reinforce security policies around symbolic link handling. By standardizing this directory’s creation with appropriate permissions, Microsoft leverages an established system folder for its security role without adding obscure new artifacts in the filesystem.
The intent is clear: the inetpub folder is a preventive structural measure essential for mitigating symbolic link exploits that could impact update integrity and system security. Microsoft explicitly warns against deleting or tampering with this folder, as doing so could negate the benefits of the patch and leave systems vulnerable.

The Unexpected Exploit: How Inetpub Itself Can Be Hijacked​

Unfortunately, this patch introduced an ironic vulnerability in itself. Security researcher Kevin Beaumont discovered that non-admin users—anyone with local access—can exploit the inetpub folder by replacing it with a directory junction (a type of symbolic link in Windows). Using a simple command, such as mklink /J C:\inetpub C:\Windows\System32\notepad.exe, attackers can redirect access from inetpub to a benign or unrelated file.
The Windows servicing stack runs with SYSTEM privileges and naively assumes that the C:\inetpub folder is a conventional directory it can safely write to. It does not validate whether inetpub is a directory junction or a regular folder, nor does it verify ownership or permissions tightly enough to detect manipulations. When the servicing stack attempts to stage files in inetpub, the redirection causes file operations to fail or roll back. This blocks or sabotages Windows Update processes, creating a denial of service condition whereby critical security patches cannot be applied.
Hence, this new folder, intended as a security fortress, can be turned into a Trojan horse used to undermine update reliability and security hardening.

Broader Security Implications​

The inetpub folder vulnerability exemplifies a recurring pattern in Windows security: patches fixing one exploit inadvertently open new, sometimes simpler, attack vectors. This is particularly problematic because the exploit requires only local access with non-elevated privileges—no admin rights are necessary. In environments with shared computers, remote desktop access, or less controlled endpoints, this vulnerability significantly lowers the barrier for attackers to disrupt Windows updates.
Windows administrators and security professionals face the challenge of balancing sufficient privilege assignments to users without unintentionally enabling such exploit paths. The fact that basic filesystem linking commands can compromise an important OS update folder highlights ongoing architectural and permission management weaknesses.

Temporary Mitigation for the Inetpub Folder Vulnerability​

Microsoft has not yet publicly released a fix to address this directory junction abuse. Meanwhile, security-conscious users and administrators can mitigate the risk by hardening the inetpub folder permissions to remove write and delete permissions for all users except SYSTEM and TrustedInstaller. This prevents unauthorized creation or alteration of junction points targeting inetpub.
The recommended steps are:

• Right-click on the inetpub folder (C:\inetpub) and select Properties.
• Go to the Security tab and click Advanced.
• Disable inheritance and remove all inherited permissions.
• Add explicit Full Control permissions for SYSTEM and NT SERVICE\TrustedInstaller only.
• Remove all other user or group permissions.

With these permissions in place, no non-system process can manipulate inetpub’s directory junctions or replace it, thwarting the attack vector demonstrated with mklink commands. The servicing stack, executing as SYSTEM, retains access and can perform updates normally.
If for any reason these hardened permissions cause update issues, users are advised to first reset Windows Update components before reverting permissions.

Restoring Inetpub If Accidentally Deleted​

Some users or IT managers, suspecting the folder to be unnecessary clutter, might delete inetpub. Microsoft strongly advises against this because its removal disables critical protections against the symbolic link vulnerability. If inetpub is deleted, Windows updates could fail or the system could become exposed.
To restore inetpub, the recommended method is to enable the Internet Information Services (IIS) feature via Control Panel:

• Open Control Panel → Programs and Features → Turn Windows features on or off.
• Check "Internet Information Services" and click OK.
• This action recreates the inetpub folder with the correct permissions.
• Afterward, IIS can be disabled again without deleting the folder, retaining the security fix.

Alternatively, reinstalling the relevant Windows update or reinstalling the system patch that introduced inetpub also restores it properly.

The Lessons and Outlook for Windows Security​

This inetpub episode underscores multiple enduring realities of modern Windows security management:

• Patching Complexity: Fixing underlying vulnerabilities can introduce new attack surfaces when patches involve file system structure changes and permission adjustments.
• User Communication: Users need clear, timely, and accessible technical explanations about the role of system artifacts like inetpub to avoid risky behavior like deletion.
• System Hardening: Default permissions and system processes require continuous review to close loopholes that permit local user privileges to cause disruption.
• Balance of Usability and Security: The tension between maintaining a manageable user environment and preventing misuse of features like symbolic links persists, requiring vigilant operational practices.

Until Microsoft releases an official patch revising update stack validation of symbolic links and directory junctions, administrators must apply manual defenses to protect update integrity.

Conclusion​

The inetpub folder, once a humble component of Windows IIS web hosting, now plays an ironic role as both a shield and a potential point of exploitation in Windows 11’s latest security update. Its creation was a forward-looking step to curb symbolic link attacks during updates, yet the folder’s manipulability by non-admin users highlights persistent challenges in Windows’ privilege and filesystem security model.
Windows users and IT professionals should heed Microsoft’s advice: do not delete inetpub, restore it if missing, and harden its permissions to block unauthorized modifications. This approach provides vital protection until Microsoft covers this emerging vulnerability with a definitive fix.
This case study into the inetpub folder's dual role as a security feature and vulnerability reminder reveals much about the evolving cybersecurity landscape in operating systems and the intricate dance of defense, exploitation, and patching that continues to define it .

---

Source: Windows 11's New Inetpub Folder is Hackable. Try This Temporary Fix - Make Tech Easier

 

[ChatGPT]

The recent appearance of the "inetpub" folder on Windows 11 systems, particularly after the April 2025 cumulative update, marks a significant yet somewhat perplexing development in Microsoft's ongoing efforts to bolster Windows security. While the folder's sudden emergence on virtually all updated computers has caused confusion among users and IT professionals alike, its presence is far from arbitrary. Instead, it embodies a strategic, albeit imperfect, response to a complex security vulnerability rooted in symbolic link exploitation. Understanding the implications of this folder’s creation, the security concerns it addresses and inadvertently introduces, and practical mitigation steps is vital for Windows enthusiasts and system administrators committed to maintaining robust system integrity.

The Origin and Purpose of the Inetpub Folder in Windows Updates​

Traditionally, the inetpub folder is associated with Microsoft’s Internet Information Services (IIS) web server—a component installed predominantly on servers and development machines to host web applications and websites. On typical consumer or business machines without IIS enabled, "inetpub" would not be present. The April 2025 Windows 11 update (specifically KB5055523) changed this norm by introducing an empty "inetpub" folder on the system drive (C.
Microsoft confirmed this was intentional and tied to a critical security patch aimed at addressing vulnerability CVE-2025-21204. This vulnerability involved improper handling of symbolic links (or symlinks) in the Windows Update stack, which potentially allowed local attackers to redirect system file operations maliciously. Symbolic links are filesystem objects that point to other files or directories, serving as shortcuts. Mishandling these links could enable attackers to inject malicious redirections, ultimately compromising system integrity by elevating privileges or manipulating critical files.
Creating the inetpub folder with locked-down system-level permissions acts as a controlled container to mitigate this risk. By establishing a trusted directory that Windows Update can reliably reference, the system limits symbolic link exploitations in update operations. Essentially, inetpub serves as a "decoy" or hardened staging ground where symlink redirection attacks are neutralized, helping ensure the integrity of update deployment and safeguarding critical system components.

The Security Vulnerability and Its Exploitability​

Despite this protective intent, researchers like Kevin Beaumont uncovered an ironic flaw: any local user, including non-administrators, can manipulate the newly created inetpub folder by replacing it with a directory junction (a type of symlink in Windows). Using a simple command such as:
mklink /J C:\inetpub C:\Windows\System32\notepad.exe
an attacker fragments the trust Windows places in inetpub. By redirecting inetpub access to a file like Notepad instead of a secure directory, Windows Update becomes confused or blocked when it tries to stage files, causing update failures or rollbacks. The servicing stack runs as SYSTEM and treats inetpub as a trusted path but does not verify if it is a junction or who owns it; this lack of validation creates a loophole.
This exploitability represents a peculiar paradox wherein the security measure meant to protect Windows Update inadvertently opens a new attack vector—a local denial of service against updates. Since the exploit requires only standard user privileges, it is particularly worrying in multi-user or shared machine environments where malicious local access could be achieved with relative ease.

Practical Impact and Warning: Why You Should Not Delete Inetpub​

Given its origins, the inetpub folder is essential for the ongoing integrity of Windows Update operations and system security. Deleting this folder, despite its emptiness and apparent lack of active use, disables critical protections tied to the associated patch. Microsoft has strongly advised users not to remove or modify this folder. Removing inetpub could effectively "undo" the security fixes associated with CVE-2025-21204, exposing systems to symbolic link exploitation and privilege escalation threats.
For users who have deleted the folder—often tripped by system cleanup urges or misunderstanding its purpose—Microsoft recommends restoring it by enabling IIS through the "Turn Windows features on or off" interface. Enabling IIS recreates the inetpub folder with the correct security permissions. This workaround reinstates the folder's protective functions without requiring full IIS activation. Alternatively, reinstalling the relevant Windows security updates can also restore the folder correctly.

Temporary Mitigation: Locking Down the Inetpub Folder​

Until Microsoft issues a dedicated fix to prevent directory junction exploitation of inetpub, users and administrators can manually harden the folder’s permissions to prevent unauthorized junction creation. The critical approach is to strip all user write or delete permissions from the inetpub folder, while retaining full control for SYSTEM and TrustedInstaller accounts. This change stops non-system processes—including non-admin users—from replacing the inetpub folder with malicious junctions.
The steps are straightforward:

• Right-click on C:\inetpub and open Properties.
• Navigate to the Security tab and click Advanced.
• Disable inheritance, opting to remove all inherited permissions.
• Add explicit permissions granting Full Control only to SYSTEM and NT SERVICE\TrustedInstaller.
• Apply changes and exit.

This locks the folder so that only essential Windows update processes can access or modify it safely. Attempts by other users to alter inetpub result in permission denied errors, thwarting the directory junction exploit temporarily.

The Bigger Picture: What This Reveals About Windows Security​

This inetpub folder saga exposes larger truths about Microsoft's security approach and Windows update complexities. Rather than directly fixing the symbolic link vulnerability by changing how Windows validates and resolves symlinks, Microsoft created a structural workaround involving the inetpub folder. This solution reclaimed a historical IIS folder as a protective container, embedding new security rules around it.
While this reflects conceptual creativity, the vulnerability to directory junction replacement underscores a reactive, patchwork quality in Windows security design. The problem—a privileged system process trusting a folder without verifying its true nature—illustrates systemic challenges in balancing legacy filesystem behaviors, backward compatibility, and modern security needs.
The fact that relatively unsophisticated local users can subvert such a key patch indicates a need for more robust validation of system folders and symbolic link handling, especially in security-critical contexts like Windows updates. Moreover, Microsoft's silence or slow response to this discovery has left users and administrators caught between applying essential security fixes and managing new weak points the fixes create.

Summary and Best Practices for Users and IT Administrators​

• Do Not Delete the inetpub Folder: Even if it appears empty and unused, this folder is integral to the latest Windows security patch protecting against symbolic link exploits.
• Restore inetpub If Deleted: Enable IIS in Windows Features to regenerate the folder correctly, or reinstall the relevant Windows update to restore secure permissions and defenses.
• Lock Down Permissions on inetpub: To prevent malicious local users from replacing the folder with harmful junctions, remove write and delete permissions from all users except SYSTEM and TrustedInstaller.
• Stay Updated and Informed: Follow official Microsoft advisories and trusted third-party security analyses to keep abreast of any forthcoming patches addressing this issue more holistically.
• Exercise Caution on Multi-User Systems: Since non-admin users can exploit this vulnerability, systems in shared or untrusted environments should adopt stricter user access controls.

The inetpub folder vulnerability represents an intricate example of how modern cybersecurity depends on a delicate interplay of system architecture, user privileges, and update strategies. While imperfect, the folder’s existence and associated workarounds are currently necessary to guard against a deeper symbolic link exploit. Windows users and IT professionals alike should heed the guidance to maintain this folder’s presence and secure its permissions, ensuring their systems remain resilient until Microsoft delivers a comprehensive solution.

---

This comprehensive look at the inetpub folder issue blends technical detail with practical advice, revealing the unfolding narrative of Windows update security in 2025. It illuminates both the promise and peril of Microsoft’s evolving patchwork defense strategies designed to safeguard millions of devices worldwide against increasingly subtle attacks.

---

References:

• Kevin Beaumont’s research and public disclosure on the inetpub folder vulnerability.
• Microsoft’s official advisory on inetpub's role in the CVE-2025-21204 patch.
• Detailed user and expert discussions on locking down inetpub permissions as a mitigation.
• Community and security forums highlighting the nature and impact of symbolic link exploitation in Windows updates.

For further reading and detailed step-by-step mitigation instructions, users can refer to MakeTechEasier’s coverage on the Windows inetpub folder vulnerability and related Windows community discussions.

---

Source: Windows 11's New Inetpub Folder is Hackable. Try This Temporary Fix - Make Tech Easier