Windows 11 Update KB5055523: Unexplained inetpub Folder Emerges

The inetpub folder that recently appeared on Windows 11 systems following the April 2025 cumulative updates has sparked considerable intrigue and concern among users and IT professionals alike. While traditionally associated with Internet Information Services (IIS) — Microsoft's web server platform — this seemingly empty directory now serves a critical but covert role in Windows security architecture. Understanding its emergence, purpose, the security risks involved, and how users should respond is crucial in the evolving landscape of Windows update management.

The Emergence of the inetpub Folder​

Prior to this update, inetpub typically only existed on machines where IIS was explicitly installed and active, serving as the home directory for website files, logs, and associated web resources. However, starting with Windows 11 24H2's April 2025 update (including KB5055523), inetpub is automatically created on virtually all systems, whether IIS is enabled or not. Its presence is minimal—usually empty and consuming negligible disk space—yet it is neither a bug nor a forgotten remnant but a deliberate security measure integrated by Microsoft.

The Security Vulnerability Behind inetpub​

The root cause of this change stems from a serious vulnerability identified as CVE-2025-21204. This vulnerability exposes Windows systems to manipulation via symbolic links (often called symlinks)—file system objects that point to another file or directory and act as shortcuts. The flaw involves improper handling or resolution of symbolic links by the Windows Update system, which could allow a local attacker (that is, someone with physical or user-level access to the machine) to redirect system operations to unauthorized files or directories, potentially enabling elevation of privileges or tampering with critical system resources.
This vulnerability particularly affects the Windows Servicing Stack and Update processes, which run under the SYSTEM account and trust certain directories like inetpub for staging updates. When symbolic links are abused, these processes might inadvertently operate on malicious targets, opening doors to further exploitation.

The Role of the inetpub Folder in Microsoft’s Mitigation​

To counter this, Microsoft introduced the inetpub folder as part of the update strategy. The folder is created with strict system-level permissions, owned and controlled exclusively by SYSTEM and TrustedInstaller accounts. This arrangement ensures the folder acts as a hardened container or "secure zone" for update operations. By existing as a fixed, correctly permissioned directory, inetpub helps prevent attackers from substituting it with malicious symbolic links or directory junctions that could potentially misdirect the update process.
In essence, the inetpub directory acts as a decoy or placeholder that helps validate and constrain update staging paths, drastically reducing the avenue for symbolic link based tampering.

How the Vulnerability Can Still Be Exploited​

Despite this mitigation, researchers such as Kevin Beaumont have demonstrated that the inetpub folder itself can be manipulated in a way that undermines the intended protection. Non-administrative users, surprisingly, can craft directory junctions (a type of symbolic link) to redirect the inetpub folder path to alternate system files, such as Notepad.exe or others, using a simple command like:
mklink /J C:\inetpub C:\Windows\System32\notepad.exe
Because the Windows servicing process running as SYSTEM trusts the inetpub folder without verifying if it is a reparse point (junction) or checking ownership, this redirection causes the update process to fail, roll back, or behave unpredictably. This leads to Windows Updates breaking silently, with vague error messages confusing even seasoned administrators. The ease of this exploit—requiring no administrative privileges—makes it especially concerning.

Microsoft’s Silence and the Current Mitigation Workaround​

Microsoft has, as of yet, offered no official fix or acknowledgment specific to this follow-up vulnerability. The company’s silence leaves users and system administrators vulnerable to potential local attacks that might sabotage update mechanisms.
However, a practical workaround exists: tightening permissions on the inetpub folder to prevent any user except SYSTEM and TrustedInstaller from altering its contents or replacing it with junctions. This involves:

• Navigating to the C:\inetpub folder properties.
• Disabling inheritance and removing all inherited permissions.
• Explicitly granting full control to SYSTEM and TrustedInstaller accounts only.
• Removing permissions for any other users, including administrators.

This setup blocks non-system processes (and even admins unintentionally) from creating junctions or modifying the inetpub directory, preserving Windows Update functionality and security integrity in the interim.
Should administrators need to revert changes, they can re-enable inheritance and delete the manual permission entries, restoring the original state.

Risks of Deleting inetpub and Recovery Steps​

A common misconception among users dismayed by the presence of this empty folder is that it can be safely deleted to "clean up" their system drives. Microsoft strongly advises against this.
Removing inetpub not only defeats the security fix but also exposes the system to re-exploitation of the original CVE-2025-21204 vulnerability. Without the folder’s presence and proper permissions, the update stack loses a foundational safeguard.
If users have deleted inetpub, restoring it can be done by temporarily enabling IIS via the "Turn Windows Features On or Off" dialog in the Control Panel. Enabling IIS recreates inetpub with requisite permissions. IIS can then be disabled without removing the folder, maintaining the security fix intact. Alternatively, reinstalling the latest cumulative update will restore the folder automatically.

Broader Implications and Lessons Learned​

The inetpub story exemplifies the intricate balance Microsoft must manage between security, usability, and system cleanliness. It highlights how layered defenses, even those involving seemingly innocuous empty directories, are vital in modern OS security.
However, it also underscores recurring challenges in Windows security patching philosophy:

• Complexity and Opacity: Security fixes may involve obscure components that confuse users and administrators, especially when changes are not clearly communicated.
• Partial Fixes and New Vulnerabilities: Patchwork solutions sometimes introduce new attack surfaces, requiring further mitigations.
• User Education and Communication: Informing users effectively about such changes is critical to prevent missteps that could weaken security.

For IT professionals, this is a case study in vigilance—reviewing update notes carefully, testing changes, and preparing to apply manual fixes or permissions hardening as necessary.

Conclusion​

The inetpub folder that quietly appeared on Windows 11 systems as part of the April 2025 update is far from a redundant or harmless curiosity. It represents an innovative, if imperfect, security mechanism designed to thwart sophisticated local attacks targeting Windows Update. Yet, the fact that its presence and structure can be subverted with basic user commands reveals the ongoing cat-and-mouse nature of system security.
Until Microsoft issues a permanent patch, users and admins should adopt the recommended permissions restrictions to safeguard this folder. Furthermore, resist the urge to delete inetpub, even if it seems unnecessary from a casual perspective. Understanding and respecting such subtle elements in the operating system is integral to maintaining a secure and reliable Windows environment as threats and defenses evolve.
This episode also serves as a reminder that in the realm of cybersecurity, sometimes the most innocuous files and folders are silent sentinels guarding the system's integrity.

---

References:

• The vulnerability CVE-2025-21204 and the role of the inetpub folder in mitigation.
• Details of symbolic link exploitation and directory junction manipulation related to inetpub.
• Microsoft’s advice against deleting inetpub and how to restore it.
• The practical permission hardening solution to prevent junction exploitation.
• Community and expert analyses highlighting the ongoing risks and mitigation strategies.

These insights come from comprehensive community discussions and expert analysis on Windows update security, including detailed reports by security researcher Kevin Beaumont and reputable technology publications.

---

Source: Windows 11's New Inetpub Folder is Hackable. Try This Temporary Fix - Make Tech Easier

The recent introduction of the inetpub folder on Windows 11 systems, especially following the April 2025 cumulative update, has sparked significant discussion and concern within the Windows community. While the folder's appearance may seem innocuous—or even suspicious at first sight—its presence is deeply tied to a critical Windows security strategy aimed at mitigating a severe vulnerability. However, this solution has, paradoxically, introduced its own security challenges, which users and administrators need to understand and manage.

The Inetpub Folder: A Security Patch in Disguise​

Traditionally, the inetpub folder is a well-known directory used by Microsoft's Internet Information Services (IIS) web server. It houses web content, logs, scripts, and other resources necessary for hosting web services on Windows servers. Its presence on personal or corporate machines that do not run IIS has historically been unusual.
With the April 2025 update to Windows 11, Microsoft began automatically creating an empty inetpub folder on every system drive. This move aligns with patching a serious vulnerability identified as CVE-2025-21204. The vulnerability involved symbolic link (symlink) manipulation within the Windows Update servicing stack. Symlinks are filesystem objects that point to other files or folders, and improper handling can lead to misdirection or unauthorized file modification. The exploit could be used by an attacker with local access—without requiring admin privileges—to manipulate system files or disrupt Windows Updates.
By pre-emptively creating this inetpub folder, Microsoft aimed to establish a controlled and secured location that the Windows servicing stack could trust and reliably interact with, effectively acting as a hardened container to defend against exploit scenarios that abuse missing or improperly secured directories.
Microsoft’s official stance, communicated after initial user confusion, is clear: do not delete the inetpub folder. Even though it is empty and seemingly unused, the folder serves as an integral part of the patch’s defense mechanism, and removing it undermines the security patch’s integrity. If deleted, the patch becomes ineffective, leaving the system vulnerable to attacks leveraging symbolic link misdirection .

The Unexpected Vulnerability: Directory Junction Hijacking​

Security researcher Kevin Beaumont exposed the irony of this patch: while the inetpub folder was introduced to close a loophole, its very presence is now susceptible to a different form of attack. Because the Windows servicing stack runs under the SYSTEM account and treats C:\inetpub as safe, it does not validate or check for reparse points like directory junctions crafted by lower-privileged users.
A non-admin user with physical or remote access to the machine can easily replace the inetpub directory with a directory junction—a special kind of symlink—that redirects C:\inetpub to another file or location, for example, pointing to Notepad.exe. This manipulation causes Windows Update to target an incorrect location when staging updates, leading to update failures or rollbacks. Such an exploit does not require administrator rights, lowering the bar considerably for potential attackers.
This bypass arises because the servicing stack does not check the ownership or the nature of the directory junction before attempting file staging, rendering Windows Update vulnerable to denial-of-service by blocking patch installation or system updates until the junction is corrected. The manifestations typically include confusing and cryptic Windows Update errors, which can perplex even experienced system administrators and lengthen troubleshooting times .

Mitigating the Vulnerability: Locking Down inetpub Folder Permissions​

Until Microsoft addresses this vulnerability with a more robust fix, users and IT administrators must take proactive steps to safeguard systems from attack via the inetpub directory junction exploit.
The key to mitigation is restricting write and delete permissions on the inetpub folder, preventing unprivileged users from modifying or replacing it with a junction. This is done by altering folder permissions such that only the SYSTEM and TrustedInstaller accounts retain full control, blocking all other user accounts—including administrators—from making junctions or deletions.
The recommended protection steps are:

• Right-click the inetpub folder (usually at C:\inetpub), select Properties.
• Navigate to the Security tab, then click Advanced.
• Click Disable inheritance and then select Remove all inherited permissions.
• Add permissions explicitly for SYSTEM and NT SERVICE\TrustedInstaller, granting them Full Control.
• Confirm and apply all changes.

After this permission tightening, any standard or non-system process attempting to create a junction or modify inetpub will be blocked with a permissions denied error. Windows Update processes running as SYSTEM or TrustedInstaller will still function correctly, maintaining update reliability.
In case Windows Update starts experiencing errors after these changes, resetting the Windows Update components may help. And if the mitigation needs to be reverted, re-enabling inheritance on the inetpub folder permissions will restore original settings .

Restoring the inetpub Folder If Deleted​

Some users, either out of curiosity or cleanup habits, may have deleted the inetpub folder, potentially compromising their system’s security patch. Fortunately, restoring the folder is straightforward:

• Open Control Panel, navigate to Programs and Features.
• Select “Turn Windows features on or off.”
• Enable Internet Information Services (IIS), which will recreate the inetpub folder with correct permissions.
• Afterward, IIS can be disabled if not needed, but the folder should not be deleted.

Alternatively, uninstalling and reinstalling the relevant Windows security update will also restore the inetpub folder as part of the patch installation process.
Manual recreation of the folder is possible but fraught with risk unless the creator understands proper permission settings and security contexts, so it's not generally recommended for average users or administrators unfamiliar with security configurations .

Broader Reflections on Windows Security Patch Practices​

The inetpub folder saga highlights some ongoing challenges in Windows security patching:

• Security by Structural Obscurity? Microsoft’s creation of an inert folder as a protective measure veers into defensive design pattern territory, intended to prevent certain classes of exploits by creating a controlled environment. However, this approach can result in unforeseen side-effects or new attack vectors.
• Communication and Transparency: The sudden appearance of a seemingly useless folder triggered confusion and unwise actions by users. Clearer explanations from Microsoft about such changes, particularly in patch notes and update advisories, could mitigate misunderstanding and reinforce best practices.
• Permission Handling and System Trust: The servicing stack’s implicit trust in specific system folders without verifying reparse point ownership or link types reveals a gap in Windows security architecture that could be further hardened.
• User Privilege Management: The ability of non-admin users to manipulate system folder junctions is a reminder that permissions management remains critical, and that even restricted user accounts can represent security risks.

This case is a microcosm of the complex balance between innovation, security, usability, and maintainability that modern OS architects must manage.

Practical Advice for Windows Users and Administrators​

For the everyday user or IT professional, the following best practices apply:

• Do Not Delete the inetpub Folder: Resist any urge to delete the folder, regardless of whether IIS is in use.
• Apply the Official Updates: Ensure all Windows Updates are installed promptly to receive the latest fixes and mitigations.
• Restrict Permissions on inetpub: Implement the folder permission lockdown to mitigate the directory junction vulnerability.
• Educate Users and Teams: In corporate environments, communicate why the folder exists and caution against tampering to avoid accidental deletions or exploit exposure.
• Monitor for Update Errors: If Windows Update fails after permission changes, reset Windows Update components and verify permission configurations before seeking further remedies.
• Stay Informed: Regularly check trusted sources and Microsoft advisories for updates to this evolving issue.

By following these guidelines, users can maintain the intended protection this folder offers and avoid becoming collateral damage in a security patch gone problematic.

---

The inetpub folder is a fascinating example of how Windows security updates operate beneath the surface—sometimes in ways that might seem unexpected or strange—but are vital in defending systems against nuanced and sophisticated attacks. Though it has introduced a new security wrinkle itself, understanding and managing this folder's role is essential in keeping modern Windows PCs safe from threats exploiting symbolic link misuse.
Until Microsoft issues a formal fix, the mitigation described here serves as a pragmatically effective interim safeguard for users to protect their Windows update mechanism and preserve system security integrity.

---

Source: Windows 11's New Inetpub Folder is Hackable. Try This Temporary Fix - Make Tech Easier

The appearance of the "inetpub" folder on Windows 11 systems after the April 2025 cumulative update has stirred considerable attention and confusion among users and IT professionals alike. While many might perceive this empty folder as unnecessary clutter and consider deleting it, understanding the background and security implications reveals a far more critical role. This article explores the origins of the inetpub folder in recent Windows updates, explains its role as a security mechanism, outlines how this feature can be exploited, and offers practical advice on how to safeguard systems until Microsoft provides a more permanent fix.

The Origin and Purpose of the Inetpub Folder​

Traditionally, the "inetpub" directory is associated with Microsoft's Internet Information Services (IIS), a web server platform that uses this folder to store website files, logs, and scripts. Under normal circumstances, inetpub appears only when IIS is installed and enabled. However, after the April 2025 Patch Tuesday updates (e.g., KB5055523), Windows 11 and even Windows 10 systems began automatically creating this seemingly empty folder at the root of the system drive (usually C:\inetpub), irrespective of IIS installation. This unusual behavior instantly raised questions and skepticism regarding its necessity and purpose.
Microsoft clarified that the creation of the inetpub folder is deliberate and integral to a broad security patch designed to address a specific vulnerability tracked as CVE-2025-21204. This security flaw involves the improper handling of symbolic links or junction points by the Windows Update servicing stack, which could allow local attackers to manipulate file access, potentially causing privilege escalation or interfering with Windows Update processes. By instituting the inetpub folder with strict system permissions, Microsoft aimed to create a controlled environment to defend against these exploit techniques.
In essence, the inetpub folder is a protective “container” or “decoy” that prevents attackers from redirecting Windows Update operations to malicious targets, thereby preserving the integrity of system updates and patch cycles. Removing or deleting this folder could disable this security safeguard, leaving systems vulnerable to exploitation.

How the Inetpub Folder is Exploitable​

Security researcher Kevin Beaumont brought to light a concerning exploit related to this folder’s presence. Although the inetpub folder’s existence is meant to seal off certain vulnerabilities, in practice it can be manipulated by users without administrator privileges. The attack involves replacing the folder with a directory junction (a special kind of symbolic link in Windows) that redirects any access attempts to another file or directory.
For example, a local user can execute a simple command like:
mklink /J C:\inetpub C:\Windows\System32\Notepad.exe
This replaces the inetpub folder with a junction pointing to Notepad.exe (or any other file). The servicing stack, which runs with SYSTEM privileges and inherently trusts the inetpub folder, does not validate the junction. Consequently, when Windows Update tries to stage files or perform update operations there, it hits the incorrect target, causing update failures or rollbacks.
This exploit is particularly alarming because no administrator privileges are required; any user with standard access can trigger it. The vulnerability poses risks especially in environments where machines are shared, or where an unauthorized local user could deliberately disrupt a system’s update cycle—potentially impacting security compliance, allowing persistent unpatched vulnerabilities, and compromising system integrity.

Microsoft’s Current Silence and Interim Defensive Measures​

As of now, Microsoft has not publicly released a definitive fix for this specific attack vector beyond creating the inetpub folder as part of the April 2025 update. There is an acknowledged gap: while the folder’s presence mitigates the original CVE-2025-21204 risk, it inadvertently opens a low-barrier junction-based exploit attack surface.
To protect systems until Microsoft rolls out a more comprehensive patch, users and administrators can take proactive defensive steps by hardening the permissions on the inetpub folder:

• Navigate to the C:\inetpub folder.
• Right-click the folder, select Properties, then choose the Security tab.
• Click Advanced to open Advanced Security Settings.
• Click Disable inheritance and select Remove all inherited permissions.
• Manually add two principals, SYSTEM and NT SERVICE\TrustedInstaller, granting both Full control permissions.
• Remove all other user or group permissions.

By doing so, you effectively prevent any non-system entities, including non-admin users, from manipulating or deleting the inetpub folder or creating junctions in its place. This ensures Windows Update retains uninterrupted access to the folder and can operate securely.
If these changes ever need to be rolled back (for example, to troubleshoot update failures), re-enable inheritance in the folder’s security settings to revert permissions.

The Importance of Preserving the Inetpub Folder​

A common misconception is that deleting the inetpub folder is harmless since it appears empty and IIS (its usual user) is often not installed or enabled on many personal or enterprise machines. However, this would strip away a vital layer of defense against symbolic link exploitation in the Windows update mechanism.
Removing this folder disables the protective environment that helps prevent unauthorized redirection of update files and processes. If deleted accidentally, restoration involves either:

• Enabling IIS temporarily via the Windows Features control panel, which recreates the folder with correct permissions.
• Uninstalling and reinstalling the relevant Windows update that introduced the folder.

Broader Implications for Windows Security and IT Management​

The inetpub folder scenario is emblematic of the complexities in modern Windows security. It illustrates how security patches increasingly rely on system architecture hardening—sometimes using legacy components in unconventional ways—creating a layered defense system.
However, it also reveals challenges such as:

• Potential for security “whack-a-mole” where initial patches introduce new vulnerabilities requiring quick interim fixes.
• The dilemmas inherent in balancing transparent communication with end users and the need to rapidly deploy complex mitigations.
• The low barrier of privilege needed for local attacks, underscoring the critical need for strict user permissions policies.

For IT administrators, the lesson is clear:

• Continuously monitor unusual folder permissions or junction points in critical system locations.
• Reduce non-admin user permissions that allow the creation of directory junctions in sensitive directories.
• Educate users about the importance of system folders that may appear redundant but serve security roles.
• Keep systems fully patched while watching for Microsoft's follow-up fixes addressing the inetpub exploit vector.

Conclusion​

The inetpub folder that now appears on every Windows 11 system after recent updates is not a bug or useless remnant—it is a carefully intended piece of a sophisticated security mechanism designed to neutralize a subtle but serious vulnerability in Windows Update operations. Nevertheless, the folder inadvertently introduces an exploitable attack vector via junction point substitution that any local user can manipulate without administrative access.
Until Microsoft releases an official fix, system administrators and empowered users should proactively restrict permissions on the inetpub folder, preserving update integrity and thwarting attempts to sabotage patching efforts. Avoid deleting the folder under any circumstances, and if removed, restore it promptly via IIS re-enablement or update reinstallation.
This episode highlights the ongoing evolution and complexity of Windows security engineering, where even an empty folder can be a silent sentinel standing guard against emerging threats.

---

References:

• Security researcher Kevin Beaumont's findings on the exploit and its impact.
• Microsoft’s official stance on not deleting the inetpub folder and restoration procedures.
• Discussions and community analyses on Windows update strategies and folder security from WindowsForum and tech news sources.

This analysis draws on extensive community and expert commentary to provide a comprehensive understanding of the inetpub folder’s role and risks as observed in recent Windows 11 update cycles .

---

Source: Windows 11's New Inetpub Folder is Hackable. Try This Temporary Fix - Make Tech Easier

The recent emergence of the "inetpub" folder on Windows 11 systems following the April 2025 update has sparked considerable discussion and curiosity among both casual users and IT professionals. While at first glance this folder might seem like an unnecessary artifact, an empty directory occupying minimal disk space, a deeper dive reveals it is a strategic component of a critical security patch addressing a significant Windows vulnerability.

The Background and Security Context​

The "inetpub" folder has traditionally been associated with Internet Information Services (IIS), Microsoft's web server software. Typically, this folder appears only when IIS is installed and enabled, serving as the root directory for web content, logs, and scripts related to IIS web hosting. However, many Windows 11 users—and even Windows 10 users—noticed this empty folder appearing on their system drive, generally C:, even when they had never installed IIS or engaged in any web hosting activities.
This phenomenon is directly attributed to Microsoft's April 2025 cumulative update (such as KB5055523 for Windows 11 24H2), which introduced the folder deliberately as part of a security enhancement. The update aimed to address a vulnerability identified as CVE-2025-21204—a flaw involving improper handling of symbolic links (symlinks) within the Windows Update stack.
Symbolic links are filesystem objects that act as references or shortcuts to other files or directories. The vulnerability allowed local attackers to exploit symbolic link resolution flaws to gain unauthorized access or to elevate privileges by manipulating file operations. This could potentially let malicious actors misuse the system by redirecting file accesses to unauthorized folders or files.

Why "inetpub" and How Does the Folder Help?​

Microsoft's approach to mitigating the exploit associated with CVE-2025-21204 involved creating the "inetpub" directory as a hardened container with carefully restricted permissions. By introducing this folder into the root of the system drive as a well-known and controlled environment, Microsoft can better manage how symbolic links are resolved during system processes.
The "inetpub" folder acts like a security buffer zone or "safe zone," with strict read-only access that prevents unauthorized manipulations related to symbolic links. Through this mechanism, Windows reduces the risk that symbolic link exploits could redirect critical file operations to sensitive system areas.
Choosing a historically recognized directory like "inetpub," although initially puzzling to many, leverages an existing filesystem convention familiar to the operating system—which helps ensure the control mechanisms work reliably. This folder is essentially an inert placeholder aiding in the sophisticated defense against privilege escalation attacks without actively hosting services or consuming user resources.

User Reactions and the Risks of Deletion​

Understandably, the sudden appearance of an empty "inetpub" folder has led some users to question its origin and purpose. Some attempted to delete the folder, considering it unnecessary clutter. Yet, Microsoft has issued explicit guidance warning users not to remove this folder. Doing so would effectively dismantle the security layer established by the April 2025 update, potentially leaving systems exposed to the very vulnerability the patch was designed to block.
While deleting the folder may not immediately disrupt system performance or cause operational instabilities, it compromises the integrity of the security patch. Without the folder, Windows cannot enforce the intended protective controls on symbolic link handling. This scenario poses a greater risk especially in shared environments such as corporate offices or public labs, where multiple users and varying levels of physical access exist.

How to Restore the "inetpub" Folder​

For users or administrators who have already deleted the folder, Microsoft provides a straightforward restoration method:

• Open the Windows Control Panel and navigate to "Programs and Features."
• Click the option to "Turn Windows features on or off."
• Locate "Internet Information Services" (IIS) in the list and enable it by checking its box.
• Confirm and allow Windows to recreate the "inetpub" folder automatically with the correct permissions.
• After the folder is restored, IIS can be disabled if it is not needed, without deleting the folder.

Alternatively, uninstalling and reinstalling the related Windows security update will also reinstate the folder, ensuring that the patch functions as intended.

Broader Implications for Windows Security and Update Management​

The case of the "inetpub" folder exemplifies a trend in modern operating system security where subtle, behind-the-scenes structural changes are made to enhance system defenses. These changes may initially confuse users or seem extraneous but serve critical protective functions.
Microsoft’s approach in this instance reflects a “security-by-design” philosophy: sometimes, improving security involves augmenting low-level system architecture with carefully controlled artifacts, even if they appear pointless on the surface.
This situation also highlights important lessons for users and IT pros:

• Resist the urge to delete or modify unfamiliar system files or folders introduced by updates without first understanding their role.
• Keep systems updated with the latest patches, since cumulative updates may include layered security measures not always fully detailed in release notes.
• Maintain awareness through official Microsoft communications and trusted community forums to clarify new update behaviors.
• For enterprise IT teams, communicate clear guidelines about such updates and their implications to end users to avoid accidental compromises.

The Emerging Challenge with Junction Point Exploits​

An unexpected dimension related to this patch strategy concerns a feature of Windows known as "junction points," a type of symbolic link. Security researchers have found that non-administrative users can create junction points at system locations like C:\ that masquerade as the “inetpub” folder, redirecting the system away from the real folder.
This redirection can interfere with the update’s ability to recreate or patch the folder, potentially blocking future updates or creating a patch installation deadlock. Such scenarios add complexity to managing Windows security and underline the challenges of balancing usability and protection in multi-user environments.

Final Thoughts​

The introduction of the empty "inetpub" folder in Windows 11 and Windows 10 systems, triggered by the April 2025 security update, is a subtle but critical security measure safeguarding the system against a nuanced symbolic link vulnerability. While the folder’s existence might seem jarring to those unacquainted with the underlying reasons, its role as a protective mechanism underscores the sophistication of modern cybersecurity strategies embedded in routine Windows updates.
Users are strongly advised not to delete the folder and should follow official restoration procedures if it is accidentally removed. IT administrators should incorporate awareness of these update behaviors into their patch management policies and inform users accordingly.
Ultimately, this episode reflects a broader trend where even the smallest components of an operating system—like an empty system folder—can play outsized roles in the overall security posture of Windows devices.

---

---

Source: Microsoft: Don't delete inetpub folder created from the April 2025 update, it's required

The recently introduced "inetpub" folder in Windows 11 is a prime example of how modern operating system security solutions can sometimes introduce new challenges even as they attempt to patch critical vulnerabilities. Originating as a deliberate security measure in the April 2025 cumulative Windows 11 update, the inetpub folder’s unexpected emergence on every system drive has stirred an active debate within the Windows community and cybersecurity circles.

The Origin and Purpose of the inetpub Folder​

Traditionally, the "inetpub" directory is the default location for Internet Information Services (IIS) content, a web server component often used for hosting websites and applications on Windows systems. Typically, this folder appears only when IIS is explicitly enabled. However, the April 2025 patch introduced it system-wide, regardless of IIS usage.
This was not an accidental leftover or a dormant web service installer, but a hardened container designed to mitigate a significant security vulnerability designated CVE-2025-21204. This flaw involved improper handling of symbolic links (symlinks) by the Windows Update process, which could be exploited by local attackers to redirect system operations to unauthorized locations. By creating a controlled and secure directory—inetpub—Microsoft aimed to prevent exploitation via manipulated directory junctions or symlinks during update staging. The folder acts as a trusted container to safeguard the update process and other critical system operations from being hijacked by malicious symlinks.
Microsoft explicitly warned users not to delete this folder, as removing it can disable or circumvent the protective measures embedded in the update. If deleted, it risks re-exposing the system to privilege escalation and update integrity vulnerabilities. Should the folder be accidentally removed, Microsoft advises users to re-enable IIS via the Windows Features dialog or reinstall the update to restore the directory and its permissions properly .

How the inetpub Folder Becomes a Security Vulnerability​

Ironically, while the inetpub folder addresses one exploit, it inadvertently opens the door to another. Security researcher Kevin Beaumont uncovered a novel local privilege exploit based on the ability to replace the inetpub folder with a directory junction (a type of symlink) pointing to any arbitrary file, such as Notepad.exe. This manipulation does not require administrator privileges and can be performed by any local user with basic command-line knowledge.
The root cause lies in how the Windows Servicing Stack (which handles updates) treats the folder. It runs as the SYSTEM account and assumes the inetpub folder is safe—trusting it as a normal directory without verifying whether the folder is a symlink or junction. This oversight allows an attacker to substitute the folder with a junction pointing elsewhere, causing Windows Update to fail or roll back due to the apparent absence or redirection of the staging directory.
As a result, the update process is disrupted, leaving the system vulnerable by blocking security patches and potentially enabling denial of service or further exploitation. Critically, the exploit involves no elevated privileges, making it trivial for a non-admin user to sabotage security updates simply by issuing one command (e.g., mklink /J C:\inetpub C:\Windows\System32\notepad.exe) .

Mitigation: A Manual Fix Pending Microsoft’s Response​

Microsoft has remained publicly silent regarding this new vulnerability and has yet to release a patch that permanently closes this loophole. Consequently, experts recommend a temporary but effective mitigation approach that leverages NTFS permissions.
By restricting write and delete permissions on the inetpub folder to only SYSTEM and TrustedInstaller accounts, all other user accounts—including administrators—are prevented from modifying or replacing the folder. This defense is established by disabling inheritance of permissions on the folder, removing all user-level access rights, and then explicitly granting full control to SYSTEM and TrustedInstaller. This permission lockdown blocks the creation or replacement of the directory junction, breaking the attack vector while allowing Windows Update processes to function unhindered.
The implementation is straightforward via the folder's Security Properties advanced settings: disable inheritance, remove inherited permissions, then add SYSTEM and TrustedInstaller with full control. Users can revert these changes by re-enabling inheritance if needed. This manual fix significantly reduces the exploitation risk until Microsoft issues a proper update to address the vulnerability at its root.
If users experience Windows Update errors after applying these permission changes, resetting Windows update components and reapplying permissions typically resolves such issues. Still, the best long-term strategy is to await an official patch that corrects the servicing stack’s symlink verification and handling constructs to prevent this attack vector from the inside .

The Broader Security and Usability Implications​

The inetpub saga illustrates classic challenges in OS security design, particularly the recurring pattern where quick fixes or patches create new unforeseen issues requiring further intervention. Microsoft’s choice to introduce a system-wide directory historically meant for IIS as a security ‘container’ is a clever yet imperfect step that reflects current complexities in defending modern, multi-faceted operating systems.
From an architectural perspective, the servicing stack’s elevated privileges necessitate meticulous validation of the filesystem state before performing sensitive operations. The failure to detect and block directory junctions or symlink attacks points to gaps in design assumptions, possibly prioritizing backward compatibility or performance over security validation checks. This incident speaks to the broader question of balancing usability, legacy system support, and security rigor in Windows’ patching mechanisms.
Moreover, the attack's low bar—requiring no admin privileges—raises concerns, especially in environments with multiple local users such as corporate, educational, or shared computers. Even unsophisticated users or threat actors with physical or remote local access can disrupt patching cycles, potentially exposing systems to further exploits or malware.
On the positive side, the possibility of a relatively simple permissions hardening approach to mitigate risks offers hope for practical interim defenses. Still, the recurring need for manual fixes signals a systemic challenge in Microsoft’s update infrastructure, where patching “symptoms” occurs before “root causes” are fully resolved. This issue also stresses the ongoing importance of educating users and system administrators to avoid deleting or tampering with newly introduced system components, even if they appear empty or unfamiliar.
The community’s reaction underscores discomfort with hidden or unexplained system changes introduced via updates, reminding vendors of the value of transparent communication and detailed release notes to improve user trust and reduce alarm.

Best Practices to Protect Your PC​

• Never delete the inetpub folder: Despite it seeming empty or unnecessary, this folder plays a critical role in current Windows security mechanisms. Removing it undermines vital protections.
• Apply recommended permission lockdowns: Restrict the inetpub folder’s write/delete permissions to SYSTEM and TrustedInstaller only. This blocks non-admin users from replacing the folder with malicious junctions.
• Stay updated on patch info: Monitor Microsoft’s official communications regarding upcoming fixes or modifications related to this issue.
• Restore the folder if deleted: Reactivate IIS through Windows Features or reinstall the relevant cumulative update to recreate the inetpub folder with proper permissions.
• Reset Windows Update components if updates fail: After permissions changes, reinitializing update services can fix potential errors.
• Educate users in shared environments: Inform multiple local users about this folder’s purpose, emphasizing its security importance and the risks of tampering.

Conclusion​

The inetpub folder in Windows 11 serves as a quiet yet crucial sentinel in Microsoft’s defense against local symbolic link exploits targeting the update stack. While the folder’s creation embodies a thoughtful security strategy, the accompanying vulnerability it unintentionally allows reveals the complexities and trade-offs inherent in modern OS protection schemes.
Until an official resolution arrives, users and administrators must balance cautious respect for this folder with prudent permission adjustments to safeguard update integrity. This ongoing episode highlights the dynamic and sometimes paradoxical nature of cybersecurity—where patches are both shields and potential gateways, and vigilance means not only installing updates but understanding their hidden depths.
In the evolving terrain of Windows security, even an empty directory like inetpub can mean the difference between resilience and risk.

---

References:

• Microsoft’s inetpub folder introduction and security advisory of CVE-2025-21204
• Security researcher Kevin Beaumont’s demonstration of inetpub folder exploit and mitigation guidance
• User recommended permissions lockdown to disable directory junction attacks on inetpub folder

---

Source: Windows 11's New Inetpub Folder is Hackable. Try This Temporary Fix - Make Tech Easier