The seemingly innocuous "inetpub" folder, recently introduced across Windows 11 systems as part of the April 2025 cumulative update, has quickly evolved from a quiet background fixture to a focal point of security discussion and user concern. Although empty, this folder represents a new layer in Microsoft’s defensive strategy against sophisticated attack vectors targeting the Windows Update process. However, the introduction of this folder has inadvertently opened a subtle but significant security loophole, underscoring the complexity and ongoing challenges of maintaining system integrity in modern operating systems.
Traditionally, the inetpub folder has been associated with Microsoft’s Internet Information Services (IIS), serving as a web server root directory with subfolders for web content, logs, scripts, and administration. It typically only appears in environments where IIS is actively installed and used. However, starting with the 2025 Windows 11 update, Microsoft mandated the creation of an empty inetpub folder on every system drive, even if IIS is not installed or utilized.
This move forms part of a security patch to address a concrete and critical vulnerability (CVE-2025-21204) linked to improper symbolic link (symlink) handling in the Windows Update stack. Symbolic links are filesystem objects acting as references or shortcuts to other files or directories; if improperly validated, they enable attackers to redirect system operations to malicious locations, bypassing permissions and escalating privileges.
In effect, the inetpub folder is intended as a hardened, controlled "container" or "safe zone" with carefully restricted permissions to prevent symlink misdirection during update processes. It represents a novel approach: rather than patching individual code defects, Microsoft has augmented its file system structure and permissions to preemptively block attack paths that exploit filesystem behavior. The zero-byte folder serves as a decoy or anchor point, ensuring that Windows Update’s servicing stack runs with confidence that the targeted directory is trustworthy and inaccessible to unauthorized manipulations.
Microsoft has explicitly advised users not to delete this folder, as its absence undermines this new security mechanism, potentially reopening the door to privilege escalation attacks. If removed accidentally, Microsoft recommends restoring it by temporarily enabling IIS via Windows Features or reinstalling the relevant update to reinstate the protective configuration.
Security researcher Kevin Beaumont identified a method whereby any local user—without needing administrative privileges—can replace the inetpub folder with a directory junction (junction point), a special kind of symlink that redirects filesystem access. By running a simple command such as:
a user effectively "replaces" the folder with a pointer to another file, here Notepad.exe. Since the Windows Servicing Stack runs as SYSTEM and treats
The exploit is potent precisely because it requires no admin rights and can be performed by any local user with write/delete permissions on the root drive—something that might not be tightly controlled on many machines, particularly shared or corporate environments.
The vulnerability arises from Windows servicing components lacking robust checks for reparse points (junctions/symlinks) and ownership/permission verification on the inetpub folder. As such, the defense Microsoft built inadvertently introduces a new attack surface for denial-of-service (DoS) attacks against system updating, potentially leaving systems unpatched and vulnerable to further exploits.
The crux of this mitigation is revoking all write and delete permissions from regular users and administrators while preserving full control for SYSTEM and TrustedInstaller, the essential Windows system accounts responsible for servicing and updates. This prevents unauthorized reconfiguration of the folder into a junction point.
The steps to accomplish this include:
In case users face Windows Update failures, they should reset Windows Update components and confirm these permissions before further troubleshooting.
Microsoft’s decision to create an inert folder unrelated to active services as a security anchor is an example of security-by-design—augmenting system structure to limit exploit opportunities. However, requiring careful file system permissions and trusting opaque assumptions about folder integrity exposes the system to novel attacks when those assumptions fail.
Furthermore, the fact that non-administrative users can undermine security-related folder configurations underlines the importance of robust permission models and thorough validation within high-privilege processes like Windows Update.
The lack of official public commentary or immediate patches from Microsoft addressing the junction point vulnerability has left many users reliant on manual workarounds, revealing a gap between rapid threat discovery and vendor response.
Additionally, the inetpub folder debate highlights a challenge in communicating update nuances. Many users instinctively delete seemingly empty or unnecessary folders, inadvertently breaking security models. Better education and update notes transparency could reduce this friction.
Users must recognize that even an empty folder can be a critical piece of system defense and avoid tampering with such components. Meanwhile, administrators can safeguard their environments by applying strict access controls and maintaining update vigilance.
Ultimately, the inetpub folder episode serves as a cautionary tale of the evolving landscape of Windows security: every solution may sow new challenges, and robust security demands continuous adaptation, communication, and layered defense strategies.
This analysis draws on community and expert discussions revealing the inetpub folder’s dual role as both sentinel and potential attack vector, along with practical mitigation steps that balance security and operational stability .
Source: Windows 11's New Inetpub Folder is Hackable. Try This Temporary Fix - Make Tech Easier
The Inetpub Folder: Origins and Purpose
Traditionally, the inetpub folder has been associated with Microsoft’s Internet Information Services (IIS), serving as a web server root directory with subfolders for web content, logs, scripts, and administration. It typically only appears in environments where IIS is actively installed and used. However, starting with the 2025 Windows 11 update, Microsoft mandated the creation of an empty inetpub folder on every system drive, even if IIS is not installed or utilized.This move forms part of a security patch to address a concrete and critical vulnerability (CVE-2025-21204) linked to improper symbolic link (symlink) handling in the Windows Update stack. Symbolic links are filesystem objects acting as references or shortcuts to other files or directories; if improperly validated, they enable attackers to redirect system operations to malicious locations, bypassing permissions and escalating privileges.
In effect, the inetpub folder is intended as a hardened, controlled "container" or "safe zone" with carefully restricted permissions to prevent symlink misdirection during update processes. It represents a novel approach: rather than patching individual code defects, Microsoft has augmented its file system structure and permissions to preemptively block attack paths that exploit filesystem behavior. The zero-byte folder serves as a decoy or anchor point, ensuring that Windows Update’s servicing stack runs with confidence that the targeted directory is trustworthy and inaccessible to unauthorized manipulations.
Microsoft has explicitly advised users not to delete this folder, as its absence undermines this new security mechanism, potentially reopening the door to privilege escalation attacks. If removed accidentally, Microsoft recommends restoring it by temporarily enabling IIS via Windows Features or reinstalling the relevant update to reinstate the protective configuration.
Exploiting the Inetpub Folder: The Junction Point Vulnerability
While the folder aims to enhance security, an ironic twist emerges: low-level abuse of the inetpub folder itself can sabotage Windows Update operations.Security researcher Kevin Beaumont identified a method whereby any local user—without needing administrative privileges—can replace the inetpub folder with a directory junction (junction point), a special kind of symlink that redirects filesystem access. By running a simple command such as:
mklink /J C:\inetpub C:\Windows\System32\notepad.exea user effectively "replaces" the folder with a pointer to another file, here Notepad.exe. Since the Windows Servicing Stack runs as SYSTEM and treats
C:\inetpub as a trusted directory, it blindly follows this junction without validating that it points to a file rather than a proper folder. This leads to Windows Update failing or rolling back because its file staging or operations target an invalid or inappropriate location.The exploit is potent precisely because it requires no admin rights and can be performed by any local user with write/delete permissions on the root drive—something that might not be tightly controlled on many machines, particularly shared or corporate environments.
The vulnerability arises from Windows servicing components lacking robust checks for reparse points (junctions/symlinks) and ownership/permission verification on the inetpub folder. As such, the defense Microsoft built inadvertently introduces a new attack surface for denial-of-service (DoS) attacks against system updating, potentially leaving systems unpatched and vulnerable to further exploits.
Mitigations: Locking Down the Inetpub Folder Permissions
Until Microsoft releases a definitive patch addressing this junction point vulnerability, users and administrators can implement a manual fix by hardening the permissions of the inetpub folder.The crux of this mitigation is revoking all write and delete permissions from regular users and administrators while preserving full control for SYSTEM and TrustedInstaller, the essential Windows system accounts responsible for servicing and updates. This prevents unauthorized reconfiguration of the folder into a junction point.
The steps to accomplish this include:
- Navigating to
C:\inetpubin File Explorer. - Right-clicking the folder, selecting Properties, then the Security tab.
- Clicking Advanced, disabling inheritance, and removing all inherited permissions.
- Adding explicit permissions granting Full control only to SYSTEM and NT SERVICE\TrustedInstaller.
- Confirming and applying changes.
In case users face Windows Update failures, they should reset Windows Update components and confirm these permissions before further troubleshooting.
Broader Reflections on Windows Security Update Philosophy
The inetpub saga illustrates a recurring tension in Windows security: the balance between layered defense mechanisms and the complexity they introduce.Microsoft’s decision to create an inert folder unrelated to active services as a security anchor is an example of security-by-design—augmenting system structure to limit exploit opportunities. However, requiring careful file system permissions and trusting opaque assumptions about folder integrity exposes the system to novel attacks when those assumptions fail.
Furthermore, the fact that non-administrative users can undermine security-related folder configurations underlines the importance of robust permission models and thorough validation within high-privilege processes like Windows Update.
The lack of official public commentary or immediate patches from Microsoft addressing the junction point vulnerability has left many users reliant on manual workarounds, revealing a gap between rapid threat discovery and vendor response.
Additionally, the inetpub folder debate highlights a challenge in communicating update nuances. Many users instinctively delete seemingly empty or unnecessary folders, inadvertently breaking security models. Better education and update notes transparency could reduce this friction.
Practical Advice for Windows Users and Administrators
- Do not delete the inetpub folder even if IIS is not actively used.
- If deleted, restore inetpub by enabling IIS temporarily or reinstalling the relevant Windows update.
- Apply permission lockdown on
C:\inetpubto restrict write/delete access exclusively to SYSTEM and TrustedInstaller accounts. - Maintain regular, timely Windows updates to ensure latest security patches are applied.
- For IT administrators, communicate clearly with users about the purpose of new system folders introduced in updates to prevent accidental removals.
- Monitor official Microsoft channels for upcoming patches addressing this vulnerability.
Conclusion
The emergence of the inetpub folder on all Windows 11 systems represents Microsoft’s innovative, albeit imperfect, approach to preemptively counter critical privilege escalation vulnerabilities through structural system changes. While the folder plays a crucial role in reinforcing Windows Update security, the unintended writable junction exploitation it permits highlights ongoing challenges in securing complex, layered operating systems.Users must recognize that even an empty folder can be a critical piece of system defense and avoid tampering with such components. Meanwhile, administrators can safeguard their environments by applying strict access controls and maintaining update vigilance.
Ultimately, the inetpub folder episode serves as a cautionary tale of the evolving landscape of Windows security: every solution may sow new challenges, and robust security demands continuous adaptation, communication, and layered defense strategies.
This analysis draws on community and expert discussions revealing the inetpub folder’s dual role as both sentinel and potential attack vector, along with practical mitigation steps that balance security and operational stability .
Source: Windows 11's New Inetpub Folder is Hackable. Try This Temporary Fix - Make Tech Easier
