The inetpub folder, a seemingly innocuous directory newly appearing on Windows 11 systems following the April 2025 cumulative update, has sparked considerable debate and concern across the Windows user and IT administrator communities. Traditionally associated with Internet Information Services (IIS)—Microsoft’s web server software—the empty inetpub folder’s unexpected presence on machines without IIS installed is not an error or malware artifact, but a deliberately placed security measure by Microsoft. However, its introduction exposes a puzzling security paradox: a patch intended to enhance system defense inadvertently opened the door to a trivial attack vector that could disrupt Windows Update operations.
Beginning with the April 2025 cumulative update (including KB5055523 for Windows 11 24H2), Microsoft’s update process creates an empty inetpub folder in the root of the system drive (usually C:\inetpub) on every machine. This was a strategic move aimed at mitigating a critical vulnerability identified as CVE-2025-21204, which stemmed from Windows Update’s insecure resolution of symbolic links (symlinks). Before this patch, malicious local actors could exploit missing directories like inetpub to plant symbolic links, misleading Windows Update into unintentionally modifying or placing files in unauthorized locations. This risked privilege escalation and system integrity breaches.
The inode of the patch was to provide a fixed, system-controlled directory—inetpub—where Windows Update could safely stage its files without fear of redirection by symbolic link manipulation. This folder would have locked-down permissions and serve as a security “safe zone” protecting the servicing stack during updates, preventing attackers from inserting deceptive symlinks in this critical path.
Moreover, making inetpub a purposely empty, locked-down folder with controlled permissions means that the servicing stack can reliably work within a trusted environment. It acts as a “decoy” or containment area where symbolic link resolution can be safely controlled, closing gaps previously exploited by attackers relying on missing directory structures .
An attacker with local access—even without administrative privileges—could exploit absent directories by replacing them with junction points (a type of symbolic link) redirecting the servicing stack’s file operations to unintended targets. For example, a malicious user could replace the inetpub folder with a directory junction to a system executable like Notepad.exe. When Windows Update tried to stage files in inetpub, it would instead be redirected erroneously, causing update failures or rollbacks.
Security researcher Kevin Beaumont demonstrated how easily this could be accomplished by running a simple command without admin rights:
This command replaces the inetpub directory with a junction to Notepad. Since Windows Update’s servicing stack operates as SYSTEM and blindly treats the destination as trusted, it fails to check for symbolic link reparse points or validate ownership, leading to update process derailment. This exposes a bizarre but practical attack vector enabling non-privileged users to sabotage Windows Update — an ironic twist where a patch introduced a new vulnerability owing to a design oversight about symbolic link handling.
The lack of a direct fix leaves administrators and users in a holding pattern where cautious tweaks are necessary to minimize risk pending an official update. The vulnerability’s critical nature warrants urgent attention, given that local access, while a prerequisite, is often easier to obtain than privileged exploits, especially in shared, remote, or work-from-home scenarios common today .
To block any non-privileged processes (including administrators from using mklink /J on inetpub), users should:
If issues arise with Windows Updates after tightening permissions, resetting Windows Update components may help before reverting these permissions back. For restoration, simply re-enable inherited permissions and remove the manually added entries, reversing the lock-down.
This can expose the system to repeated symbolic link attacks, privilege escalations, or allow attackers to sabotage Windows Updates further. Microsoft explicitly warns against deleting the inetpub folder, stressing that the folder must remain intact for system security to be preserved.
If it has been deleted, users are advised to restore it by enabling IIS via the Windows Features panel, which recreates the inetpub folder with correct permissions. Alternatively, uninstalling and reinstalling the update or waiting for future cumulative patches can also restore it.
This unexpected necessity to preserve an empty “decoy” folder challenges user expectations about system tidiness and highlights the complex trade-offs in modern security design .
The entire incident underscores the need for stronger checks on symbolic links and ownership validation in system components running at SYSTEM privilege. Until Microsoft refines these core mechanisms, administrators must employ strategic workarounds like permission hardening and cautious monitoring of system directories.
Additionally, it raises concerns about how transparent and informative Microsoft is with users regarding security updates. Unexpected new folders and features, if not well documented, foster confusion and risky behaviors like accidental deletion or misconfiguration.
Finally, it reminds all users and IT professionals of the critical need to maintain robust system backups, stay informed on update advisories, and avoid impetuous “clean-up” actions that undermine invisible but vital security scaffolding .
Windows 11’s inetpub folder story highlights the often invisible complexity behind modern operating system security. What appears as an empty and innocuous folder is, in fact, a sentinel guarding against privileged elevation and file manipulation exploits. Yet, the pathway it offers for local, low-privilege attackers to disrupt updates serves as a cautionary tale about security patch side effects. Until Microsoft addresses this with a deeper security fix, users and administrators must be proactive stewards of their system permissions and update hygiene to keep Windows safe and reliable in an ever-evolving threat landscape.
References:
Source: Windows 11's New Inetpub Folder is Hackable. Try This Temporary Fix - Make Tech Easier
The Genesis of the Inetpub Folder in Windows 11
Beginning with the April 2025 cumulative update (including KB5055523 for Windows 11 24H2), Microsoft’s update process creates an empty inetpub folder in the root of the system drive (usually C:\inetpub) on every machine. This was a strategic move aimed at mitigating a critical vulnerability identified as CVE-2025-21204, which stemmed from Windows Update’s insecure resolution of symbolic links (symlinks). Before this patch, malicious local actors could exploit missing directories like inetpub to plant symbolic links, misleading Windows Update into unintentionally modifying or placing files in unauthorized locations. This risked privilege escalation and system integrity breaches.The inode of the patch was to provide a fixed, system-controlled directory—inetpub—where Windows Update could safely stage its files without fear of redirection by symbolic link manipulation. This folder would have locked-down permissions and serve as a security “safe zone” protecting the servicing stack during updates, preventing attackers from inserting deceptive symlinks in this critical path.
Why Inetpub? Historical and Security Rationale
Inetpub’s selection is not accidental. Historically, it has hosted IIS web content, making it a familiar and well-understood directory within the Windows ecosystem. Even for users who do not utilize IIS or web server features, the inetpub folder’s name is recognizable, and its structure is standardized for web service management. By leveraging this legacy folder name, Microsoft capsulizes its security fix within a known container that can be easily monitored and protected by the system’s security framework.Moreover, making inetpub a purposely empty, locked-down folder with controlled permissions means that the servicing stack can reliably work within a trusted environment. It acts as a “decoy” or containment area where symbolic link resolution can be safely controlled, closing gaps previously exploited by attackers relying on missing directory structures .
The Security Vulnerability: CVE-2025-21204 and Its Exploitation Risk
CVE-2025-21204 exposed a flaw in the Windows servicing stack’s handling of symbolic links during update sessions. Symbolic links, shortcuts at the system level pointing to other files or directories, were improperly vetted by the servicing stack when staging update files.An attacker with local access—even without administrative privileges—could exploit absent directories by replacing them with junction points (a type of symbolic link) redirecting the servicing stack’s file operations to unintended targets. For example, a malicious user could replace the inetpub folder with a directory junction to a system executable like Notepad.exe. When Windows Update tried to stage files in inetpub, it would instead be redirected erroneously, causing update failures or rollbacks.
Security researcher Kevin Beaumont demonstrated how easily this could be accomplished by running a simple command without admin rights:
mklink /J C:\inetpub C:\Windows\System32\notepad.exeThis command replaces the inetpub directory with a junction to Notepad. Since Windows Update’s servicing stack operates as SYSTEM and blindly treats the destination as trusted, it fails to check for symbolic link reparse points or validate ownership, leading to update process derailment. This exposes a bizarre but practical attack vector enabling non-privileged users to sabotage Windows Update — an ironic twist where a patch introduced a new vulnerability owing to a design oversight about symbolic link handling.
Microsoft’s Silence and the Security Community’s Response
At the time of discovery, Microsoft has remained mostly silent on the vulnerability, offering no immediate patch or guidance beyond strong warnings not to delete the inetpub folder. The company’s silence has been met with frustration in the security and IT communities, considering the severity and triviality of exploitation.The lack of a direct fix leaves administrators and users in a holding pattern where cautious tweaks are necessary to minimize risk pending an official update. The vulnerability’s critical nature warrants urgent attention, given that local access, while a prerequisite, is often easier to obtain than privileged exploits, especially in shared, remote, or work-from-home scenarios common today .
Mitigating the Risk: Tweaking Permissions on Inetpub
Until Microsoft ships a proper fix, the best mitigation involves tightening permissions on the inetpub folder so non-system users cannot replace it with directory junctions.To block any non-privileged processes (including administrators from using mklink /J on inetpub), users should:
- Right-click on the
C:\inetpubfolder and select Properties. - Navigate to the Security tab, then click Advanced.
- Click on Disable inheritance, then choose Remove all inherited permissions.
- Add explicit permissions for:
- SYSTEM with Full Control
- NT SERVICE\TrustedInstaller with Full Control
- Remove all other user and administrator permissions.
- Confirm and exit.
If issues arise with Windows Updates after tightening permissions, resetting Windows Update components may help before reverting these permissions back. For restoration, simply re-enable inherited permissions and remove the manually added entries, reversing the lock-down.
Risks of Deleting the Inetpub Folder
Many users, initially alarmed by the unknown folder’s appearance, may have instinctively deleted it, assuming it was redundant or unnecessary. However, doing so defeats the security patch’s purpose. Removing inetpub removes the protected directory used by Windows to anchor the security fix against symbolic link exploits.This can expose the system to repeated symbolic link attacks, privilege escalations, or allow attackers to sabotage Windows Updates further. Microsoft explicitly warns against deleting the inetpub folder, stressing that the folder must remain intact for system security to be preserved.
If it has been deleted, users are advised to restore it by enabling IIS via the Windows Features panel, which recreates the inetpub folder with correct permissions. Alternatively, uninstalling and reinstalling the update or waiting for future cumulative patches can also restore it.
This unexpected necessity to preserve an empty “decoy” folder challenges user expectations about system tidiness and highlights the complex trade-offs in modern security design .
Broader Reflections on Windows Security Patch Design
This scenario exemplifies a persistent dilemma in Windows security philosophy: fixes that patch certain vulnerabilities often generate new, unforeseen problems. Microsoft’s approach to solving the symlink exploitation with inetpub’s forced creation is clever but also symptomatic of patching surface vulnerabilities without redesigning deeper system validation logic.The entire incident underscores the need for stronger checks on symbolic links and ownership validation in system components running at SYSTEM privilege. Until Microsoft refines these core mechanisms, administrators must employ strategic workarounds like permission hardening and cautious monitoring of system directories.
Additionally, it raises concerns about how transparent and informative Microsoft is with users regarding security updates. Unexpected new folders and features, if not well documented, foster confusion and risky behaviors like accidental deletion or misconfiguration.
Finally, it reminds all users and IT professionals of the critical need to maintain robust system backups, stay informed on update advisories, and avoid impetuous “clean-up” actions that undermine invisible but vital security scaffolding .
Practical Advice for Windows Users and Administrators
- Do not delete the inetpub folder, regardless of whether IIS is installed or used.
- Apply permission restrictions on inetpub as detailed above to prevent exploitation.
- Maintain regular Windows Updates, ensuring that all patches and cumulative updates are installed promptly.
- If you have deleted inetpub, restore it by:
- Enabling IIS briefly via "Turn Windows features on or off"
- Reinstalling the relevant security updates
- Stay aware of any error messages during Windows Updates and consider resetting Windows Update components if updates fail unexpectedly.
- Consult official Microsoft documentation regularly and trusted community sources for updates on resolving this issue.
Windows 11’s inetpub folder story highlights the often invisible complexity behind modern operating system security. What appears as an empty and innocuous folder is, in fact, a sentinel guarding against privileged elevation and file manipulation exploits. Yet, the pathway it offers for local, low-privilege attackers to disrupt updates serves as a cautionary tale about security patch side effects. Until Microsoft addresses this with a deeper security fix, users and administrators must be proactive stewards of their system permissions and update hygiene to keep Windows safe and reliable in an ever-evolving threat landscape.
References:
- Windows 11 inetpub Folder Bug: How to Protect Your PC from Exploits
- The inetpub Folder Reflects Broader Trends in Windows Security and Patch Challenges
- Microsoft’s Security Advisory on inetpub Folder and CVE-2025-21204 Patch
- How to Restore inetpub Folder if Deleted and Permission Lockdown Steps
Source: Windows 11's New Inetpub Folder is Hackable. Try This Temporary Fix - Make Tech Easier
