Inetpub Folder in Windows 11: Security Risks & How to Protect Your System

Introduction

With the April 2025 cumulative update (notably KB5055523) for Windows 11 24H2, many users have noticed a mysterious new folder named "inetpub" appearing at the root of their system drive (usually C:). While traditionally associated with Microsoft’s Internet Information Services (IIS) web server, this empty folder now appears even on machines where IIS is not installed, raising questions and concerns among users and IT professionals alike.

In this article, we delve into the context and technical details behind this unexpected addition, its implications for system security, and practical steps users and administrators can take to safeguard their systems.

Background: What is the inetpub Folder?

The inetpub directory is historically the default folder used by IIS to host websites, store logs, and manage related web resources. It is typically found only on systems where IIS is installed and running.

However, starting with the April 2025 cumulative update for Windows 11 and Windows 10, the folder appears on virtually all systems, regardless of IIS usage. This change is part of a deliberate and sophisticated security strategy by Microsoft.

The Security Vulnerability: CVE-2025-21204

The presence of the inetpub folder is linked to a critical Windows vulnerability identified as CVE-2025-21204. This flaw involves improper handling of symbolic links (symlinks) within the Windows Update servicing stack — specifically the Windows Process Activation service and the Windows Update Stack.

What Are Symbolic Links?

Symbolic links are filesystem objects that point to other files or directories. While essential for various legitimate operations, improperly managed symlinks can be exploited to redirect file access to unauthorized locations.

Exploit Scenario:

An attacker with local access (even without administrative privileges) could craft malicious symbolic links that trick Windows into:

  • Redirecting privileged file operations to unintended targets,
  • Tampering with critical system files or updates,
  • Elevating privileges or creating persistent compromises.

Microsoft’s Mitigation: Pre-Creating the Inetpub Folder

To counter this exploitation vector, Microsoft introduced a defense-in-depth measure by pre-creating an empty inetpub folder with tightly controlled permissions:

  • Owned by the SYSTEM account,
  • Set as read-only and protected from user modifications,
  • Acts as a "safe zone" or hardened container,
  • Prevents Windows Update and servicing stack processes from following manipulated symlinks or junction points within this critical path.

By standardizing the presence of this folder and controlling its permissions, Microsoft effectively raises the difficulty for attackers to exploit symlink resolution flaws during updates.

Microsoft strongly advises not to delete this folder. Removing it disables the mitigation, leaving the system vulnerable to the original CVE-2025-21204 attack vector.

If deleted inadvertently, the folder can be restored by:

  1. Temporarily enabling IIS via the Control Panel feature "Turn Windows features on or off", which recreates inetpub securely,
  2. Or reinstalling the April 2025 cumulative update to restore protections.

The Paradox: Inetpub Folder Itself Introduces a New Vulnerability

Security researcher Kevin Beaumont revealed an ironic twist: the very inetpub folder meant to enhance security can be exploited via Windows junction points (a type of symbolic link).

Exploit Details:

  • A non-admin local user can execute a command like:

``INLINECODE0 ``

  • This creates a directory junction that redirects the inetpub folder path to another target (e.g., Notepad executable).
  • The Windows servicing stack, trusting the inetpub folder, follows this misdirection:
    • Attempting to stage update files in a non-existent or inappropriate location,
    • Causing updates to fail or roll back repeatedly, effectively causing a denial of service (DoS) on updates.

While this exploit does not directly escalate privileges, it significantly impacts patch management and security, increasing the attack surface by preventing updates from applying critical fixes.

Practical Mitigation and Recommendations

Until Microsoft releases a specific patch to address this junction point vulnerability, the following measures can protect systems:

1. Restrict Permissions on the inetpub Folder

  • Navigate to C:\inetpub folder properties.
  • Go to the Security tab > Advanced.
  • Disable inheritance and remove all existing permissions.
  • Add permissions explicitly for SYSTEM and
NT SERVICE\TrustedInstaller only, granting them Full Control.
  • This prevents non-admin users, including standard and even some elevated users, from replacing or modifying the inetpub folder with junction points.

2. Do Not Delete the Inetpub Folder

Deleting this folder removes a critical security component of the update.

3. Restore If Deleted

  • Reinstall the April 2025 cumulative update or
  • Temporarily enable IIS to recreate the folder with the correct permissions.

4. Maintain Regular Updates

Ensure Windows systems are kept fully patched to benefit from the latest security enhancements.

Broader Implications and Conclusion

The inetpub folder saga exemplifies the evolving complexity of modern operating system security:

  • Microsoft’s approach goes beyond patching code by modifying filesystem structures and permissions to enforce security boundaries.
  • The situation highlights that even seemingly trivial elements, such as an empty folder, play vital roles in defending complex systems.
  • At the same time, it illustrates potential unintended side effects and new attack vectors introduced by such security measures.

Users and administrators must be aware, cautious, and implement recommended protections to maintain system integrity.

This ongoing dialogue and investigation into the inetpub folder have sparked extensive community and expert analyses, reflecting the challenges of balancing robust security with usability and operational continuity in Windows.

Summary

The inetpub folder's unexpected appearance on Windows 11 systems stems from a critical security update designed to mitigate symbolic link vulnerabilities (CVE-2025-21204). While the folder acts as a protective container within the filesystem, it paradoxically exposes new risks via junction point exploits that can disrupt Windows Update operations. Users are advised not to delete this folder and to harden its permissions to protect system integrity until further patches are issued.

Meta Description

Explore the security risks introduced by the inetpub folder in Windows 11 after the April 2025 update and learn how to protect your system effectively.

Tags

["cve-2025-21204", "cyber attack prevention", "cybersecurity", "cybersecurity analysis", "cybersecurity best practices", "cybersecurity threats", "digital forensics", "endpoint monitoring", "filesystem security", "iis", "inetpub", "inetpub folder", "it pro tips", "it professionals", "it security", "junction points", "kb5055523", "malware risks", "microsoft security", "microsoft update", "microsoft windows", "network security", "ntfs permissions", "patch management", "privilege escalation", "security research", "security vulnerabilities", "symlink abuse", "symlink exploits", "system administration", "system folder risks", "system integrity", "system restoration", "system security", "threat prevention", "update failures", "update management", "vulnerability cve-2025", "windows 10", "windows 11", "windows folder risks", "windows folder trick", "windows security", "windows security patch", "windows system folder", "windows update", "windows updates", "windows vulnerabilities"]

Reference Links

[{

"title": "Windows 11's New Inetpub Folder is Hackable. Try This Temporary Fix - Make Tech Easier",

"url": "https://www.maketecheasier.com/windows-inetpub-folder-is-hackable/",

"source": "Make Tech Easier",

"description": "Detailed analysis of the inetpub folder security risks, the CVE-2025-21204 vulnerability, and a temporary fix via permission restriction."

}, {

"title": "Microsoft: Don't delete inetpub folder created from the April 2025 update, it's required",

"url": "https://windowsforum.com/microsoft-dont-delete-inetpub-folder-april-2025-update/",

"source": "Windows Forum",

"description": "Official Microsoft advisory and community discussion warning users against deleting the inetpub folder introduced in the April 2025 update."

}, {

"title": "Analysis of the inetpub Folder in Windows 11 Updates and Security Implications",

"url": "https://securityresearch.com/articles/inetpub-windows11-update-security",

"source": "Security Research Insights",

"description": "Comprehensive technical report on symbolic link exploits related to inetpub and CVE-2025-21204, including mitigation strategies."

}]