Understanding the Mystery of the inetpub Folder in Windows 11 24H2 Update

The Windows 11 24H2 update rolled out in April 2025 introduced an unexpected change that caught many users and IT professionals by surprise: the creation of an empty folder named "inetpub" in the root directory of the system drive (usually C:\). While typically associated with Microsoft's Internet Information Services (IIS) web server, this folder's presence on machines without IIS has generated curiosity and even concern. Far from a glitch or leftover, this folder is a deliberate, strategic component of a critical security patch targeting a serious Windows vulnerability.

Background: The Inetpub Folder and Its Traditional Role

Historically, the "inetpub" folder is the default root directory for IIS, housing web content, logs, scripts, and related files essential for web hosting. Typically, it only appears on systems where IIS is installed and activated. However, Microsoft’s April 2025 cumulative update (notably KB5055523 for Windows 11 24H2) has led to the folder being created universally, regardless of IIS usage.

The Vulnerability: CVE-2025-21204

At the core of this update is a critical security vulnerability identified as CVE-2025-21204. This flaw involves symbolic link (symlink) handling within the Windows Update servicing stack. Symlinks are filesystem objects that act like shortcuts or references to other files or directories. This vulnerability allows local attackers to manipulate symbolic links so that the Windows Update process follows these links to unintended locations, potentially enabling unauthorized access, modification of protected files, or privilege escalation.

The vulnerability arises because the Windows servicing stack operates with SYSTEM-level privileges and assumes the "inetpub" directory to be safe, but fails to validate if it has been replaced or manipulated, such as with junction points or symlinks.

How the inetpub Folder Enhances Security

To mitigate this risk, Microsoft decided to create the "inetpub" folder with strict system permissions, owned by the SYSTEM account and set as read-only for most users. This strategic placement serves as a hardened container or 'safe zone' to protect the Windows servicing stack from symbolic link exploits during update operations.

The folder acts as a kind of security moat:

  • It ensures Windows Update deals with a legitimate, controlled directory.
  • It blocks attackers from redirecting update operations to unauthorized or malicious directories.
  • It prevents elevation-of-privilege attacks that hinge on symbolic link misdirection.

Choosing the well-known "inetpub" folder leverages an existing filesystem convention familiar to Windows, simplifying permissions management and security enforcement.

Risks and Implications of Deleting the Folder

Many users, puzzled by this empty folder, have attempted to delete it. Microsoft has issued strong guidance not to remove the inetpub folder:

  • Deleting the folder disables the patch's protections, exposing the system to the symbolic link vulnerability again.
  • Without it, Windows cannot enforce the intended controls on symbolic link resolution during updates.
  • Systems become vulnerable to privilege escalation and unauthorized file manipulation.

This is particularly critical in environments with multiple users or where the machine may have physical access challenges (e.g., public computers).

Restoring the inetpub Folder

For users or administrators who have deleted this folder, Microsoft recommends restoring it via the following steps:

  1. Open the Control Panel.
  2. Navigate to Programs and Features.
  3. Select Turn Windows features on or off.
  4. Find and enable Internet Information Services (IIS) temporarily.
  5. Confirm changes and Windows will recreate the "inetpub" folder with proper permissions.
  6. IIS can then be disabled if not needed — importantly, do not delete the inetpub folder after disabling IIS.

Emerging Concerns: Directory Junction Hijacking

Ironically, security researcher Kevin Beaumont discovered that while the "inetpub" folder mitigates one vulnerability, it exposes another attack vector. Using Windows directory junctions (a form of symbolic links), a non-administrative attacker could replace the inetpub folder with a junction pointing to another file or folder (e.g., Notepad.exe). This tricks the Windows servicing stack into following this malicious junction during update processes, causing update failures or potential denial-of-service.

Until Microsoft provides a patch for this new issue, a recommended mitigation is to tighten permissions on the inetpub folder, allowing only SYSTEM and TrustedInstaller accounts full control, thereby blocking unauthorized users from replacing or deleting it.

Conclusion

The creation of the "inetpub" folder in Windows 11's April 2025 24H2 update is a subtle but essential part of a security-by-design approach to protect against a privileged escalation vulnerability (CVE-2025-21204) involving symbolic links. Users and administrators must heed Microsoft's warnings to preserve this folder, understanding its important role in system security. Meanwhile, awareness of the new junction-based exploit reinforces the ongoing and evolving challenges in securing modern operating systems.

Embracing such layered security measures is vital for maintaining robust protection in an increasingly hostile threat landscape.

This article synthesizes official Microsoft guidance and community research surrounding the inetpub folder's introduction and related security implications.