Introduction

Something unusual has appeared on the C: drives of millions of Windows 11 users worldwide following the April 2025 update: an unfamiliar, empty folder named inetpub. This folder traditionally belongs to Microsoft's Internet Information Services (IIS), the web server platform used for hosting websites and web applications. However, its sudden appearance on systems regardless of IIS installation has led to widespread speculation, confusion, and security concerns. This article explores why Windows 11 creates the INLINECODE0 folder after the update, the security rationale behind it, the implications for users, and why deleting it can be risky.

What is the 'inetpub' Folder?

The inetpub folder typically holds web server content such as web pages, scripts, logs, and mail configurations when IIS is installed and enabled. It usually resides at the root of the system drive (by default, C:\inetpub) and contains subdirectories such as:

  • INLINECODE1 : Web page files
  • INLINECODE2 : IIS logs
  • INLINECODE3 : Web scripts
  • INLINECODE4 : For mail service processing
  • INLINECODE5 : Administrative scripts

In normal consumer systems without IIS enabled, this folder usually does not exist.

Why Does Windows 11 Create the 'inetpub' Folder After the Update?

Starting with the Windows 11 April 24H2 cumulative update (KB5055523), Microsoft intentionally creates an empty INLINECODE6 folder on every system drive. This is part of a strategic security measure designed to combat a critical Windows vulnerability identified as CVE-2025-21204.

What is CVE-2025-21204?

This vulnerability involves improper handling of symbolic links (symlinks) within the Windows Update servicing stack. Symlinks are filesystem objects that act as pointers or shortcuts to other files or directories.

Before the patch, local attackers could exploit this flaw by crafting malicious symbolic links that misdirect system processes (such as Windows Update) to unauthorized file locations. This flaw could lead to:

  • Unauthorized modification of system files
  • Privilege escalation attacks
  • Compromise of update integrity

The Role of the 'inetpub' Folder in Mitigation

Microsoft’s security patch preemptively creates this folder as a secured, trusted container at the root of the system drive. The INLINECODE7 folder is configured with stringent permissions owned by the SYSTEM account, acting as a "digital moat" or hardened zone that guards critical update operations.

In effect, it serves to:

  • Prevent unauthorized symbolic link redirections during updates
  • Act as a containment area where update processes can safely stage files
  • Reduce the risk of local privilege escalations and tampering

This structural approach to security augments patching by controlling the file system environment, rather than only patching code flaws.

Can the 'inetpub' Folder Be a Security Risk?

Ironically, despite its protective design, researchers (notably Kevin Beaumont) discovered that the folder itself introduces a new local vulnerability:

  • Any local user, even without administrator privileges, can create a directory junction (a type of symbolic link) to replace or redirect this folder using a command like:
CODEBLOCK0
  • This tricks Windows’ servicing stack, which runs with SYSTEM privileges and trusts INLINECODE8 , into interacting with a wrong target.
  • This exploit can cause Windows Update to fail or rollback, essentially creating a local denial-of-service (DoS) that obstructs patching.

This vulnerability lowers the attack bar in multi-user scenarios or shared PCs by allowing disruption without elevated permissions.

Should You Delete the 'inetpub' Folder?

No, you should not delete the INLINECODE9 folder. Microsoft strongly advises keeping it intact because:
  • It is a critical component of the security fix for CVE-2025-21204.
  • Deleting it disables the protective patch, exposing your system to the original vulnerability.
  • It does not consume significant disk space nor interfere with typical system usage.

If the folder is accidentally deleted:

  • Restore it easily by enabling IIS temporarily through Windows Features, which recreates the folder with correct permissions.
  • Alternatively, uninstalling and reinstalling the update will restore the folder.

Interim Mitigation for the Junction Point Exploit

Until Microsoft releases an official fix for the junction point exploit, users and administrators can:

  • Restrict write and delete permissions on the INLINECODE10 folder to only SYSTEM and TrustedInstaller accounts.
  • This prevents unauthorized users from creating malicious directory junctions.

Broader Security Implications

This episode highlights the complex balance Microsoft must maintain between deploying quick security fixes and avoiding unintended new vulnerabilities. It also underscores the layered security approach modern operating systems require—beyond mere code patches, extending to the structuring of filesystem and permission paradigms.

For users and sysadmins, the best practice is:

  • Keep Windows fully updated
  • Avoid deleting or modifying system folders unless fully understood
  • Monitor official Microsoft advisories for follow-up fixes

Summary

The empty INLINECODE11 folder appearing on Windows 11 systems after the April 2025 update is a deliberate and essential security measure addressing a critical symbolic link vulnerability. While its presence may be puzzling, it secures the update process and helps prevent privilege escalation attacks. Users should neither delete it nor attempt to modify it without proper guidance. This folder exemplifies how invisible OS components can be vital sentinels defending against stealthy cyber threats.