Introduction

The Windows 11 April 2025 cumulative update (version 24H2) has brought an unexpected but important change: the automatic creation of an empty folder named C:\inetpub on almost all updated systems. Initially puzzling to users and IT professionals, this folder is not a bug or leftover but a deliberate security measure tied to mitigating a serious vulnerability known as CVE-2025-21204.

This article explores the background and context of the inetpub folder introduction, the technical nature of the vulnerability it addresses, its implications for system security, and guidance for users and administrators to navigate this change.

What is the C:\inetpub Folder?

Traditionally, the INLINECODE0 folder is associated with Microsoft’s Internet Information Services (IIS) web server, commonly hosting web content, scripts, and logs, and typically only present on systems where IIS is enabled. However, the recent update causes this folder to appear even on systems without IIS installed, and it remains empty.

Microsoft clarified that this folder is created as part of a strategic security patch to improve Windows Update's resilience against specific exploit techniques involving symbolic links (symlinks).

Understanding CVE-2025-21204: The Vulnerability Behind inetpub Creation

What is CVE-2025-21204?

This vulnerability concerns a flaw in Windows' handling of symbolic links during file operations within the Windows Update servicing stack. Symbolic links are filesystem objects that redirect file system requests to other files or directories. If improperly handled, maliciously crafted symbolic links can be used to redirect system operations to unauthorized locations.

Technical Details about the Exploit:

  • The Windows servicing stack, which runs with SYSTEM privileges and applies updates, trusts the INLINECODE1 folder as a secure, system-owned directory.
  • The vulnerability lies in the servicing stack's inability to verify if the INLINECODE2 directory is a genuine folder or a symbolic link (such as a directory junction) pointing elsewhere.
  • An attacker with local access but no administrator privileges can delete the legit INLINECODE3 folder and replace it with a junction to an arbitrary target, such as:
CODEBLOCK0
  • Such redirection causes Windows Update to fail or roll back, disrupting update installations.
  • This represents a privilege escalation and denial-of-service vector against Windows Update, undermining update integrity.

Purpose of the inetpub Folder in Security

The empty INLINECODE4 folder acts as a hardened container designed to block manipulated symbolic link operations from impacting critical system update files.

  • It has strict system-level ownership and permissions.
  • It establishes a trusted staging area for Windows Update to safely place files without falling victim to symbolic link exploitation.
  • By pre-creating this folder, Microsoft raises the bar for attackers attempting to misuse symlinks.

Microsoft's creation of the folder uses the existing IIS folder's infrastructure and security concepts to integrate this defense neatly without adding new complex components.

Risks and Recommendations

Why Users Should Not Delete the Folder

  • Despite appearing empty and inert, deleting INLINECODE5 disables the patch's protections, reopening security risks related to symbolic link attacks.
  • Replacing or deleting the folder can cause Windows Update failures and rollback.
  • Microsoft explicitly advises users and administrators to not delete or modify this folder.

Mitigation for Accidental Deletion

  • Restore the folder by reinstalling the update or by briefly enabling IIS from Windows Features (which regenerates the folder).
  • IT administrators should monitor folder permissions and restrict non-administrative users from manipulating this folder.

Implications for IT Pros and Security Awareness

  • The inetpub folder case illustrates how even empty system folders can carry significant security importance.
  • Administrator vigilance is necessary to prevent low-privilege users from exploiting such filesystem quirks.
  • This situation underscores the complexity of modern OS security, where protective measures may also introduce new attack surfaces requiring layered defenses.
  • System hardening practices should include restricting access to critical system folders and careful monitoring of changes to symbolic links or junctions.

Conclusion

The Windows 11 April 2025 update's introduction of the INLINECODE6 folder is a critical part of Microsoft's defensive strategy against symbolic link attacks identified as CVE-2025-21204. While its unexpected presence created confusion, it is fundamental to maintaining Windows Update security and integrity.

Users and IT professionals must respect this system component by avoiding deletion or modification and applying best security practices to safeguard their systems. This case is a compelling example of how security in operating systems often involves subtle, sometimes invisible measures that require awareness and thoughtful management.