  • Microsoft: Windows 'inetpub' folder created by security fix, don’t delete

    Karlston


    Microsoft has now confirmed that an April 2025 Windows security update is creating a new empty "inetpub" folder and warned users not to delete it.

     

    This folder is typically used by Microsoft's Internet Information Services (IIS), a web server platform that can be enabled via the Windows Features dialog to host websites and web apps.

     

    However, after installing this month's cumulative updates, many Windows users have found a newly created C:\inetpub folder on their systems, although IIS wasn't installed during the process.

     

    BleepingComputer has confirmed this behavior on our Windows 11 and Windows 10 systems and discovered that the cumulative update creates the folder using the SYSTEM account.

     

    Even though deleting the folder did not cause issues using Windows in our tests, Microsoft told BleepingComputer on Thursday that this empty folder had been intentionally created and should not be removed.

     

    However, according to user reports, the April cumulative updates will fail to install if the C:\inetpub directory is created before update deployment.  

    Users warned not to remove the new folder

    While Redmond still has to explain why the security updates are creating this folder in the first place, the company updated the advisory for a Windows Process Activation elevation of privilege vulnerability (tracked as CVE-2025-21204) overnight to warn users not to delete the new empty inetpub folder on their hard drives.

     

    "After installing the updates listed in the Security Updates table for your operating system, a new %systemdrive%\inetpub folder will be created on your device," Microsoft says.

     

    "This folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users."

     

    The CVE-2025-21204 security flaw is caused by an improper link resolution issue before file access ('link following') in the Windows Update Stack, which likely means that, on unpatched devices, Windows Update may follow symbolic links in a way that can let local attackers trick the system into accessing or modifying unintended files or folders.

     

    The company warns that successful exploitation can let local attackers with low privileges escalate permissions and "perform and/or manipulate file management operations on the victim machine in the context of the NT AUTHORITY\SYSTEM account."

    How to recreate the C:\inetpub folder

    If you deleted the inetpub folder, you can recreate it by opening the Windows "Turn Windows Features on or off" control panel and installing Internet Information Services.

     

    Install IIS through the Windows Features control panel

     

    Once installed, a new inetpub folder will be created in the root of the C: drive, this time with files in it. However, it will have the same SYSTEM ownership as the folder created by the recent Windows security update.

     

    If you do not use IIS, you can uninstall it again through the same Windows Features control panel and reboot your computer when prompted.

     

    This will remove the software but leave the C:\inetpub folder behind. 
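
To check the folder's state after the update or after recreating it, the following PowerShell function reports whether %SystemDrive%\inetpub exists, whether it is a real directory rather than a symbolic link or junction, whether it is owned by SYSTEM, and how many items it holds. This is an added example, not code from Microsoft or BleepingComputer; the function name `Test-InetpubFolder` and the choice of properties to check are assumptions drawn from the article's description.

```powershell
# Added example: report the state of %SystemDrive%\inetpub.
# Assumption: the properties checked (existence, not a link, SYSTEM owner,
# item count) come from the article's description, not from Microsoft guidance.
function Test-InetpubFolder {
    param(
        [string]$Path = (Join-Path $env:SystemDrive 'inetpub')
    )

    $result = [ordered]@{
        Path          = $Path
        Exists        = $false
        IsDirectory   = $false
        IsLink        = $null   # symbolic link or junction (reparse point)
        OwnerSid      = $null
        OwnedBySystem = $null
        ItemCount     = $null
    }

    # -Force so a hidden or system-flagged folder is still found.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [pscustomobject]$result }

    $result.Exists      = $true
    $result.IsDirectory = $item.PSIsContainer
    $result.IsLink      = [bool]($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint)

    # Owner and contents are only read for a real directory, so the report
    # never describes whatever a link happens to point at.
    if ($result.IsDirectory -and -not $result.IsLink) {
        $sid = (Get-Acl -LiteralPath $Path).GetOwner([System.Security.Principal.SecurityIdentifier])
        $result.OwnerSid      = $sid.Value
        # S-1-5-18 is the well-known SID of the Local System account; comparing
        # the SID avoids localized account names.
        $result.OwnedBySystem = ($sid.Value -eq 'S-1-5-18')
        $result.ItemCount     = @(Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue).Count
    }

    [pscustomobject]$result
}

Test-InetpubFolder | Format-List
```

A folder left by the update alone should show `ItemCount` 0, while one recreated by installing IIS will contain files, as described above.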

     

    Microsoft didn't explain how the inetpub folder would "increase protection," and BleepingComputer has yet to receive a reply to further questions regarding the newly created folder's actual purpose and how to restore it.

     
