
Microsoft: Windows 'inetpub' folder created by security fix, don’t delete

Microsoft has now confirmed that an April 2025 Windows security update is creating a new empty "inetpub" folder and warned users not to delete it.

This folder is typically used by Microsoft's Internet Information Services (IIS), a web server platform that can be enabled via the Windows Features dialog to host websites and web apps.

However, after installing this month's cumulative updates, many Windows users have found a newly created C:\inetpub folder on their systems, although IIS wasn't installed during the process.

BleepingComputer has confirmed this behavior on our Windows 11 and Windows 10 systems and discovered that the cumulative update creates the folder using the SYSTEM account.

Even though deleting the folder did not cause issues using Windows in our tests, Microsoft told BleepingComputer on Thursday that this empty folder had been intentionally created and should not be removed.

However, according to user reports, the April cumulative updates will fail to install if the C:\inetpub directory is created before update deployment.  

Users warned not to remove the new folder

While Redmond still has to explain why the security updates are creating this folder in the first place, the company updated the advisory for a Windows Process Activation elevation of privilege vulnerability (tracked as CVE-2025-21204) overnight to warn users not to delete the new empty inetpub folder on their hard drives.

"After installing the updates listed in the Security Updates table for your operating system, a new %systemdrive%\inetpub folder will be created on your device," Microsoft says.

"This folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users."

The CVE-2025-21204 security flaw is caused by an improper link resolution issue before file access ('link following') in the Windows Update Stack. This likely means that, on unpatched devices, Windows Update may follow symbolic links in a way that can let local attackers trick the system into accessing or modifying unintended files or folders.

The company warns that successful exploitation can let local attackers with low privileges escalate permissions and "perform and/or manipulate file management operations on the victim machine in the context of the NT AUTHORITY\SYSTEM account."

Microsoft didn't explain how the inetpub folder would "increase protection," and BleepingComputer has yet to receive a reply to further questions regarding the newly created folder's actual purpose.
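For admins who want to confirm the folder's state across a fleet, the following read-only PowerShell check is an added example, not code from Microsoft or BleepingComputer. The function name `Test-InetpubFolder` is hypothetical, and treating a link at that path or a non-SYSTEM owner as worth review is an assumption drawn from the link-following nature of the flaw, not guidance from the advisory.

```powershell
# Added example: read-only audit of %systemdrive%\inetpub. Changes nothing on disk.
# Test-InetpubFolder and the Findings wording are hypothetical, not Microsoft's.
function Test-InetpubFolder {
    param([string]$Path = "$env:SystemDrive\inetpub")

    $result = [ordered]@{
        Path = $Path; Exists = $false; IsReparsePoint = $null
        LinkTarget = $null; OwnerSid = $null; IsEmpty = $null; Findings = @()
    }

    # -Force so hidden or system attributes do not hide the folder.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        $result.Findings += 'Folder missing: the advisory says it should not be deleted.'
        return [pscustomobject]$result
    }
    $result.Exists = $true

    # Junctions and symbolic links carry the ReparsePoint attribute.
    $result.IsReparsePoint = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
    if ($result.IsReparsePoint) {
        $result.LinkTarget = $item.Target
        $result.Findings += 'Path is a link, not a plain directory (assumed worth review).'
    }

    # Compare by SID (S-1-5-18 = LocalSystem) so localized account names still match.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $result.OwnerSid = (Get-Acl -LiteralPath $Path).GetOwner($sidType).Value
    if ($result.OwnerSid -ne 'S-1-5-18') {
        $result.Findings += "Owner SID $($result.OwnerSid) is not SYSTEM (assumed worth review)."
    }

    # Only enumerate a real directory; never list through a link.
    # IsEmpty is informational: with IIS installed the folder has content.
    if (-not $result.IsReparsePoint) {
        $children = @(Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue)
        $result.IsEmpty = ($children.Count -eq 0)
    }

    [pscustomobject]$result
}

Test-InetpubFolder | Format-List
```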
