This is how stupid Microsoft is
At first, after having learned about this, I thought: “This cannot be. It’s impossible for the presence of an empty folder to add any kind of security, unless Microsoft is the most retarded company on Earth.” This is old news already, but here it is: Microsoft warns that anyone who deleted the mysterious folder that appeared after the latest Windows 11 update must take action to put it back:
Windows 11 24H2 users who were confused by a mysterious empty folder appearing on their system drive after applying the latest update for the OS should be aware that this is not a bug, but an intentional move – and that said folder shouldn’t be deleted.
In case you missed it, last week Windows 11 24H2 received its cumulative update for April 2025, and it created an ‘inetpub’ folder that was the source of some bewilderment or annoyance for those who noticed it.
You may also recall that some folks advised that it was fine to just delete the folder, not an unreasonable conclusion to reach seeing as it was empty, didn’t appear to do anything, and was related to Microsoft’s Internet Information Services (IIS) web server software for developers (and was appearing for those who didn’t have IIS installed).
Still, at the time, I advised that you remove it at your own risk and that it might be best left alone – seeing as it was empty and appeared harmless (and also just because you never quite know what’s going on with Windows). It seems I was right, as Microsoft has now warned against removing the folder, as noted at the outset.
Microsoft told Windows Latest that the folder is created as part of a security fix for a vulnerability that “can let local attackers trick the system into accessing or modifying unintended files or folders.”
In its advisory for this security patch, Microsoft notes: “After installing the updates listed in the Security Updates table for your operating system, a new [inetpub folder] will be created on your [system drive]. This folder should not be deleted, regardless of whether Internet Information Services (IIS) is active on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users.”
In short, it doesn’t matter whether you use IIS or not, you need to leave this folder alone. Without the folder being present, the mentioned security hole will remain present in Windows 11, offering attackers a potential opportunity to compromise your PC (at least if they are local to the device, meaning they have physical access).
And indeed, it doesn’t make sense, right? Except that it does!
I needed this detailed explanation by Will Dormann to learn about how stupid they are at Microsoft:
Both the vulnerability and the “fix” for CVE-2025-21204 are quite silly.
The scenario is:
- Non-admin user creates C:\inetpub\wwwroot directory and puts web content there.
- Admin user at some point in the future enables IIS on the system.
The outcome is:
The web content provided by the non-admin user (be it a web shell or whatnot) is served up by IIS.
Maybe non-admin users shouldn’t be able to make directories or junctions (to directories or files) in C:\?
NAH.
Maybe installing IIS should provide a clean webroot when it’s installed?
NAH.
Just preemptively make a C:\inetpub directory that non-admin users can’t write to. That fixes the problem. 🤦♂️
Read it as many times as you need.
So, Microsoft’s solution is to create an empty C:\inetpub folder with permissions that prevent non-admin users from writing to it. Should IIS later be installed, it couldn’t serve potentially malicious content placed by non-admin users into C:\inetpub, for the mere reason that such users are unable to put anything in this “protected” folder.
Many more sensible solutions could have been implemented instead, such as:
- IIS patched to create on installation a fresh C:\inetpub\wwwroot with secure defaults.
- IIS patched to refuse to serve anything from a C:\inetpub\wwwroot folder that is owned by a non-admin user, or that contains files with unsafe permissions.
- C:\inetpub added to the list of partially protected folders, alongside the already restricted C:\Windows, C:\Program Files and C:\Program Files (x86). These directories have access control lists (ACLs) that restrict write access to SYSTEM and Administrators, or, where appropriate, to TrustedInstaller. Running sfc /scannow (System File Checker) would restore the original ACLs of the protected folders or files if they don’t match the expected file states. But C:\inetpub is not a protected folder!
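An added example, written for this post and not taken from Microsoft, Will Dormann or the TechRadar article: a PowerShell audit that checks the two things the discussion above turns on, namely whether C:\inetpub exists with a trusted owner and no write access for non-admin principals, and, in the spirit of the “refuse to serve a wwwroot with unsafe permissions” alternative, whether anything below it is writable by broad groups or is a junction. The root path, the list of “broad” principals treated as non-admin, and the set of owners treated as trusted are my assumptions, not values Microsoft has published.

```powershell
# Added example (not from the post, Microsoft or IIS): audit C:\inetpub for the
# conditions described in the text. Assumed values: root path, broad principals,
# trusted owners. The script only reports; it does not create or re-ACL anything.
param(
    [string]$Root = 'C:\inetpub'
)

# Principals whose write access would let a non-admin plant content (assumption).
$BroadPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Owners considered acceptable for a protected folder (assumption).
$TrustedOwners = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Individual write-class bits of FileSystemRights. Composite values (Modify,
# FullControl) are left out on purpose: they also contain read bits and would
# make a read-only ACE look like a write grant.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::WriteExtendedAttributes -bor
                   [System.Security.AccessControl.FileSystemRights]::WriteAttributes -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

# Inherit-only ACEs are sometimes reported with generic rights instead of specific ones.
$GenericWriteMask = 0x50000000   # GENERIC_ALL | GENERIC_WRITE

function Get-UnsafeAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $who = $ace.IdentityReference.Value
        if ($BroadPrincipals -notcontains $who) { continue }
        $rights = [int]$ace.FileSystemRights
        $canWrite = (($rights -band $WriteMask) -ne 0) -or (($rights -band $GenericWriteMask) -ne 0)
        if ($canWrite) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Test-InetpubHardening {
    param([string]$Path = $Root)

    # Absent folder: the pre-fix state, where whoever creates it first owns it.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "$Path is absent; it can be created by whichever user gets there first."
        return $false
    }

    $dir = Get-Item -LiteralPath $Path -Force
    $healthy = $true

    # A junction or symlink here would make IIS read from somewhere else entirely.
    $isReparse = (($dir.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0)
    if ($isReparse) {
        Write-Warning "$Path is a reparse point (junction or symlink), not a plain directory."
        $healthy = $false
    }

    $owner = (Get-Acl -LiteralPath $Path).Owner
    if ($TrustedOwners -notcontains $owner) {
        Write-Warning "$Path is owned by '$owner', not by SYSTEM, Administrators or TrustedInstaller."
        $healthy = $false
    }

    # Walk the folder and everything below it (wwwroot included, if it exists),
    # skipping the walk when the root itself is a reparse point.
    $items = @($dir)
    if (-not $isReparse) {
        $items += @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    }
    $findings = foreach ($item in $items) { Get-UnsafeAce -Path $item.FullName }

    if ($findings) {
        $healthy = $false
        Write-Warning ($findings | Format-Table -AutoSize | Out-String)
    }

    if ($healthy) {
        Write-Host "$Path exists, is a plain directory with owner '$owner', and grants no write access to broad principals."
    }
    return $healthy
}

Test-InetpubHardening
```

Run it from an elevated prompt so Get-Acl can read every item; the built-in `icacls C:\inetpub` shows the same ACL in raw form if you want to eyeball what the script is judging. The script deliberately stops at reporting: putting the folder back with the intended ACL is the update’s job, and hand-rolling it would just add a second “fix” of the kind this post is complaining about.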
But the geniuses at Microsoft have chosen the easiest possible way: “Let’s create a C:\inetpub folder owned by SYSTEM so that only SYSTEM and Administrators have writing rights into it. Oh, we don’t care if that machine uses IIS or not; this is to prevent future vulnerabilities.”
Microsoft. Retards.
Note that Windows 10 is also affected by CVE-2025-21204, but the patches are obviously different: KB5055523 for Windows 11 and KB5055518 for Windows 10.
Oh, I hadn’t seen that. I’m not knowledgeable enough to know exactly, but yes, this empty folder idea seems pretty stupid.