Microsoft has taken a proactive step in addressing a potential security concern stemming from its April 2025 Windows security updates. In response to user confusion surrounding the automatic creation of an empty C:\Inetpub folder, the tech giant has released a PowerShell script designed to assist in restoring this folder should it be inadvertently deleted. This folder plays a crucial role in mitigating a high-severity privilege escalation vulnerability associated with Windows Process Activation.
Upon installing the April updates, many Windows users were surprised to find the empty C:\Inetpub folder on their systems, particularly since it is linked to Microsoft’s Internet Information Services (IIS), which may not have been installed on all devices. This unexpected appearance led some users to remove the folder, inadvertently exposing their systems to the very vulnerabilities that the updates were intended to address.
For those who have deleted the folder, Microsoft has provided a clear path to restoration. Users can manually recreate the C:\Inetpub folder by enabling Internet Information Services through the “Turn Windows Features on or off” control panel. This process will not only restore the folder but also ensure that it is populated with the necessary files and retains the same SYSTEM ownership as the version created by the April updates. If IIS is not in use, it can be uninstalled through the same control panel, leaving the C:\inetpub folder intact.
Microsoft: “Don’t delete it.”
In a recent update to the CVE-2025-21204 advisory, Microsoft emphasized the importance of the C:Inetpub folder, cautioning users against its deletion. The vulnerability it addresses arises from an improper link resolution issue within the Windows Update Stack, which could allow local attackers to manipulate files or folders on unpatched devices.
According to Microsoft, successful exploitation of this flaw could enable attackers with low privileges to escalate their permissions and execute file management operations under the NT AUTHORITY\SYSTEM account. While tests indicated that removing the folder did not disrupt Windows functionality, the company reiterated that the folder is a critical component of the security framework and should remain untouched. “This folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device,” Microsoft stated, reinforcing that its presence is integral to enhanced security measures.
Cybersecurity expert Kevin Beaumont has also highlighted the potential for non-admin users to misuse this folder by creating junctions between C:\inetpub and other Windows files, thereby blocking essential updates. This underscores the need for users to heed Microsoft’s guidance and maintain the integrity of the C:\Inetpub folder as part of their security practices.
To facilitate the restoration process, Microsoft has made available a remediation script that allows administrators to recreate the C:\Inetpub folder directly from a PowerShell shell. The script sets the correct IIS permissions to safeguard against unauthorized access and ensures that the access control list (ACL) entries for the DeviceHealthAttestation directory on Windows Server systems are appropriately secured.
Install-Script -Name Set-InetpubFolderAcl
C:\Program` Files\WindowsPowerShell\Scripts\Set-InetpubFolderAcl.ps1
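A read-only check that an administrator could run before or after the remediation script to see whether the folder is in the state the article describes (present, a real directory rather than a junction, owned by SYSTEM). This is an added example, not Microsoft's script or any part of it; the function name Test-InetpubFolder and the MatchesExpected field are hypothetical, and the SYSTEM-owner expectation is taken from the article.

```powershell
# Added example: read-only audit of the inetpub folder state described in the article.
# Test-InetpubFolder is a hypothetical helper name, not part of Microsoft's script.
function Test-InetpubFolder {
    [CmdletBinding()]
    param(
        [string]$Path = (Join-Path $env:SystemDrive 'inetpub')
    )

    $result = [ordered]@{
        Path            = $Path
        Exists          = $false
        IsDirectory     = $false
        IsReparsePoint  = $false
        LinkTarget      = $null
        OwnerSid        = $null
        OwnerIsSystem   = $false
        MatchesExpected = $false
    }

    # -Force so the item is returned even if hidden or system attributes are set.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $result.Exists      = $true
        $result.IsDirectory = $item.PSIsContainer

        # A junction or symlink standing in for the real folder is a reparse point.
        $reparse = [System.IO.FileAttributes]::ReparsePoint
        $result.IsReparsePoint = ($item.Attributes -band $reparse) -eq $reparse
        if ($result.IsReparsePoint) { $result.LinkTarget = $item.Target }

        # Compare the owner by SID (S-1-5-18 = LocalSystem) so localized names do not matter.
        $acl = Get-Acl -LiteralPath $Path
        $sid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
        $result.OwnerSid      = $sid.Value
        $result.OwnerIsSystem = $sid.Value -eq 'S-1-5-18'
    }

    # Expected state per the article: exists, real directory, not a link, SYSTEM-owned.
    $result.MatchesExpected = $result.Exists -and $result.IsDirectory -and
                              -not $result.IsReparsePoint -and $result.OwnerIsSystem
    [pscustomobject]$result
}

Test-InetpubFolder | Format-List
```

The check changes nothing on disk; a result with IsReparsePoint set to True, or with MatchesExpected set to False for any other reason, is the cue to investigate and then run the remediation above.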
This development marks a significant step in simplifying the management of Windows security updates, allowing IT administrators to focus on strategic initiatives rather than navigating complex scripts and troubleshooting issues.