Microsoft has officially acknowledged that the April 2025 Windows security update is generating a new, empty “inetpub” folder on user systems, advising against its deletion. This folder is typically associated with Microsoft’s Internet Information Services (IIS), a web server platform that can be activated through the Windows Features dialog for hosting websites and web applications.
Despite many Windows users discovering the C:inetpub folder after applying this month’s cumulative updates—without having IIS installed—BleepingComputer has confirmed this occurrence on both Windows 11 and Windows 10 systems. The cumulative update creates the folder using the SYSTEM account, raising questions among users.
While tests indicated that deleting the folder did not disrupt Windows functionality, Microsoft emphasized that the creation of this empty folder was intentional and should remain untouched. User feedback has indicated that the April cumulative updates may fail to install if the C:inetpub directory exists prior to the update deployment.
Users warned not to remove the new folder
In the absence of a detailed explanation from Redmond regarding the rationale behind the folder’s creation, the company has updated its advisory concerning a Windows Process Activation elevation of privilege vulnerability (tracked as CVE-2025-21204). This advisory warns users explicitly against deleting the newly created inetpub folder.
Microsoft stated, “After installing the updates listed in the Security Updates table for your operating system, a new %systemdrive%inetpub folder will be created on your device. This folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users.”
The CVE-2025-21204 security flaw stems from an improper link resolution issue prior to file access (‘link following’) within the Windows Update Stack. This vulnerability suggests that unpatched devices may allow Windows Update to follow symbolic links in a manner that could enable local attackers to manipulate or access unintended files or folders.
Microsoft cautions that successful exploitation of this flaw could allow local attackers with minimal privileges to escalate permissions, enabling them to “perform and/or manipulate file management operations on the victim machine in the context of the NT AUTHORITYSYSTEM account.”
How to recreate the C:inetpub folder
For users who have deleted the inetpub folder, it can be recreated by navigating to the Windows “Turn Windows Features on or off” control panel and installing Internet Information Services. Upon installation, a new inetpub folder will appear in the root of the C: drive, this time containing files but still retaining the same SYSTEM ownership as the folder generated by the recent Windows security update.
If IIS is not needed, users can uninstall it through the same Windows Features control panel and reboot their computer when prompted. This action will remove the software while leaving the C:inetpub folder intact. Microsoft has confirmed that this method will successfully recreate the folder with the same protective measures in place.
