
Following the April 2025 Windows security updates, users began to notice a curious anomaly: an empty folder named C:\inetpub was appearing in the root of the system drive, even on machines where the IIS web server had never been installed. This unexpected development sparked confusion and a wave of manual deletions of what many presumed to be an unnecessary directory, a reaction which, as it turns out, exposes a serious vulnerability in the system.
Microsoft initially clarified that the folder’s creation was part of a mitigation for a privilege escalation vulnerability (CVE-2025-21204), which stemmed from improper handling of symbolic links within the Windows update stack. This flaw allowed low-privileged local users to execute operations on system files with NT AUTHORITY\SYSTEM privileges, effectively granting them the highest level of access.
The inetpub folder, although empty, is automatically generated by the security update and safeguarded by specific access control settings. Its presence is essential, serving as a protective barrier against symlink-based attacks that could subvert the update mechanism. Security expert Kevin Beaumont demonstrated that, without this protection, a standard user could create a symbolic link from C:\inetpub to any critical system object, potentially disrupting Windows Update processes.
Nonetheless, many users mistakenly perceived the folder’s sudden appearance as a bug — particularly on systems without IIS — and proceeded to delete it. This, in turn, reintroduced the vulnerability. Microsoft explained that the folder can be reinstated manually by installing IIS via the standard Windows feature management panel (“Turn Windows features on or off”), which recreates the folder with the necessary attributes. IIS can then be uninstalled, while the folder itself remains — precisely as intended.
To streamline the process and minimize administrative error, Microsoft released a PowerShell script to restore the correct access attributes without requiring IIS installation. The script, Set-InetpubFolderAcl, sets the appropriate permissions for the inetpub folder and simultaneously updates the access control list (ACL) for the DeviceHealthAttestation directory, another component affected by the February 2025 update.
The script can be executed with the following commands:
Install-Script -Name Set-InetpubFolderAcl
C:\Program` Files\WindowsPowerShell\Scripts\Set-InetpubFolderAcl.ps1
Microsoft emphasizes that the inetpub directory should remain on the system regardless of IIS usage. Its presence is not a bug but a deliberate security enhancement that requires no further action from users or administrators.
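A read-only PowerShell check for the state described above (folder present, a real directory rather than a link, no write access for broad user groups), added here as an example; it is not Microsoft's Set-InetpubFolderAcl script or code from the original article. The function name Test-InetpubFolder and the choice of which rights and groups to flag are assumptions, since the article does not list the exact ACL.

```powershell
# Added example: read-only audit of the folder discussed above. It changes nothing.
# Test-InetpubFolder is a hypothetical helper name, not a Microsoft cmdlet.
function Test-InetpubFolder {
    param([string]$Path = (Join-Path $env:SystemDrive 'inetpub'))

    $result = [ordered]@{
        Path = $Path; Exists = $false; IsDirectory = $false
        IsReparsePoint = $false; LinkTarget = $null; Owner = $null
        BroadWriteAces = @(); Healthy = $false
    }

    # -Force so hidden or system items are still returned.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [pscustomobject]$result }   # folder was deleted

    $result.Exists         = $true
    $result.IsDirectory    = $item.PSIsContainer
    # A junction or symlink at this path means it resolves somewhere else.
    $result.IsReparsePoint = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
    $result.LinkTarget     = $item.Target

    $acl = Get-Acl -LiteralPath $Path
    $result.Owner = $acl.Owner

    # Assumption (not from the article): flag Allow ACEs that let broad groups
    # modify the folder. Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
    $broadSids   = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    $writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $result.BroadWriteAces = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadSids -contains $_.IdentityReference.Value -and
        [int]($_.FileSystemRights -band $writeRights) -ne 0
    } | ForEach-Object { '{0}: {1}' -f $_.IdentityReference.Value, $_.FileSystemRights })

    # Healthy = exists as a plain directory with no broad write access found.
    $result.Healthy = $result.IsDirectory -and -not $result.IsReparsePoint -and
                      $result.BroadWriteAces.Count -eq 0
    [pscustomobject]$result
}

Test-InetpubFolder | Format-List
```

If Healthy is False because the folder is missing or its ACL looks permissive, the remediation is the Set-InetpubFolderAcl script or the IIS install/uninstall route described above.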
The CVE-2025-21204 advisory has been updated to underscore this point: deleting C:\inetpub reopens a known vulnerability in Windows. While the folder may appear redundant, it serves as a crucial safeguard against attacks leveraging symbolic links to gain unauthorized access to protected resources.
The creation and hardening of this folder represent a broader architectural shift aimed at reducing the risk of privilege escalation and maintaining update integrity. Such changes are increasingly vital as attackers continue to exploit local system weaknesses with growing frequency and sophistication.