Deleted a folder — opened a vulnerability: Microsoft releases a “fix” for a Windows security hole
Where does the mysterious folder on drive C come from and what does it protect?
After the April 2025 Windows security updates, users noticed strange system behavior: an empty folder appeared at the root of the C drive called C:\inetpub, even on computers that had never installed the IIS web server. This sparked confusion and a wave of people deleting the “unnecessary” directory — which, as it turns out, opens up a serious vulnerability in the system.
Initially, Microsoft explained that the new folder was created as part of the fix for a privilege escalation issue (CVE-2025-21204) related to improper handling of symbolic links in the Windows update stack. The vulnerability allowed local users with low-level access to perform operations on system files with NT AUTHORITY\SYSTEM privileges — effectively with the highest rights in the system.
The inetpub folder is created automatically by the security update and is protected by special access rights. Even though it is empty, it plays a crucial role in safeguarding the system against bypassing the update mechanism via link substitution. Specialist Kevin Beaumont demonstrated that without proper protection, a regular user could create a symbolic link from C:\inetpub to any system object, thereby interfering with Windows Update.
However, many users considered the folder’s appearance a bug and deleted it, especially on machines without IIS. As a result, the vulnerability became relevant again. Microsoft explained that the folder could be manually restored by installing IIS through the standard Windows Control Panel (“Turn Windows features on or off”), which would recreate inetpub with the correct attributes. IIS could then be uninstalled, but the folder would remain — which is necessary for protection.
To simplify the task for administrators and reduce the risk of mistakes, Microsoft released a PowerShell script that restores the required attributes without the need to install and remove IIS. The script, Set-InetpubFolderAcl, sets the correct permissions for the inetpub folder and simultaneously updates the access control list (ACL) for the DeviceHealthAttestation directory — another component affected by the February 2025 update.
The script can be executed using the following commands:
The company emphasizes that the inetpub folder should remain on the system regardless of whether IIS is used. This is not a bug but a security measure that requires no additional action from end users or administrators.
Microsoft updated the CVE-2025-21204 advisory, once again strongly warning that deleting the C:\inetpub folder could lead to a vulnerability in Windows. Even if it seems unnecessary, it acts as a barrier against attacks that exploit symbolic links to gain access to protected resources.
The creation and protection of this folder are part of architectural changes aimed at reducing the risk of unauthorized privilege escalation and compromising update integrity. Such changes are especially important amid the growing number of attacks exploiting local weaknesses in system mechanisms.