The other day, I updated Windows, and now I have a new folder on my drive. The Windows April 2025 updates are creating an empty “inetpub” folder in the root directory of the C:\ drive.

Traditionally, Windows would create the “inetpub” folder when the Internet Information Services (IIS) — a web server platform to host websites, web applications, and services on Windows systems — was installed on the OS. The IIS is not installed by default, but can be optionally installed. IIS uses the C:\inetpub folder to store website content, logs, and other server-related files.
But, I Didn’t Install IIS!
Microsoft started creating the “inetpub” folder with the April updates, even on systems that do not have IIS installed. Microsoft is installing this on Windows 10 systems, too. It is not just a Windows 11 thing. In addition, the folder is owned by the SYSTEM account.
Safe To Delete?
A search on the internet turns up a lot of advice saying that it is safe to delete this folder. It is an empty folder after all.
However, in MSRC security update CVE-2025-21204, Microsoft added an FAQ that states:
“Does installing the Windows security updates that address this CVE cause a visible change on devices?”
“After installing the updates listed in the Security Updates table for your operating system, a new %systemdrive%\inetpub folder will be created on your device. This folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users.”
Do Not Delete!
In other words, Microsoft says don’t delete the empty “inetpub” folder. Of course, Microsoft’s “explanation” is no explanation at all. They did not go into detail on how the presence of an empty directory would “increase protection”.
The Bottom Line
In the April 2025 updates to Windows 10 and Windows 11, Microsoft creates the empty folder “inetpub” in the root directory with an owner of SYSTEM. Microsoft creates this folder even when Internet Information Services is not installed. Although the folder is empty, it should not be deleted since it will be used by Windows’ protection services.
Update 4/23/2025. Blogger Kevin Beaumont has found that the April update, which introduces the empty “inetpub” folder in the root directory of the C:\ drive, creates a symlink vulnerability. A user with access to the computer could create a symbolic link between the empty folder and a file (he uses notepad.exe). This introduces a denial-of-service vulnerability in the Windows servicing stack, allowing non-admin users to stop all future Windows security updates. Cyber criminals could use this vulnerability to attack the Windows system.
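A read-only check for the state described above (folder present, owned by SYSTEM, and a real directory rather than a link), as an added example that is not part of the original post or of Microsoft's guidance. It assumes PowerShell 5.1 or later, and the function name Test-InetpubFolder is hypothetical.

```powershell
# Added example: read-only audit of %SystemDrive%\inetpub. It changes nothing.
$systemSid = 'S-1-5-18'   # well-known SID of the SYSTEM (LocalSystem) account

function Test-InetpubFolder {
    param([string]$Path = (Join-Path $env:SystemDrive 'inetpub'))

    $findings = @()

    # -Force also returns hidden items; the item returned is the link itself, not its target.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        return "MISSING: $Path does not exist (deleted, or the update is not installed)"
    }

    # A junction or symbolic link carries the ReparsePoint attribute.
    if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        $findings += "LINK: $Path is a reparse point (LinkType=$($item.LinkType), Target=$($item.Target))"
    }
    if (-not $item.PSIsContainer) {
        $findings += "TYPE: $Path is a file, not a directory"
    }

    # Compare the owner by SID so the check does not depend on the display language.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) {
        $findings += "ACL: could not read the security descriptor of $Path"
    }
    else {
        $ownerSid = $acl.GetOwner([Security.Principal.SecurityIdentifier]).Value
        if ($ownerSid -ne $systemSid) {
            $findings += "OWNER: owner SID is $ownerSid, expected $systemSid (SYSTEM)"
        }
    }
    return $findings
}

# @() keeps the result an array even when there are zero or one findings.
$result = @(Test-InetpubFolder)
if ($result.Count -eq 0) {
    'OK: inetpub is a real directory owned by SYSTEM'
}
else {
    $result
}
```

A LINK or TYPE finding on a machine where nobody intentionally redirected the folder is worth investigating before the next update cycle.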
—
“Update 4/23/2025. Blogger Kevin Beaumont has found that the April update, which introduces the empty “inetpub” folder in the root directory of the C:\ drive, creates a symlink vulnerability…”
Just like Microsoft to put something out without testing and the exact repercussions of it. Wonder if their “do not delete” statement will now change?