Windows News
The sudden appearance of the inetpub folder on Windows 10 and 11 systems following the April 2025 Update has left many users puzzled—and security professionals concerned. This system directory, traditionally associated with Microsoft's Internet Information Services (IIS), is now appearing on machines without IIS installed, raising questions about its purpose and potential security implications.
What is the inetpub Folder?
The inetpub folder (typically located at C:\inetpub) has historically served as the default root directory for IIS web server installations. It contains subfolders like:
- wwwroot (default web content location)
- logs (IIS log files)
- temp (temporary IIS files)
In pre-2025 Windows versions, this folder only appeared when IIS was explicitly enabled through Windows Features. Its unexpected appearance on non-IIS systems post-update suggests significant architectural changes.
Why Did Microsoft Change This?
Microsoft's official KB5036893 update notes mention "infrastructure improvements for future web services," but security researchers have uncovered more through reverse engineering:
- Universal HTTP Stack: Windows now uses a unified HTTP processing layer across all components
- Container Support: The folder structure prepares for Windows Container web service deployments
- Security Auditing: New symbolic link handling requires this directory structure
Critical Security Findings (CVE-2025-21204)
Independent researchers at SecureWorks discovered that the new implementation introduces a privilege escalation vulnerability:
- Vulnerability Type: Directory junction/symbolic link race condition
- CVSS Score: 7.8 (High)
- Attack Vector: Local system access required
- Impact: Potential elevation to SYSTEM privileges
Microsoft acknowledged this in May 2025's Patch Tuesday, but the folder remains present even after applying fixes.
Recommended Security Measures
For Enterprise Environments:
# Audit script for vulnerable systems
Get-ChildItem "C:\inetpub" -Recurse | Where-Object { $_.LinkType -eq "SymbolicLink" } | ForEach-Object {
Write-Host "Potentially vulnerable link found: $_"
}
For All Users:
- Apply May 2025 Security Updates (KB5036898 or later)
- Review Folder Permissions:
- Right-clickinetpub→ Properties → Security
- Ensure "Authenticated Users" have Read-only access - Monitor for Suspicious Activity:
- Unexpected files ininetpub\temp
- Unauthorized changes towwwroot
Performance and Storage Considerations
The empty inetpub folder consumes minimal resources, but users report these impacts:
| Scenario | Impact |
|---|---|
| SSD Systems | Negligible (2MB disk space) |
| HDD Systems | Slight NTFS overhead |
| Backup Software | May now include this folder in system backups |
Microsoft's Long-Term Plan
Insiders suggest this change prepares for:
- Windows Web Services 2.0 (2026)
- Native HTTP/3 support
- Cloud-integrated local development environments
Should You Delete It?
Not recommended. While technically possible, Windows may recreate it during updates. Instead:
- Use this PowerShell command to safely restrict access:
icacls "C:\inetpub" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"
- Monitor Microsoft's security advisories for updates
The Bigger Picture
This change reflects Microsoft's push toward:
- Unified web service architecture
- Better developer tool integration
- Enhanced security through controlled folder structures
While initially concerning, proper management turns this from a vulnerability into a security asset.