Introduction

In April 2025, following a cumulative Windows 11 update, a mysterious new folder, named "inetpub", appeared unexpectedly at the root of the system drive on virtually all Windows 11 devices—including those that do not have Microsoft's Internet Information Services (IIS) enabled. While the folder’s sudden ubiquity puzzled many users and IT professionals, it was later revealed to be a deliberate element of a security patch designed to address a severe vulnerability related to symbolic link attacks within the Windows Update servicing stack.

However, this update-created folder also introduced an ironic security vulnerability exploitable even by non-administrative users, creating a nuanced risk landscape for system administrators and end users alike. This article delves into the background, technical details, implications, and practical mitigation strategies concerning the inetpub folder in Windows 11.


Background: What Is the Inetpub Folder?

Historically, the inetpub folder is the default directory used by Microsoft's IIS web server to store websites, logs, scripts, and server content. It is typically present only on systems where IIS is installed and enabled.

Beginning with the April 2025 cumulative update (notably KB5055523), Windows 11 now automatically creates an empty inetpub folder in the root directory of the system drive (usually C:\) on all systems, regardless of whether IIS is installed or running. This move surprised many, leading to questions about the folder's purpose on machines unrelated to IIS.

Microsoft clarified that this folder serves as a hardened "safe zone" container. It plays a critical role in mitigating a symbolic link vulnerability, tracked as CVE-2025-21204, which involved improper symbolic link resolution in the update process. By introducing this folder with strict system-level permissions, Microsoft sought to neutralize opportunities for local attackers to redirect Windows Update operations through malicious symbolic links, a serious security flaw that could enable privilege escalation or unauthorized file modifications.


Technical Details: The Vulnerability and How It Exploits Inetpub

  • Symbolic Links (Symlinks) are shortcuts or pointers within the file system that redirect file or folder access to different locations.
  • Directory Junctions are an NTFS reparse-point type, closely related to symbolic links, that link a directory to another location.

Vulnerability Explained

Security researcher Kevin Beaumont uncovered that while the inetpub folder is meant to be a secure container:

  • The Windows Servicing Stack, which runs with SYSTEM privileges and handles updates, assumes the inetpub folder is a trusted directory but does not verify whether it is a real folder or a symbolic link/reparse point, nor does it check ownership.

This trust flaw allows any local user, even without admin rights, to replace the real inetpub folder with a directory junction pointing elsewhere, for example, to a critical system executable like Notepad.

Once such a junction is in place, the servicing stack might write or attempt to stage update files to an unintended location. This misdirection causes Windows Update to fail or roll back, potentially locking the system out of future updates, which is a denial-of-service condition.

Security Impact

  • This allows non-admin users to sabotage Windows Update processes, which amounts to a local denial-of-service attack.
  • It increases exposure risks by potentially preventing critical security patches from installing.

Why Not Delete the Inetpub Folder?

Due to confusion around its presence and emptiness, users sometimes consider deleting the inetpub folder. However:

  • Microsoft explicitly warns against deleting the inetpub folder.
  • Deletion disables the symbolic link exploit mitigation, re-exposing systems to CVE-2025-21204.
  • Removal compromises the update servicing stack’s security mechanisms.

If the folder is deleted accidentally, Microsoft recommends:

  1. Reinstalling the affected update.
  2. Or temporarily enabling IIS via Windows Features, which recreates the inetpub folder with proper permissions, then disabling IIS without deleting the folder.

How to Mitigate the Vulnerability Manually

While awaiting an official Microsoft patch, system administrators can manually harden the inetpub folder's permissions to prevent unauthorized symbolic link manipulation:

  1. Right-click the inetpub folder and select Properties.
  2. Go to the Security tab and click Advanced.
  3. Disable inheritance and remove all inherited permissions.
  4. Add SYSTEM and NT SERVICE\TrustedInstaller explicitly with Full Control.
  5. Remove all write or delete permissions for all other users, including local admins.

This approach blocks non-system users from creating harmful directory junctions, preserving update integrity without disrupting system operations.
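
The same checks and manual steps expressed as a PowerShell script; this is an added example, not Microsoft's or the researcher's code. It assumes an elevated session that is allowed to change the folder's ACL, the folder at %SystemDrive%\inetpub, and that SYSTEM and TrustedInstaller are the expected owners (an assumption made for this example).

```powershell
# Added example: audit the inetpub folder, then apply the manual hardening steps.
# Run from an elevated PowerShell session.
$path = "$env:SystemDrive\inetpub"            # assumed location: root of the system drive
$item = Get-Item -LiteralPath $path -Force -ErrorAction Stop

# Check 1: the folder must be a real directory, not a junction or symlink.
if ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
    Write-Warning "$path is a reparse point ($($item.LinkType)) -> $($item.Target)"
    Write-Warning 'Restore the real folder (reinstall the update) before hardening.'
    return
}
if (-not $item.PSIsContainer) {
    Write-Warning "$path exists but is not a directory."
    return
}

# Check 2: flag an unexpected owner. The list of trusted owners is an
# assumption of this example; adjust it to your environment.
$trusted = 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller'
$owner = (Get-Acl -LiteralPath $path).Owner
if ($owner -notin $trusted) {
    Write-Warning "Unexpected owner on ${path}: $owner"
}

# Steps 3-5: build a fresh, protected DACL that contains only the two
# trusted principals. A new object is used (instead of editing the current
# ACL) so that only the DACL is written and the owner is left untouched.
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited ACEs
foreach ($identity in $trusted) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity,
        'FullControl',
        'ContainerInherit,ObjectInherit',     # apply to subfolders and files
        'None',
        'Allow')
    $acl.AddAccessRule($rule)
}

# Show what will be applied, then write it to the folder.
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType
Set-Acl -LiteralPath $path -AclObject $acl
Write-Output "Hardened ACL applied to $path"
```

After this runs, other accounts (including local administrators) hold no entries on the folder, so reviewing the ACL later may require running as SYSTEM or using the Security tab with elevation.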


Broader Implications and Lessons

This unusual case underscores several important themes in modern Windows security:

  • Modern OS updates embed complex and sometimes opaque protections that are essential yet unfamiliar to everyday users.
  • Leveraging legacy directories like inetpub as security "anchors" shows how Microsoft innovatively repurposes existing structures in defense.
  • The attack surface of local non-admin users is underestimated; minimal privilege users can cause significant harm if safeguards are incomplete.
  • User caution is critical: tampering with unexpected new system folders can undermine key security patches.

Conclusion

Windows 11’s hidden inetpub folder exemplifies the evolving complexity of securing modern operating systems. Introduced as a security control against a symbolic link vulnerability, it paradoxically opens a new attack vector when exploited by local users—demonstrating the delicate balance between innovation and security risks.

System administrators and users should heed Microsoft’s warnings, preserve the inetpub folder, and apply manual permission hardening as a temporary fix. Vigilant patch management and awareness of subtle security design actions will remain essential to safeguarding Windows environments going forward.