Microsoft has now confirmed that an April 2025 Windows security update is creating a new empty “inetpub” folder and warned users not to delete it.
This folder is typically used by Microsoft’s Internet Information Services (IIS), a web server platform that can be enabled via the Windows Features dialog to host websites and web apps.
However, after installing this month’s cumulative updates, many Windows users have found a newly created C:\inetpub folder on their systems, although IIS wasn’t installed during the process.
BleepingComputer has confirmed this behavior on our Windows 11 and Windows 10 systems and discovered that the cumulative update creates the folder using the SYSTEM account.
Even though deleting the folder did not cause issues using Windows in our tests, Microsoft told BleepingComputer on Thursday that this empty folder had been intentionally created and should not be removed.
However, according to user reports, the April cumulative updates will fail to install if the C:\inetpub directory is created before update deployment.
Users warned not to remove the new folder
While Redmond still has to explain why the security updates are creating this folder in the first place, the company updated the advisory for a Windows Process Activation elevation of privilege vulnerability (tracked as CVE-2025-21204) overnight to warn users not to delete the new empty inetpub folder on their hard drives.
“After installing the updates listed in the Security Updates table for your operating system, a new %systemdrive%\inetpub folder will be created on your device,” Microsoft says.
“This folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users.”
The CVE-2025-21204 security flaw is caused by an improper link resolution issue before file access (‘link following’) in the Windows Update Stack which likely means that, on unpatched devices, Windows Update may follow symbolic links in a way that can let local attackers trick the system into accessing or modifying unintended files or folders.
The company warns that successful exploitation can let local attackers with low privileges escalate permissions and “perform and/or manipulate file management operations on the victim machine in the context of the NT AUTHORITYSYSTEM account.”
How to recreate the C:\inetpub folder
For those who deleted the inetpub folder, you can recreate it by going into the Windows “Turn Windows Features on or off” control panel and installing Internet Information Services.
Once installed, a new inetpub folder will be created in the root of the C: drive, this time with files in it. However, it will have the same SYSTEM ownership as the folder created by the recent Windows security update.
If you do not use IIS, you can uninstall it again through the same Windows Features control panel and reboot your computer when prompted.
This will remove the software but leave the C:\inetpub folder behind.
Microsoft has confirmed that this method will recreate the folder with the same protections.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
