
Don't delete that mystery empty folder. Windows put it there as a security fix

(2025/04/15)


Canny Windows users who've spotted a mysterious folder on hard drives after applying last week's security patches for the operating system can rest assured – it's perfectly benign. In fact, it's recommended you leave the directory there.

The folder, typically C:\inetpub, is empty and related to Microsoft's Internet Information Services (IIS). It will be created when you install the security patches whether or not you're using that optional web server. The purpose of the folder is to mitigate an exploitable elevation-of-privileges flaw within Windows Process Activation, classified as CVE-2025-21204.

That CVE, which can give malware on a system or a rogue user system-level file-management privileges, was fixed in the [1]April Patch Tuesday batch from the Windows maker; installing the fix on Windows 11 and 10 will create the directory as additional protection, we're told.


"After installing the updates listed in the security updates table for your operating system, a new %systemdrive%\inetpub folder will be created on your device," [3]advised Microsoft.


"This folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users."


The inetpub folder isn't a new concept – administrators running IIS will have seen it for years. It's used to store the web server's script files, site content, and other bits and pieces. In the case of CVE-2025-21204, the folder is created with [9]read-only SYSTEM-level access to block some form of privilege-escalation exploitation that hasn't been publicly disclosed.

It's important to note that the folder will appear even if you haven't installed IIS, which isn't included by default in Windows 10 and 11. So it's best to just leave it alone. It's there to thwart a potential future attack, according to Microsoft. There is no known exploitation of CVE-2025-21204 in the wild, nor any exploit code being publicly shared.

If you have deleted it after applying the patch, there's a fix. Go to the Windows Control Panel and open Programs and Features. On the left you'll see "Turn Windows features on or off." Scroll down until you find IIS and hit "OK" after highlighting it. The folder will be recreated with the correct SYSTEM-level permissions. You can then switch off IIS and restart. (No one uses IIS these days.)


Or create the folder by hand with read-only access and SYSTEM-level ownership. ®
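To confirm the folder is in the state described above (present, owned by SYSTEM, not writable by ordinary accounts), here is an added audit sketch that is not from Microsoft or the original article. The function name `Test-InetpubFolder`, the list of trusted principals and the choice of which rights count as "write" are assumptions made for this example.

```powershell
# Added example: audit %SystemDrive%\inetpub after the April 2025 updates.
# Assumption: only these principals are expected to hold write-class rights.
$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# Rights that let a principal create, delete or re-permission content,
# plus the raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000

function Test-InetpubFolder {
    param([string]$Path = (Join-Path $env:SystemDrive 'inetpub'))

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        # Missing folder: restore it using the steps in the article.
        return [pscustomobject]@{
            Path = $Path; Exists = $false; OwnerIsSystem = $false; UnexpectedWriters = @()
        }
    }

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl     = Get-Acl -LiteralPath $Path
    $owner   = $acl.GetOwner($sidType).Value   # compare SIDs, not localized names

    $writers = foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries apply to children, not to the folder itself.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($trustedSids -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights) -band $writeMask) {
            '{0} ({1})' -f $ace.IdentityReference.Value, $ace.FileSystemRights
        }
    }

    [pscustomobject]@{
        Path              = $Path
        Exists            = $true
        OwnerIsSystem     = ($owner -eq 'S-1-5-18')
        UnexpectedWriters = @($writers)
    }
}

Test-InetpubFolder | Format-List
```

A result with `Exists` false, `OwnerIsSystem` false, or a non-empty `UnexpectedWriters` list means the folder is not in the state the article describes and should be recreated as set out above.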




[1] https://www.theregister.com/2025/04/08/patch_tuesday_microsoft/


[3] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204



[9] https://www.malwarebytes.com/blog/news/2025/04/no-its-not-ok-to-delete-that-new-inetpub-folder




Wow....

IGotOut

...is that how bad the CoPilot Interns code now?

"Do we fix the root cause?"

"Nah just change the folder to read only".

This is the sort of bodge I was doing as a first line support "tech" to prevent sneakernet viruses 30 years ago.

Re: Wow....

David 132

Yep.

Reading between the lines, my guess is that the vulnerability in question creates some \inetpub\subdirectory\file with normal user privs, which is then picked up as a default ("index.htm"?) by some Windows component or other that still has hooks to IIS coded into it and executed with elevated privs. So creating the root-level folder with SYSTEM ownership and read-only access prevents that file-write.

But I could be way off track, of course.

For what it's worth, I have here a fully-patched Lenovo 12th-gen Core i7 Thinkpad running 24H2 and it doesn't have the folder. So... *shrug*

Anonymous Coward

So, what can I add to this folder to make copilot die? Or make other applications die?

NapTime ForTruth

Pretty sure the answer to your question is either "sand" or "cheese"; "bits of metal" or "magnets" might also work.

"Do Not Enter" or "DieDieDie" tags are also authoritative by default, but not in real life or anywhere else.

To teach is to learn.