After installing the April 2025 Windows update, many users noticed a new `C:\inetpub` folder, even if IIS (Internet Information Services) wasn’t installed. At first glance, it looks like a leftover or mistake — but it’s actually intentional.
Why is it there?
Microsoft added this folder as a temporary workaround to mitigate a serious privilege escalation vulnerability (CVE-2025-21204) that could let attackers gain SYSTEM-level access.
What should you do?
- Do NOT delete the `inetpub` folder.
- If you insist on removing it, at least deny write access to the system root (`C:\`) to avoid security risks.
- If the folder already existed before the update, the patch may fail to install.
This isn’t an IIS issue. It’s a clever (but quiet) trick by Microsoft to block exploits before a proper patch is fully rolled out.
More info: Microsoft Security Advisory
You Should Know:
1. Verify the Folder’s Integrity
Check if the folder was created by the update:
Get-Item C:\inetpub -Force | Select-Object Name, CreationTime
2. Restrict Unauthorized Access
Deny write permissions to prevent misuse. Note that a deny entry for Everyone also applies to SYSTEM and administrators:
icacls C:\inetpub /deny Everyone:(OI)(CI)(W)
3. Check for Failed Updates
If the update failed due to an existing `inetpub` folder, remove the failed package first so it can be reapplied:
wusa /uninstall /kb:500XXXX /quiet /norestart
(Replace `500XXXX` with the actual KB number.)
4. Monitor for Exploits
Use Windows Event Viewer to track suspicious activity:
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4688]]" | Where-Object { $_.Message -like "*inetpub*" }
5. Alternative Workaround (Advanced Users)
If you must remove the folder, create a directory junction to a restricted location:
rmdir /s /q C:\inetpub
mklink /J C:\inetpub C:\Windows\Temp\RestrictedFolder
6. Validate System Stability
After changes, ensure critical services are running:
Get-Service | Where-Object { $_.StartType -eq "Automatic" -and $_.Status -ne "Running" } | Restart-Service -Force
What Undercode Say:
Microsoft’s silent deployment of `C:\inetpub` highlights how security patches often involve unconventional fixes. While some admins may panic, understanding the context prevents unnecessary risks.
Key Takeaways:
- Never delete system folders without investigation.
- Audit permissions regularly (`icacls`, `Get-Acl`).
- Monitor logs (Event Viewer, SIEM tools).
- Use PowerShell for automation (`Get-WinEvent`, `Get-Service`).
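A read-only way to run the integrity and permission checks from steps 1, 2 and 5 in one pass, as an added example that is not from the original post or from Microsoft: it reports the folder's creation time, owner, whether the path has become a junction, and which identities can write to it. The function name `Test-InetpubFolder` and the list of SIDs treated as expected writers are assumptions.

```powershell
# Added example: read-only audit of C:\inetpub. It changes nothing on the system.
function Test-InetpubFolder {
    param([string]$Path = 'C:\inetpub')

    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }

    # Assumption: only these well-known SIDs are expected to hold write access
    # (SYSTEM, BUILTIN\Administrators, NT SERVICE\TrustedInstaller).
    $expected = @(
        'S-1-5-18',
        'S-1-5-32-544',
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    )

    # Specific rights that allow creating, changing or deleting content, or
    # rewriting the ACL. ACEs that carry only generic rights (usually
    # inherit-only entries such as CREATOR OWNER) are not decoded here.
    $writeMask = [System.Security.AccessControl.FileSystemRights](
        'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ' +
        'ChangePermissions, TakeOwnership')

    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    $writers = foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band $writeMask) -and
            $ace.IdentityReference.Value -notin $expected) {
            '{0} ({1})' -f $ace.IdentityReference.Value, $ace.FileSystemRights
        }
    }

    [pscustomobject]@{
        Path              = $Path
        Exists            = $true
        CreationTime      = $item.CreationTime
        # True when the path is a junction or symlink rather than a real folder.
        IsReparsePoint    = [bool]($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint)
        LinkType          = $item.LinkType
        Owner             = $acl.Owner
        UnexpectedWriters = @($writers)
    }
}

Test-InetpubFolder | Format-List
```

An empty `UnexpectedWriters` list together with `IsReparsePoint : False` means the folder is a real directory that only the assumed-trusted identities can modify.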
Additional Commands for Security Checks:
Check for suspicious processes accessing inetpub
Get-Process | Where-Object { $_.Path -like "*\inetpub\*" } | Stop-Process -Force
Verify update history
Get-HotFix | Sort-Object InstalledOn -Descending
Scan for malware in system directories
Start-MpScan -ScanPath C:\inetpub -ScanType CustomScan
Expected Output:
A secure system where `C:\inetpub` remains intact, permissions are restricted, and logs are monitored for anomalies.
References:
Reported By: Phuong Nguyen – Hackers Feeds



