Remember the odd inetpub folder that seemingly randomly appeared on people’s root drives after installing a Windows 11 update? Everybody assumed it was something left over from an update script, and that the folder was safe to remove. Well, it turns out that’s not the case, as the empty folder is actually a crucial part of a security fix for a serious vulnerability.
Initially undocumented in the official release notes, the empty and seemingly inactive inetpub folder led to user speculation about whether it was a leftover artifact from development or a bug. Microsoft has since clarified that the folder is intentional and part of a critical security improvement. The change addresses CVE-2025-21204, a vulnerability that allowed local attackers to exploit symbolic link (symlink) attacks via Windows Update, potentially granting unauthorized access to protected system files or directories. As part of the fix, the system pre-creates certain directories — including C:\inetpub — to harden the update process and mitigate such attacks.
↫ Cyberdom
If you’ve already removed the folder, you can reinstall the April 2025 cumulative update to restore the folder, or you can wait for next month’s update roll-up, which will also restore the folder.
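The check below is an added example, not code from the article or from Microsoft. It reports whether C:\inetpub is present and is a real directory rather than a junction or symbolic link, since the fix works by having a directory already occupy that path. The function name Test-PreCreatedFolder and the verdict strings are made up for this illustration; the script only reads and changes nothing.

```powershell
# Added example: read-only audit of the folder the update pre-creates.
function Test-PreCreatedFolder {
    param(
        # Default path is the one named in the article.
        [string]$Path = 'C:\inetpub'
    )

    $result = [ordered]@{
        Path           = $Path
        Exists         = $false
        IsDirectory    = $false
        IsReparsePoint = $false
        LinkType       = $null
        Owner          = $null
        Verdict        = 'Missing'   # hypothetical labels, not Microsoft's
    }

    # -Force finds the folder even if Hidden/System attributes were set on it.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $result.Exists      = $true
        $result.IsDirectory = $item.PSIsContainer
        # Junctions and directory symlinks both carry the ReparsePoint attribute.
        $result.IsReparsePoint = $item.Attributes.HasFlag([System.IO.FileAttributes]::ReparsePoint)
        $result.LinkType = $item.LinkType   # 'Junction', 'SymbolicLink' or empty
        # Owner is reported for review only; no expected value is assumed here.
        $result.Owner = (Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue).Owner

        if (-not $result.IsDirectory) {
            $result.Verdict = 'NotADirectory'
        } elseif ($result.IsReparsePoint) {
            $result.Verdict = 'IsLink'
        } else {
            $result.Verdict = 'RealDirectory'
        }
    }
    [pscustomobject]$result
}

Test-PreCreatedFolder | Format-List
```

A verdict of Missing matches the case described above, where the folder was removed and the April 2025 cumulative update or next month’s roll-up restores it.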
This lone, empty folder at your Windows PC’s root is apparently a crucial part of the security of your computer, but since it took Microsoft a while to publish release notes, nobody knew where it was coming from. The idea that a random, empty folder usually associated with IIS could be part of a vulnerability mitigation didn’t cross anybody’s mind at the time, especially since random folders appearing at a Windows PC’s root aren’t exactly uncommon or out of the ordinary.
The consensus seems to be that creating this folder is a pretty clever form of mitigation, despite feeling so hacky. I’m assuming Microsoft’s engineers are capable, and that making the folder in question impossible to delete or somehow hidden is simply not an option and would break the vulnerability mitigation, but that doesn’t change the fact that this looks like a really crude hack that should be solved in a more elegant way.
Has Windows reached a point where “elegant” solutions are no longer possible? Is it just too messy and unwieldy and frankensteined to be properly fixed? And is THIS the best they can do?
If so, yechh.
Windows was never in a position where “elegant” solutions were possible. In fact all other systems (ChromeOS, macOS, some Linux) have only started gaining traction when Microsoft lost its religion: https://www.joelonsoftware.com/2004/06/13/how-microsoft-lost-the-api-war/
After the spectacular loss of the mobile market, Microsoft went back to it, more or less, and it’s unlikely that it would decide to go back to “elegant” solutions.
Interesting article: Thanks!!
This would drive me batty if I hadn’t already decided that I’ll stop adding to my stable of older PCs at Windows 7.
I’m the kind of person who would use a sandbox like Firejail purely to force the issue on a badly ported game’s attempts to put its un-hideable clutter in my homedir.
Seems to be a hack job that blocks the exploit from working. This might be an interim workaround while they work on a more permanent solution, but they really should be addressing the root cause so the hack doesn’t need to become a permanent feature of Windows.
New exploit:
Step 1 – Look for inetpub folder in root directory
Step 2 – Delete inetpub folder in root directory
Step 3 – Proceed with prior exploit
It’s a good thing that the malware writers aren’t smart enough to figure this out!!
Simple fix to hide it in Explorer: Open a Terminal window as Administrator and then type:
cd /
attrib +h +s inetpub
Why MS couldn’t have done this in the first place is beyond me.
I’m aligned with this snippet of Thom’s post:
If I’m not allowed to delete it without breaking the mitigation? Why would it be any safer to hide it when the Microsoft devs didn’t?
ssokolow (Hey, OSNews, U2F/WebAuthn is broken on Firefox!),
The mitigation would probably still work just as well if it were hidden because a hidden directory would still displace a symbolic link. But I’m still of the opinion that this should only be considered a temporary hack and that hopefully MS fixes the components responsible going forward. Otherwise Windows will end up with more vestigial crap that makes no sense to future generations, yet users will have to accept it just because.
I can imagine that some engineers at Microsoft are arguing with managers to fix things the right way, whereas management is pressuring them to produce a quick and dirty hack even if it results in Windows becoming more obtuse with time. There are so many examples of this in Windows.
Probably …but then why didn’t they make it hidden? Assuming it does work just as well, that’d be safer since users who don’t know why it’s there would be less likely to delete it.
ssokolow (Hey, OSNews, U2F/WebAuthn is broken on Firefox!),
You could but Inetpub was never meant to be hidden. Obviously you’re right that making it hidden would make it less noticeable for people who don’t use IIS, but it also means they’d have to go update more software to conditionally hide/unhide the directory, which seems like a bigger can of worms to me. In any case I’m hoping this is only a temporary hack and not a permanent one.
“…hopefully MS fixes the components responsible going forward.”
Do you really think they will, or is this “Meh, fixed enough. Now do something that Makes Money!”
JohnnyS777,
I don’t know, I haven’t seen Microsoft make a statement about it. Windows carries a lot of legacy baggage even though it hasn’t always been “forced”. We’ll have to wait and see if this ends up being permanent baggage and future generations will be instructed to keep an empty directory there just because.
Hahahahaha you’re killing me. You must be new to computers. For close to forty years now Microsoft has put out a virus/trojan delivery system masquerading as an operating system. For anyone to expect they have one single clue on how to do anything properly let alone security fixes is just beyond belief. As is the idea that people will give them clowns one single cent of money to pay for this trash to be on their computer, let alone use it for anything important. With nothing but exploit after exploit continuously happening like clockwork with that garbage they produce. Quite frankly Windows users deserve everything they get.
Except it appears they have screwed up as it opens another security vulnerability:
https://doublepulsar.com/microsofts-patch-for-cve-2025-21204-symlink-vulnerability-introduces-another-symlink-vulnerability-9ea085537741
sloth,
It’s not a bug, it’s a feature to let users override forced MS updates 🙂