If you’ve recently installed the April 2025 Patch Tuesday update on your Windows 10 or 11 system and noticed a new, empty folder called C:\inetpub, don’t panic — and definitely don’t delete it.
What’s the inetpub Folder?
The folder is associated with Internet Information Services (IIS), Microsoft’s built-in web server. While most regular users don’t use IIS, the folder has been intentionally created after the update to fix a security vulnerability: CVE-2025-21204.
This flaw could let malware or rogue users gain system-level privileges via Windows Process Activation. The folder acts as a protective measure, created with read-only SYSTEM-level access to prevent potential privilege-escalation exploits.
Even If You Don’t Use IIS…
…the folder will still be created. IIS isn’t installed by default on Windows 10 or 11, but Microsoft recommends not deleting the folder, regardless of whether IIS is active on your device.
In short, it’s part of a silent security patch meant to improve system resilience. No action is needed from IT admins or users.
Accidentally Deleted It? Here’s the Fix
If you’ve already removed the folder:
- Go to Control Panel > Programs and Features
- Click “Turn Windows features on or off”
- Enable Internet Information Services (IIS)
- Click OK — the folder will be recreated
- You can then disable IIS again and restart
No Exploits in the Wild Yet
There are no active exploits or publicly shared code using CVE-2025-21204 yet. But the folder is a proactive measure from Microsoft to close potential future attack vectors.
