Microsoft Warns Millions Of Windows Users To Never Delete This Folder
Another day means another Windows update, and this time it comes with a warning from Microsoft. You may have noticed a new folder in your root C:\ folder after applying the latest cumulative update for April 2025. Furthermore, you may have been tempted to delete it after discovering that it's an empty folder. Word to the wise: leave it be because it's a feature, not a bug.
The folder in question is labeled "inetpub" and it gets plopped onto your root partition after applying the newest update for Windows. For most folks, that's going to be the C:\ folder, though the location may vary depending on how you have your Windows 11 PC set up (or Windows 10, if you haven't trashed it per Microsoft's advice). Regardless, it needs to remain on your drive or you could open yourself up to a security vulnerability related to CVE-2025-21204.
Microsoft even chose to bold the text to underscore the importance of leaving the folder intact. Curiously enough, the warning only came after users noticed the unexpected folder addition, leading to confusion. According to WindowsLatest, which spotted the quiet creation of the new folder, users initially assumed it was a bug since it appeared as an empty folder. Nope.
The folder is actually used to manage Internet Information Services (IIS) logs during web app and app development. Microsoft's documentation on the feature explains that it can balloon in size over time, and even "fill up an entire hard drive." There are mitigations if this happens, such as enabling folder encryption. But given that it presents a security risk if you delete it, even when the folder is empty, Microsoft really should have made a bigger effort to get the word out. Even an FAQ entry after the fact feels a little lazy—this is the type of thing that should warrant a blog post.
What's at stake is an elevation of privilege vulnerability. According to CVE-2025-21204, an attacker who exploits the vulnerability "gains the ability to perform and/or manipulate file management operations on the victim machine in the context of the NT AUTHORITY\SYSTEM account." In other words, a hacker could bamboozle a compromised system into giving them the ability to alter files and folders, which is obviously not a good thing.
What if you already deleted the inetpub folder? Microsoft says you need to recreate it through the Control Panel. The easiest way to do this is to type Windows Features in the taskbar's search box and select Turn Windows features on or off. Once in there, check the Internet Information Services box, which will recreate the inetpub folder on your root partition.
Going this route will result in there being files inside the inetpub box instead of it being empty. However, if you don't use IIS, you can go back into the Windows Features section and uncheck the box, then reboot your PC. The inetpub folder will remain, but it will be empty again (and your PC will still be secure against the aforementioned vulnerability).
Why exactly does the folder need to be there? That's a great question, and one that Microsoft has not yet answered. However, if you deleted the folder, you need to follow the above steps in order to restore it with the same security protections intact.
