Microsoft Releases Script for Restoring Critical inetpub Folder


Microsoft has introduced a PowerShell script to facilitate the restoration of the ‘inetpub’ folder, which was unintentionally created by the April 2025 Windows security updates, should it be deleted. This folder plays a critical role in mitigating a high-severity privilege escalation vulnerability associated with the Windows Process Activation service.

In April, after the implementation of the security updates, Windows users noticed the emergence of an empty C:\Inetpub folder, a component linked to Microsoft’s Internet Information Services (IIS). The creation of this directory was confusing for users whose systems did not have IIS installed, leading to its unwarranted deletion and subsequent exposure to the vulnerabilities that the updates sought to address. Microsoft has advised that users who mistakenly removed this folder can restore it by enabling Internet Information Services through the “Turn Windows Features on or off” settings in Windows.

Upon installing IIS, a new inetpub folder will be established at the root of the C: drive, complete with the necessary files and system ownership attributes akin to those generated by the April security updates. Furthermore, users not utilizing IIS have the option to uninstall it via the same Feature control panel while retaining the C:\inetpub folder.

In conjunction with a recent update to the CVE-2025-21204 advisory, Microsoft has disseminated a remediation PowerShell script that assists administrators in recreating the inetpub folder through a PowerShell shell with the following commands:


Install-Script -Name Set-InetpubFolderAcl

C:\Program` Files\WindowsPowerShell\Scripts\Set-InetpubFolderAcl.ps1

This script is designed to configure the proper IIS permissions, effectively curbing unauthorized access and mitigating the vulnerabilities linked to CVE-2025-21204. Additionally, it will adjust the access control list (ACL) entries for the DeviceHealthAttestation directory on Windows Server systems, ensuring its security if established by the February 2025 security updates.

The vulnerability addressed by this inetpub folder (CVE-2025-21204) stems from an incorrect link resolution issue within the Windows Update Stack. This flaw may permit Windows Update to traverse symbolic links on unpatched devices, potentially allowing local attackers to manipulate or access unintended files or directories. Successful exploitation can enable attackers with low privileges to escalate their permissions, enabling them to conduct file management operations at the NT AUTHORITY\SYSTEM account level.

While the removal of the folder did not result in operational failures during testing, Microsoft has reiterated that it was intentionally created and should not be removed. In an updated advisory regarding CVE-2025-21204, users are explicitly cautioned against deleting the empty %systemdrive%\inetpub folder.

Microsoft’s directive emphasizes that this folder must not be deleted, irrespective of whether IIS is active on the device. This measure enhances system protection and necessitates no action from IT administrators or end users. Additionally, cybersecurity experts have highlighted that non-admin users can misuse this folder to obstruct Windows updates by creating a junction between C:\inetpub and any Windows file.
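
For administrators who want to confirm the state of the folder before or after remediation, the following read-only check is an added example and is not Microsoft's Set-InetpubFolderAcl script. The function name Test-InetpubFolder and the health criteria (a real directory rather than a junction, owned by SYSTEM or TrustedInstaller, with no write access for broad user groups) are assumptions made for illustration.

```powershell
# Added example: read-only audit of %SystemDrive%\inetpub. Makes no changes.
# Assumption: a healthy folder is a real directory (not a junction/symlink)
# owned by SYSTEM or TrustedInstaller, with no write access for ordinary users.
function Test-InetpubFolder {
    param([string]$Path = (Join-Path $env:SystemDrive 'inetpub'))
    $result = [ordered]@{
        Path = $Path; Exists = $false; IsReparsePoint = $null
        LinkType = $null; OwnerSid = $null; OwnerTrusted = $null
        WritableBy = @(); Healthy = $false
    }

    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item -or -not $item.PSIsContainer) { return [pscustomobject]$result }
    $result.Exists = $true

    # A junction or symlink at this path is the redirection the article warns about.
    $result.IsReparsePoint = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
    $result.LinkType = $item.LinkType

    $acl = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $result.OwnerSid = $acl.GetOwner($sidType).Value

    # Well-known SIDs: LocalSystem and the TrustedInstaller service.
    $trustedOwners = @(
        'S-1-5-18',
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    )
    $result.OwnerTrusted = $trustedOwners -contains $result.OwnerSid

    # Flag allow-ACEs that let broad, low-privilege groups change the folder:
    # Everyone, Authenticated Users, BUILTIN\Users.
    $broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $result.WritableBy = @(
        $acl.GetAccessRules($true, $true, $sidType) |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $broadSids -contains $_.IdentityReference.Value -and
                ($_.FileSystemRights -band $writeMask)
            } | ForEach-Object { $_.IdentityReference.Value }
    )

    $result.Healthy = (-not $result.IsReparsePoint) -and $result.OwnerTrusted -and
                      ($result.WritableBy.Count -eq 0)
    [pscustomobject]$result
}
Test-InetpubFolder | Format-List
```

A result with Exists set to False indicates the folder needs to be restored by one of the methods described above; IsReparsePoint set to True means the path is a link rather than a directory and should be investigated.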