News wires are abuzz with stories that after you install this Tuesday’s Microsoft updates (the April 2025 Patch Tuesday security fixes), you end up with a weird directory (or folder, if you prefer), at the top level of the C: drive, called C:\INETPUB.
If you’ve ever used Microsoft’s old-school web server IIS, short for Internet Information Services, you’ll recognize that directory name as the starting point for the web server’s files.
Anyone who isn’t running IIS on their computer, which is probably just about everyone these days, might well be surprised to see this directory suddenly show up, but early reports said that:
So far, so good, if not entirely perfect.
But just as the story started to calm down, several influential social media commentators put out posts suggesting that if the C:\INETPUB directory already existed before you updated, then the update would fail.
This, they suggested, was a potentially dangerous security hole.
Any user can create such a directory, whether they’re an administrator or not, and therefore any user (or any unprivileged malware running on your computer, even if it only runs for an instant), could trivially and deliberately put you in harm’s way by blocking your security patches.
As far as we can see, however, this rumor is untrue, and was started by a well-meaning influencer who noticed that updates broke when the offending directory existed, and wrongly assumed that the directory was the cause of the problem.
Apparently, that assumption was wrong: the update, it seems, broke for a reason unrelated to the presence of C:\INETPUB.
Stand down from blue alert!
We applied the update twice to a bog-standard installation of Windows 11 Enterprise, once with, and once without, the presence of a directory called C:\INETPUB.
The update completed successfully both times.
To be clear, a directory called C:\INETPUB turned up after the update when it hadn’t existed before, which certainly seems like a bug, albeit a modest and not particularly dangerous one.
Just to make sure, we took the access control list (ACL) from the INETPUB directory created by Windows itself during the update, as shown in the screenshot above. (The icacls command can be used to show and modify access control lists.)
We generated our own version of C:\INETPUB with the same settings, which are more restrictive than the ACL you end up with if a regular user creates the directory.
Then we tried updating for a third time, and this too completed successfully.
The bottom line is that you should find this special IIS directory appearing in C:\ after you apply the April 2025 Patch Tuesday updates, whether you have ever installed IIS or not.
In this very article, published at 2025-04-10T22:43:00Z, we originally wrote:
If you aren’t using IIS, you can simply remove the offending directory (you will need administrator privileges to do so).
That statement is still true: you can delete the directory, and it won’t cause problems if you do.
However, Microsoft has now updated one of its own Patch Tuesday advisories to advise you not to delete this unexpected directory, because creating it was not a bug, but a security feature.
Who knew?
For reasons Microsoft doesn’t explain:
After installing the [April 2025] updates listed in the Security Updates table for your operating system, a new %systemdrive%\inetpub folder will be created on your device. This folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device. [Microsoft’s own emphasis.] This behavior is part of changes that increase protection and does not require any action from IT admins and end users.
If you have already deleted this directory, you can recreate it yourself, but you will need to give it the same permissions that we showed in the screenshot above, where regular users’ access rights are restricted.
In our tests, creating the directory C:\INETPUB as an Administrator seemed to do the trick and get the right ACL permissions.
If you’re not confident doing that, Microsoft has apparently suggested the workaround of installing IIS (which creates the directory itself with the right permissions), and then uninstalling it, which removes the software but not the directory.
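If you have recreated the directory and want to check the result, here is a read-only audit in the spirit of the icacls check described above, as an added example (not from the original article and not Microsoft's tooling). It reports the directory's owner and any allow rules that give write-type rights to broad groups; the function name Test-InetpubAcl, the list of "broad" SIDs and the choice of which rights count as write-type are assumptions made for this example, because the ACL in the article's screenshot is not reproduced in the text.

```powershell
# Added example: read-only audit of the inetpub directory's ACL.
# It changes nothing on disk; it only reads and reports.
function Test-InetpubAcl {
    param([string]$Path = (Join-Path $env:SystemDrive 'inetpub'))

    $result = [ordered]@{ Path = $Path; Exists = $false; Owner = $null; BroadWriteRules = @() }
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return [pscustomobject]$result
    }
    $result.Exists = $true

    $acl = Get-Acl -LiteralPath $Path
    $result.Owner = $acl.Owner

    # Assumption: these well-known SIDs stand in for "regular users".
    $broad = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }

    # Assumption: the rights treated as "write-type" here, plus the raw
    # GENERIC_WRITE and GENERIC_ALL bits that inherit-only entries may carry.
    $named = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeBits = [int]$named -bor 0x40000000 -bor 0x10000000

    # Ask for SIDs rather than names so the check is language-independent.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $result.BroadWriteRules = @(
        $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broad.ContainsKey($_.IdentityReference.Value) -and
            ([int]$_.FileSystemRights -band $writeBits) -ne 0
        } | ForEach-Object {
            [pscustomobject]@{
                Principal = $broad[$_.IdentityReference.Value]
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
            }
        }
    )
    [pscustomobject]$result
}

Test-InetpubAcl | Format-List
```

An empty BroadWriteRules list means none of the listed groups holds write-type access to the directory; any entries that do appear show which group has it and whether the rule was inherited from C:\.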
Hope this helps!
The logical fallacy of assuming that because X preceded Y, then X must have caused Y, is known by the fancy name of post hoc ergo propter hoc, which is Latin for “after something, therefore because of that thing.” Be careful not to fall into this trap. It can waste a lot of time, may lead to false accusations, and can end up letting the real culprit off the hook.
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!