Microsoft Releases PowerShell Script to Address Critical Windows Privilege Escalation Vulnerability CVE-2025-21204

CyberSecureFox 🦊

Microsoft has officially released a specialized PowerShell script designed to restore the critical inetpub folder in Windows systems, addressing a serious privilege escalation vulnerability in the Windows Process Activation component identified as CVE-2025-21204. This security measure has become essential for maintaining system integrity across Windows environments, regardless of whether Internet Information Services (IIS) are actively deployed.

The Mystery Behind April’s Automatic inetpub Folder Creation

In April 2025, Windows users encountered an unexpected phenomenon following the installation of cumulative security updates. Systems began automatically creating an empty C:\inetpub folder, even on machines where IIS had never been installed or configured. This seemingly random folder creation initially caused confusion among system administrators and end users alike.

The situation became more perplexing when Microsoft’s initial communications provided limited explanation for this behavior. Many users, viewing the folder as potentially suspicious or unnecessary, proceeded to delete it without understanding its protective function. Notably, the April updates included a safeguard that prevented installation if an inetpub folder already existed on the target system, hinting at the folder’s critical security role.

Understanding the CVE-2025-21204 Security Vulnerability

Microsoft subsequently updated their security bulletin to clarify the true purpose of the mysterious inetpub folder. According to the official statement, “this folder must not be removed regardless of IIS service activity on the target device and represents an integral component of enhanced security measures.”

Technical analysis reveals that the folder is created with SYSTEM-level access rights in read-only mode. This specific configuration prevents exploitation of the privilege escalation vulnerability within the Windows Process Activation Service, effectively creating an additional security barrier against potential attackers seeking to elevate their system privileges.

Cybersecurity Expert Concerns and Attack Vector Warnings

Prominent cybersecurity specialist Kevin Beaumont has raised concerns about potential misuse of the inetpub folder mechanism. His analysis suggests that malicious actors could exploit this security feature to block the installation of critical Windows security updates, potentially creating significant risks for enterprise infrastructure and leaving systems vulnerable to other attack vectors.

Official Microsoft Solution: Set-InetpubFolderAcl PowerShell Script

To address systems where users inadvertently removed the protective folder, Microsoft has developed an automated PowerShell-based solution. System administrators can restore the deleted inetpub folder and its proper security configuration by executing the following commands with administrative privileges:

Install-Script -Name Set-InetpubFolderAcl
& "C:\Program Files\WindowsPowerShell\Scripts\Set-InetpubFolderAcl.ps1"

This automated script not only recreates the folder with appropriate permissions but also configures correct access rights for IIS services, preventing unauthorized access and potential exploitation of CVE-2025-21204. Additionally, the tool updates Access Control List (ACL) entries for the DeviceHealthAttestation directory in Windows Server environments, ensuring comprehensive security coverage.

Implementation Best Practices and Security Recommendations

Security professionals recommend immediate deployment of Microsoft’s PowerShell script across all systems where the inetpub folder was removed by users or administrators. This security measure operates independently of active IIS services and applies to all Windows configurations, making it universally applicable across diverse IT environments.

Organizations should also implement monitoring procedures to detect unauthorized removal of the inetpub folder and establish policies preventing its deletion. Regular verification of the folder’s presence and proper permissions should be integrated into routine security audits and system maintenance procedures.
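One way to run the verification described above as an added example (this is not Microsoft's script and not from the original article): capture the folder's ACL as an SDDL string on a reference host after Set-InetpubFolderAcl.ps1 has been applied, then compare every other host against it. The function names, the baseline file path and the reparse-point check are this example's own assumptions.

```powershell
# Added audit example (not Microsoft's code). Run elevated.
# Step 1, once, on a known-good host after Set-InetpubFolderAcl.ps1: store the SDDL.
function Get-InetpubBaselineSddl {
    param([string]$Path = 'C:\inetpub')
    (Get-Acl -LiteralPath $Path).Sddl
}

# Step 2, on every host: confirm the folder exists, is a real directory, and
# carries the same ACL as the baseline. Any deviation means re-running the
# Microsoft script (and investigating who changed the folder).
function Test-InetpubFolder {
    param(
        [string]$Path = 'C:\inetpub',
        [Parameter(Mandatory)][string]$BaselineSddl
    )
    $result = [ordered]@{
        Path = $Path; Exists = $false; IsDirectory = $false
        IsReparsePoint = $false; Owner = $null; AclMatchesBaseline = $false
    }
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [pscustomobject]$result }   # folder was deleted
    $result.Exists      = $true
    $result.IsDirectory = $item.PSIsContainer
    # A junction or symlink standing in for the folder is not the expected state (assumption).
    $result.IsReparsePoint = (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0)
    $acl = Get-Acl -LiteralPath $Path
    $result.Owner = $acl.Owner
    $result.AclMatchesBaseline = ($acl.Sddl -eq $BaselineSddl)
    [pscustomobject]$result
}

# Usage: baseline file location is an assumption; create it from Get-InetpubBaselineSddl.
$baselineFile = 'C:\Audit\inetpub-baseline.sddl'
if (-not (Test-Path -LiteralPath $baselineFile)) {
    throw "Baseline $baselineFile missing; run Get-InetpubBaselineSddl on a reference host first."
}
$baseline = (Get-Content -LiteralPath $baselineFile -Raw).Trim()
$status   = Test-InetpubFolder -BaselineSddl $baseline
if (-not $status.Exists -or -not $status.IsDirectory -or
    $status.IsReparsePoint -or -not $status.AclMatchesBaseline) {
    Write-Warning "inetpub check failed on $env:COMPUTERNAME: $($status | ConvertTo-Json -Compress)"
} else {
    Write-Output "inetpub folder present with baseline ACL on $env:COMPUTERNAME"
}
```

The SDDL comparison is exact, so a baseline must be taken per Windows build and edition where the script's resulting ACL differs.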

The inetpub folder incident highlights the importance of clear communication about security changes and of proactive user education. Microsoft's response to CVE-2025-21204 shows why administrators should follow official vendor guidance while keeping their own security practices vigilant, and why deploying this PowerShell script should be a priority on any system where the folder is missing, to protect against privilege escalation attacks targeting the Windows Process Activation service.
