Microsoft Releases PowerShell Script to Restore Critical *inetpub* Folder After April 2025 Windows Update
Microsoft has released a PowerShell script to help administrators restore the C:\inetpub folder, which was automatically created by the April 2025 Windows security updates but mistakenly deleted by some users. The folder plays a key role in mitigating CVE-2025-21204, a high-severity privilege escalation vulnerability in the Windows Process Activation Service.
The issue emerged after the April updates deployed an empty inetpub folder, a folder typically associated with Internet Information Services (IIS), even on systems where IIS was not installed. Confused users removed the folder, inadvertently re-exposing their systems to the patched flaw. Microsoft initially advised manually reinstalling IIS via the "Turn Windows features on or off" dialog to recreate the folder with proper permissions; IIS could then be uninstalled, and the folder would remain in place.
On Wednesday, Microsoft updated its CVE-2025-21204 advisory, providing a PowerShell script (Set-InetpubFolderAcl.ps1) to automate the restoration process. The script re-establishes the correct access control lists (ACLs) for the inetpub folder, ensuring protection against the vulnerability. It also secures the DeviceHealthAttestation directory on Windows Server systems, which may have been affected by February 2025 updates.
The underlying flaw stems from an improper link resolution issue in the Windows Update Stack, allowing local attackers with low privileges to exploit symbolic links and escalate to NT AUTHORITY\SYSTEM permissions. While Microsoft confirmed the folder’s deletion does not disrupt normal Windows operations, it warned that removing it weakens defenses against the vulnerability. Cybersecurity researcher Kevin Beaumont further demonstrated that non-admin users could abuse the folder to block Windows updates by creating malicious junctions.
Microsoft has emphasized that the inetpub folder should remain in place regardless of IIS installation, as it is a deliberate security measure requiring no additional action from users or admins.
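A read-only check for the two conditions described above (the folder is missing, or a junction sits in its place), plus a look at its ACL. This is an added example, not Microsoft's Set-InetpubFolderAcl.ps1 and not code from the advisory. The function name Test-InetpubMitigation and the broad-group write heuristic are assumptions of the example, since the page does not list the expected ACL.

```powershell
# Added example: read-only audit of the mitigation folder. It changes nothing.
function Test-InetpubMitigation {
    param([string]$Path = (Join-Path $env:SystemDrive 'inetpub'))

    $report = [ordered]@{
        Path = $Path; Exists = $false; IsReparsePoint = $false; LinkTarget = $null
        Owner = $null; BroadWriteAces = @(); Verdict = 'Missing: mitigation folder absent'
    }
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return [pscustomobject]$report }
    $report.Exists = $true

    # A junction or symlink in place of the real directory is the abuse case
    # described above, so report where it points instead of following it.
    if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        $report.IsReparsePoint = $true
        $report.LinkTarget = $item.Target
        $report.Verdict = 'Investigate: path is a reparse point, not a plain directory'
        return [pscustomobject]$report
    }

    $acl = Get-Acl -LiteralPath $Path
    $report.Owner = $acl.Owner

    # Assumption of this example: write-type rights held by these broad groups
    # deserve a review. SIDs: Everyone, Authenticated Users, BUILTIN\Users.
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    $writeMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Resolve identities to SIDs so the match does not depend on OS language.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $report.BroadWriteAces = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadSids -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $writeMask)
    } | ForEach-Object { '{0}: {1}' -f $_.IdentityReference.Value, $_.FileSystemRights })

    $report.Verdict = if ($report.BroadWriteAces.Count) {
        'Review: broad group holds write-type rights'
    } else { 'Present: plain directory, no broad write ACEs found' }
    [pscustomobject]$report
}

Test-InetpubMitigation | Format-List
```

A "Missing" or "Review" verdict is a cue to run the script from the CVE-2025-21204 advisory; this check only reports and does not repair permissions.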
{
  "id": "MIC1766551188",
  "linkid": "microsoft-security-response-center",
  "type": "Vulnerability",
  "date": "4/2025",
  "severity": "25",
  "impact": "1",
  "explanation": "Attack without any consequences"
}
{'affected_entities': [{'customers_affected': 'Users who deleted the '
'C:\\inetpub folder after April '
'2025 updates',
'industry': 'Technology, Government, Enterprise, '
'Consumer',
'location': 'Global',
'name': 'Microsoft Windows Users',
'size': 'All sizes',
'type': 'Operating System Users'}],
'attack_vector': 'Local',
'customer_advisories': 'Users are advised to restore the folder using the '
'provided PowerShell script or manual methods if '
'deleted.',
'date_detected': '2025-04',
'date_publicly_disclosed': '2025-04',
'description': 'Microsoft released a PowerShell script to help restore an '
"empty 'inetpub' folder created by the April 2025 Windows "
'security updates if deleted. The folder mitigates a '
'high-severity privilege escalation vulnerability '
'(CVE-2025-21204). Users who deleted the folder were left '
'vulnerable, prompting Microsoft to provide remediation steps, '
'including a PowerShell script to restore the folder with '
'correct permissions.',
'impact': {'operational_impact': 'Potential privilege escalation leading to '
'unauthorized file manipulation',
'systems_affected': 'Windows systems with April 2025 security '
'updates installed'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Users should not delete system folders created by '
'security updates without confirmation. Automated updates '
'may introduce changes that are not immediately intuitive '
'but serve critical security functions.',
'post_incident_analysis': {'corrective_actions': 'Microsoft patched the '
'vulnerability in April 2025 '
'updates and provided a '
'PowerShell script to '
'restore the mitigating '
'folder.',
'root_causes': 'Improper link resolution in '
'Windows Update Stack allowed '
'privilege escalation via symbolic '
'links.'},
'recommendations': ['Do not delete the C:\\inetpub folder, even if it appears '
'unnecessary.',
"Use Microsoft's provided PowerShell script to restore "
'the folder if deleted.',
'Install IIS temporarily if needed to recreate the folder '
'with correct permissions.',
'Monitor Microsoft advisories for updates on security '
'patches and their implications.'],
'references': [{'date_accessed': '2025-04',
'source': 'BleepingComputer',
'url': 'https://www.bleepingcomputer.com'},
{'date_accessed': '2025-04',
'source': 'Microsoft CVE-2025-21204 Advisory',
'url': 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204'}],
'response': {'communication_strategy': 'Updated CVE advisory, blog posts, and '
'direct warnings to users',
'containment_measures': 'PowerShell script to restore folder and '
'permissions',
'incident_response_plan_activated': 'Yes',
'recovery_measures': 'Install IIS or use PowerShell script to '
'restore folder',
'remediation_measures': 'Recreate C:\\inetpub folder manually or '
'via script, ensure correct ACL '
'permissions'},
'stakeholder_advisories': 'Microsoft has issued warnings to IT admins and end '
'users not to delete the C:\\inetpub folder.',
'title': 'Windows Process Activation Privilege Escalation Vulnerability '
'(CVE-2025-21204)',
'type': 'Privilege Escalation',
'vulnerability_exploited': 'Improper link resolution in Windows Update Stack '
'(CVE-2025-21204)'}