Full Report
Microsoft's April 2025 Patch Tuesday updates are strangely creating an empty "inetpub" folder in the root of the C:\ drive, even on systems that do not have Internet Information Services (IIS) installed. [...]
Analysis Summary
# Incident Report: Unexpected 'inetpub' Folder Creation Post Windows 11 Update
## Executive Summary
This report details an unexpected system change following the installation of the Windows 11 KB5055523 cumulative update released in April 2025. The update automatically created an empty `inetpub` folder in the root of the C: drive on systems where the Internet Information Services (IIS) web server role was explicitly *not* installed. While the action did not cause immediate operational instability, its non-standard behavior prompted security investigation regarding its intent or potential as an unintended bug introduced by the deployment process.
## Incident Details
- Discovery Date: Following installation of the April 2025 Patch Tuesday updates (KB5055523).
- Incident Date: Concurrent with update installation and system restart.
- Affected Organization: Unspecified (Observed across various Windows 11 systems).
- Sector: Technology/General End-User Computing.
- Geography: Unspecified (Global observation implied by wide release of update).
## Timeline of Events
### Initial Access
- Date/Time: Post-installation of KB5055523 and subsequent restart.
- Vector: Official Microsoft Cumulative Update deployment mechanism.
- Details: The update process executed a step that created the `C:\inetpub` directory, despite IIS not being enabled.
### Lateral Movement
- Not Applicable. This event is an unintended system modification by an update package, not a malicious lateral movement step.
### Data Exfiltration/Impact
- Data Exfiltration: None confirmed.
- Impact: Creation of an empty directory structure, potentially confusing administrators and raising questions about undocumented changes or potential hidden functionality.
### Detection & Response
- Detection: BleepingComputer staff confirmed the folder's presence during routine post-update checks on systems lacking IIS.
- Response Actions: Investigation into whether IIS was installed (confirmed negative) and initial testing confirmed deleting the folder caused no immediate issues, prompting outreach to Microsoft for clarification.
## Attack Methodology
Since this was a system update side effect and not a cyber attack, standard ATT&CK categories do not directly apply. Below describes the observed system interaction:
- Initial Access: Legitimate Software Update Execution.
- Persistence: Not applicable (folder is static).
- Privilege Escalation: The folder was created by the **SYSTEM** account, indicating elevated permissions were used by the update process.
- Defense Evasion: Not applicable.
- Credential Access: Not applicable.
- Discovery: Not applicable (Internal process activity).
- Lateral Movement: Not applicable.
- Collection: Not applicable.
- Exfiltration: Not applicable.
- Impact: Minor file system alteration/configuration bleed-through.
## Impact Assessment
- Financial: Minimal immediate cost; primarily administrative time spent investigating the unexpected artifact.
- Data Breach: None.
- Operational: Negligible impact on system stability or performance, though it caused administrative uncertainty.
- Reputational: Minimal, restricted to internal administrative confusion about Windows update behavior.
## Indicators of Compromise
- Network indicators: N/A
- File indicators: Presence of an empty directory structure: `C:\inetpub`
- Behavioral indicators: The update process (KB5055523) created this directory without the corresponding feature service (IIS) being installed.
## Response Actions
- Containment: None required, as no active compromise was detected.
- Eradication: Manually deleting the `C:\inetpub` folder on affected systems was confirmed to be safe.
- Recovery: Awaiting official clarification from Microsoft regarding the intended purpose or bug status of this folder creation.
## Lessons Learned
- Software updates, even official ones, can introduce unexpected file system changes that mimic initial compromise activity, demanding immediate verification by security teams.
- The creation of directories owned by the SYSTEM account highlights the high privilege level inherent in the patch deployment process.
## Recommendations
- Organizations should implement strict change monitoring, especially after major cumulative updates, to track unexpected file system modifications in high-visibility areas like the root of system drives.
- System administrators should maintain operational awareness of Microsoft's release notes to quickly triage unusual system artifacts reported post-patching.