In context: Every now and then, Microsoft security patches can wreak havoc on Windows PCs. Users are understandably cautious these days, and even an innocent, empty folder can raise concerns about what's going on in the system after installing one of these patches. Recent Windows security updates released as part of April's Patch Tuesday introduced an unexpected change. After installing this month's bug fixes, users discovered a new "inetpub" folder had been created in the root of the system volume (e.g., C:\inetpub). Though empty, the folder quickly sparked concern – enough that Microsoft was compelled to update its security bulletin to (partially) explain its purpose. Technically speaking, the inetpub folder is associated with Microsoft's Internet Information Services (IIS), an "extensible" web server that has been part of the Windows OS family since Windows NT 4.0. The IIS platform uses this folder to store logs, but only when the relevant Windows components are installed on the system. The newly created inetpub folder is related to CVE-2025-21204, a security vulnerability that Microsoft patched this month. This vulnerability, classified as a Windows Process Activation Elevation of Privilege flaw, could be exploited by an authenticated attacker to perform file management operations with SYSTEM-level privileges, according to Microsoft's security bulletin. The issue affects both Windows 10 and Windows 11. After users began speculating about the origin of the inetpub folder, Microsoft updated the bulletin to confirm its source. Once the patch for CVE-2025-21204 is installed, the updated bulletin explains, a new "%systemdrive%\inetpub" folder will be created on the device. Microsoft advises against deleting this folder, even if IIS is not active on the system. // Related Stories The new folder is part of the changes introduced to "enhance" Windows security, so both end users and IT admins shouldn't bother to investigate the matter any further. What Microsoft hasn't explained, however, is how exactly an empty folder helps protect the system from a privilege escalation vulnerability. Microsoft's guidance to leave the inetpub folder alone may disappoint users who prefer to maintain strict custom folder structures on their local drives. Personally, knowing there's an empty folder in my system root that I "shouldn't" delete is the kind of thing that could eventually drive me insane. For users not affected by computing-related OCD tendencies, though, this odd addition may be easier to ignore – for now.