This month’s security updates for Windows 11 create a new empty folder on drive C. It is called “inetpub,” and it does not contain any extra folders or files. Its properties window shows 0 bytes in size and that it was created by the system itself. Neowin checked a bunch of Windows 11 PCs with the April 2025 security updates installed, and all of them had inetpub on drive C.
↫ Taras Buria at Neowin
So this folder, inetpub, is most likely coming from Microsoft’s Internet Information Services, the company’s web server. IIS is part of Windows, but inactive by default, and it seems some buggy update script somewhere forgot to remove the folder or created it by accident. Regardless, it seems you can remove it without any issue, so if you see it on your Windows’ root drive, just delete it any be on your merry way.
Still though, something about this seems odd, right? Internet Information Services as a core product hasn’t been updated since 2018 when version 10 came out, which doesn’t necessarily mean specific Windows updates might not have changed it since then, but it doesn’t exactly inspire confidence. The Internet Information Services’ website also hasn’t been updated in ages, and is broken in places, further adding to the feeling IIS seems to be mostly abandoned, only kept going as part of Windows updates because it’s, well, part of Windows.
I’m not trying to insinuate there’s anything nefarious or dangerous going on with this silly folder glitch or anything; I was just surprised to see such an outdated, seemingly abandoned web server suite still being a default part of Windows today.
Windows has yet another empty unused folder now – As exciting as watching paint dry :F
it is like the left hand doesnt know what the right does
IIS Express is also still available for anyone that wants to run it for development purposes.
https://learn.microsoft.com/en-us/iis/extensions/introduction-to-iis-express/iis-express-overview
Dumb mistake to create this directory when IIS (Internet Information Server — MS web server) is disabled. I am not sure how most of the rest of the analysis follows though. What does it have to do with IIS being secure or not?
IIS is still supported and I have no doubt it is still being actively maintained with security updates. The fact that this folder was enabled hints that they are still touching it at least. However, it is important to understand what IIS is.
IIS is a web server for serving web sites in a production environment. From your computer. At one point in computing history, IIS was at the absolute forefront of Microsoft’s battle for industry dominance. It was meant to compete with both Netscape and Apache. These days, it is off by default. Why is that?
1) Microsoft “lost” the web server battle. Long ago, both NGINX and Apache left them behind
2) Microsoft does not want you serving web pages off your own computer. They want you to use Azure (the Cloud).
3) If you are serving web pages, Microsoft wants you to be using .NET and .NET ships with its own webserver:
https://learn.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel?view=aspnetcore-9.0
4) For developers that need more than Kestrel (see above) there is IIS Express. So IIS is not meant for dev workflows.
5) You do not run production websites from your regular Windows machine.
6) The role of IIS is to serve static content, handle certificates, and the like. These are solved problems. It does everything it needs to do as well as it needs to given that Microsoft is no longer trying to “win” the non-.NET on premise web server hosting market. As above, innovation on the reverse proxy and web server features (including performance) is happening withing .NET itself (see Kestrel and YARP). When serving .NET apps via IIS, most of the work is happening outside IIS.
7) In other words, IIS is “complete”. It is mature. It is not strategic. There is no reason to invest in it other than security updates.
8) IIS is still widely used in the same way that desktop Linux is widely used. Small percentages of large markets are still large. It is still an important capability for Windows. I am sure that at least a few major Microsoft customers really care about it. There is certainly no reason to remove it even if it is “done”.
Honestly, it is refreshing to find something that Microsoft supports but otherwise leaves alone. Although, to be fair, that describes most of the their “abandoned” GUI frameworks as well (like MFC or Windows Forms that is still seeing small updates in the current .NET previews).
The fact that Microsoft does not make much noise about IIS anymore, especially on non-server machines, should not surprise us. That said, there is no reason to jump to the conclusion that its continuing existence is a problem we need to be concerned with.
LeFantome,
I agree with all your other points. Many of us have moved on to newer platforms, but saying it only serves static content doesn’t really do it justice. It can be compared to nginx. In ancient times I used IIS for dynamic websites and it’s programmable filters. I recall one project where I used IIS filters to dynamically inject scripts into a closed source CRM that the company wanted to extend.
It’s funny that “inetpub” is cropping up on machines that don’t have IIS. Makes one wonder what component is doing that since it implies that the inetpub directory is hard coded outside of IIS components.
I’m not saying that Thom is biased, I’m just strongly implying it could be the case.
I read this and immediately said “no… no way is Microsoft leaving a server component in supported windows without updates or maintenance”
And so I google’d it, and quickly found out that it is actively maintained and within the support period. I certainly did it quicker than it took Thom to write this.
that_guy,
I assume you didn’t mean to reply to my comment? It doesn’t seem related.
Of course we agree.
IIS is a fully capable stand-alone web-server that served a good chunk of the web in times past. As I said, I am sure that at least a few big players are still using IIS to its fullest.
My point was not what IIS is capable of but how Microsoft wants you to use it. If you are serving dynamic websites with .NET, you are meant to use the Kestrel web-server. You can use Kestrel in concert with IIS but IIS is meant to be handling the static stuff in that case. You of course have access to all IIS features but the actual application server is still Kestrel. My point in saying this is that, given how Microsoft has positioned them, one would fully expect development in IIS itself to atrophy while continuing to see investment and new features in Kestrel and .NET and this is exactly what we see.
This post title is highly misleading. IIS is not enabled on Windows by “default”.
And this recent patch only creates an empty folder related to IIS (which may or may not be a bug at this point, we shall see).
IIS is actively developed – Windows 2022/Windows 11 added HTTP/3 support for example. But that’s not architectural to the IIS platform itself.
Frankly, there’s not a lot that *needs* to have changed since the current version came out for Windows 2016/Windows 10.
IIS is highly modular so most of the active work happens outside the core product. Microsoft also tends not to think of it being used via management apps much anymore but controlled programmatically, so the UI hasn’t received much of a refresh in quite a while.
IIS however underpins Exchange (ie, outlook.com and the new Outlook “app” pushed to Win10/Win11/Office users), it underpins Office Online and Sharepoint – which means it also runs OneDrive which basically every Windows machine is made to have now. Most of Azure and O365 you’re hitting IIS servers somewhere in the chain. And on the private side, if you’re using ASP.NET based sites, especially if you’re doing it via Azure, you’re almost certainly using IIS.
IIS isn’t outdated, nor abandoned, and it’s not going anywhere.
“Internet Information Services as a core product hasn’t been updated since 2018 when version 10 came out,”
This is actually good news. I’m sick of Microsoft changing software all the time, obvious example is Win 10 -> Win 11.
People should be happy that IIS has remained stable and a web site you built in 2018 will still be working today (well you would need to update ssl certificates, you know what I mean).
Wrongly creating the folder is another classic Microsoft screw up; showing their lack of quality control.
A little late to the discussion, but this article clip should be updated as per the updates on the linked article itself – it is NOT safe to remove the folder, as Microsoft has purposefully included it as part of the mitigation strategy against CVE-2025-21204. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204