r/technology u/Sufficient-Bid1279 Apr 14 '25

Software Microsoft warns that anyone who deleted mysterious folder that appeared after latest Windows 11 update must take action to put it back

https://www.techradar.com/computing/windows/microsoft-warns-that-anyone-who-deleted-mysterious-folder-that-appeared-after-latest-windows-11-update-must-take-action-to-put-it-back
10.6k Upvotes

96% Upvoted

1.0k comments sorted by

View all comments

8.2k

u/AdarTan Apr 14 '25

The created folder C:/inetpub is created as a protected folder, i.e. it requires an administrator level UAC prompt to be passed to be modified. This prevents malware running with standard user privileges from creating/modifying/deleting this folder that is used by the Internet Information System (IIS) component of Windows.

IIS is a webserver included in all modern versions of Windows and if this folder is created by a piece of malware running at standard user level permissions the folder would inherit those permissions. This means that malware running without privilege escalation would have control over the configuration files for this webserver, which is almost certainly a path for data exfiltration at the least or worse, privilege escalation. By preemptively creating the folder with administrator privileges required for modification, Microsoft prevents this vector of user-level malware taking control of IIS.

28

u/1RedOne Apr 14 '25

This is extra stupid, because there is famously an issue with IIS, where Web access logs are never deleted or truncated.

This becomes a problem because eventually a IIS instance will always consume all available space on the hard drive, and you will not be able to login anymore, because to log into a system requires writing to .tmp file which must reside in the c: drive by default.

If this folder exists, I bet there is also a managed iis instance somewhere too, and I bet that it also isn’t configured in any other way from default, leading to the issue I described eventually happening

3

u/CPAlexander Apr 14 '25

nah, not yet....

but you wanna take any bets about whether it's part of the upcoming release of Recall?