Re: About That “inetpub” Folder ...

On Tue, 6/10/2025 12:11 PM, Oscar wrote:

On Mon, 9 Jun 2025 23:58:35 -0000 (UTC), Lawrence D'Oliveiro
<ldo@nz.invalid> wrote
 

Lately, a mysterious empty folder called inetpub has been appearing
on Windows machines after recent Microsoft security updates.

 
I have it, where the folder has a date of 3/6/2025 but I have no idea what
it is used for. Mine isn't empty though.
 
dir /s/a/l/on/b inetpub
c:\inetpub\custerr
c:\inetpub\temp
c:\inetpub\custerr\en-us
c:\inetpub\custerr\en-us\500-100.asp
c:\inetpub\temp\apppools
c:\inetpub\temp\iis temporary compressed files
c:\inetpub\temp\apppools\apc1690.tmp
c:\inetpub\temp\apppools\apc17c9.tmp
c:\inetpub\temp\apppools\apc1846.tmp
c:\inetpub\temp\apppools\apc1855.tmp
c:\inetpub\temp\apppools\apc7cb.tmp
c:\inetpub\temp\apppools\apcc4f.tmp
c:\inetpub\temp\apppools\apcef03.tmp
c:\inetpub\temp\apppools\apcf898.tmp
c:\inetpub\temp\apppools\apcfaea.tmp
c:\inetpub\temp\apppools\apcfe26.tmp
c:\inetpub\temp\apppools\bindinginfo.tmp
 
Can someone just give me the best way to get rid of it safely?
 

Is IIS running on your machine ?

Run "control.exe", select "Programs and Features", look for "Windows Features'.
Look in there for the IIS entry, examine whether tick boxes have been
asserted at some time, to install it.

   Turn Windows features on or off

        Internet information Services
            FTP Server
            Web management Tools
            World Wide Web Services
        Internet information Services Hostable Web Core

You can check in Task Manager, and see if "IIS" process is running.

My machine has an iisSetup but no iis.exe .

*******
# In a deletion attempt of any size, you can scan for junctions first.
# There shouldn't really be any junctions in here.
# We will use the resident "robocopy.exe" program for content deletion.
# We can do this, because the outer permission looks to be "not protecting"
# any inner content, and not attempting to interfere with an actual IIS running.

c:
cd \            # Now at top level C: , will be making a folder.
md oscartemp    # Make an empty folder.

robocopy.exe  C:\oscartemp\  C:\inetpub  /MIR  /v     # Normally, we'd save the output in a log file, but this run is short.
                                                      # Mirroring an empty directory, deletes the contents of the second directory.
rd oscartemp    # Remove the empty folder.

For the next part, we can try my first attempt at deleting
an entire OS partition. I cloned a C: partition to make
a K: partition, which would have all the same permissions.
The first part of the recipe in this post, uses Junction from Sysinternals,
to deal with the junctions first. Junctions cause indigestion for
a number of Windows tools. Some of the tools "step over" junctions
and emit a warning for each one avoided.

   https://al.howardknight.net/?STYPE=msgid&MSGI=%3C100mia4%243bjrp%241%40dont-email.me%3E

Using what we learned, we can now attack the empty folder C:\inetpub .
We're still cd'ed to the top of C: via "cd \" in an Administrator command Prompt.

rd C:\inetpub\          # First try removing it, without using a mallet
                        # If the folder is really empty, and perms OK, this should remove the dir.
                        # Do next steps, if it resists.

takeown /F    C:\inetpub\    /r /d y
icacls        C:\inetpub\    /grant Administrators:F /t
rd            C:\inetpub\    /S /Q                       # Recursive descent, just in case

That should be enough.

Summary: You shouldn't be removing this at the moment, and hopefully, it should
         have some perms at the top level to make the top level folder immutable.

         You can easily remove that folder using Linux, but that's not accepted
         here as an answer, if you offered it as an answer. We use the mallets at hand.

         The "takeown" and "icacls" are part of the "itsmine.cmd" two line script.
         I didn't invent this, only copied it.

         Removing a C: partition entirely, is normally difficult. That's why I was
         surprised an Office path or similar, did not throw a wrench in the works.
         Some OS versions have had fairly interesting namespace paths injected,
         and those can't even be copied into Thunderbird (which handles UTF-8),
         let alone be deleted.

         Microsoft has a test philosophy, where they "throw wrenches into everything",
         then stand back and observe the user population for "blowback". That's one
         of the reasons these things are so tough. When they did the C:\inetpub ,
         they weren't half trying. They can apply their extreme difficulty mantra
         if they want. When I make a reference to immutable, it isn't really immutable,
         merely... inconvenient for end users to do. It takes fifty web pages to
         describe the permissions model of Windows. Only the person who invented it,
         really understands it, and he may have written a book.

   Paul