How-To

What is fontdrvhost.exe and Why is it Running?

Wondering what fontdrvhost.exe is doing running on your Windows 10 machine? s it a valid file? Is it a virus? Great questions. Here’s what you need to know.

If you’re going through Task Manager on a Windows 10 machine, you will see fontdrvhost.exe running in the background. Is it a valid file? Is it a virus? Great questions. Let’s review what it is and if you should be concerned or not.

Jumping right to the end — everything is fine; it is not a virus. If you have Windows 10 and the latest updates, you don’t need to worry about fontdrvhost.exe. The Usermode Font Driver Host (fontdrvhost.exe) is an executable created by Microsoft and built into the core OS.

What is fontdrvhost.exe?

The friendly name is Usermode Font Driver Host and manage font’s activity on the system. In early 2020 Microsoft increased security of this executable, and it is now running in an AppContainer. Meaning that if this process gets hijacked by, for example, malware, it got only permission within this container, not the whole kernel. Before fontdrvhost.exe ran within the core and, if hijacked, could potentially risk the security of the entire system. That is still the case for Windows 7, 8, and non-updated Windows 10. If you are running Windows 10 and have run the latest updates, you are safe. If you are running Windows 7 or Windows 8, there are some mitigations and workarounds you can put in place to secure the system listed in Microsoft security update guide ADV200006.

The file fontdrvhost.exe on Windows 10 (1909 version) is of size 802KB, located in the C:\Windows\System32 folder. Microsoft has signed the file.

 

UMFD-0? Who is that?

In Task Manager under tab Details and locating fontdrvhost.exe, you will on updated Windows 10 systems see that the executable runs under user name UMFD-0.

UMFD-0 is a system account generated by the User Mode Driver Framework component, and it got limited permission only for the font tasks it needs to execute. You cannot log in as UMFD-0 user on a system as it doesn’t even have permission to run an explorer.exe process.

The Security Identifier (SID) of these accounts always starts with S-1-5-96-0 (compared to a standard user account that starts with S-1-5-21). To find out about SID for your standard local accounts you can go in an elevated cmd.exe run the following command:

wmic useraccount list full

Don’t worry fontdrvhost.exe is a legit file

As we’ve discussed, fontdrvhost.exe is a Microsoft system file. There have been some security issues with the vulnerabilities of the data file. So make sure you are running Windows 10 and the latest updates, and you are safe. On Windows 7 and Windows 8, the file is also legit but could have a security vulnerability. But if you’re following the Microsoft security update guide you are safe.

If any issues, you can verify that the file is signed by Microsoft and running from c:\windows\system32 folder. In Task Manager verify that it runs under the UMFD-0 user. It helps us to ensure it is not a copycat file running from another location.

Do you have additional questions about fontdrvhost.exe, which I didn’t answer? Please post your question or comment on our free Windows 10 discussion forum.

Click to comment
To Top