What is fontdrvhost.exe and Why is it Running?

Wondering what fontdrvhost.exe is doing running on your Windows 10 machine? Is it a valid file? Is it a virus? Great questions. Here’s what you need to know.

If you’re going through Task Manager on a Windows 10 machine, you will see fontdrvhost.exe running in the background. Is it a valid file? Is it a virus? Great questions. Let’s review what it is and if you should be concerned or not.

Jumping right to the end — everything is fine; it is not a virus. If you have Windows 10 and the latest updates, you don’t need to worry about fontdrvhost.exe. The Usermode Font Driver Host (fontdrvhost.exe) is an executable created by Microsoft and built into the core OS.

What is fontdrvhost.exe?

Fontdrvhost.exe is a Windows system process. Also known as Usermode Font Driver Host, the fontdrvhost.exe process is responsible for managing fonts on your Windows system. It’s around 802KB in size (as of Windows 10 version 1909) and is typically found in the System32 folder.

In early 2020 Microsoft increased the security of this executable, and it now runs in an AppContainer. This means that, if this process gets hijacked by malware, it can only breach the container, not the whole kernel. Previously, fontdrvhost.exe ran within the core and, if hijacked, could potentially put the security of the entire system at risk.

That is still the case for Windows 7, 8, and non-updated Windows 10. If you are running Windows 10 and have installed the latest updates, you are safe. If you are running Windows 7 or Windows 8, Microsoft security update guide ADV200006 lists some mitigations and workarounds you can put in place to secure the system.

UMFD-0? Who is that?

In Task Manager, open the Details tab and locate fontdrvhost.exe. On updated Windows 10 systems, you will see that the executable runs under the user name UMFD-0.

UMFD-0 is a system account generated by the User Mode Driver Framework component, and it has only the limited permissions needed for the font tasks it has to execute. You cannot log in as the UMFD-0 user on a system, as it doesn’t even have permission to run an explorer.exe process.

The Security Identifier (SID) of these accounts always starts with S-1-5-96-0 (compared to a standard user account, which starts with S-1-5-21). To find the SIDs of your standard local accounts, open an elevated cmd.exe and run the following command:

wmic useraccount list full

Don’t worry: fontdrvhost.exe is a legit file

As we’ve discussed, fontdrvhost.exe is a Microsoft system file. There have been some security issues with vulnerabilities in the file, so make sure you are running Windows 10 with the latest updates, and you are safe. On Windows 7 and Windows 8, the file is also legit but could have a security vulnerability. If you’re following the Microsoft security update guide, though, you are safe.

If you have any doubts, verify that the file is signed by Microsoft and is running from the c:\windows\system32 folder. In Task Manager, verify that it runs under the UMFD-0 user. These checks help ensure it is not a copycat file running from another location.
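The three checks above (location, signature, account) can be run in one pass from an elevated PowerShell prompt. This is an added example, not part of the original article; it assumes the signer subject contains "O=Microsoft Corporation" and that sessions beyond the first use further numbered UMFD accounts.

```powershell
# Added example: audit every running fontdrvhost.exe against the article's checks
# (System32 path, Microsoft signature, UMFD account with the S-1-5-96-0 SID prefix).
# Run elevated; without elevation the image path and owner may come back empty.
$expectedPath = Join-Path $env:SystemRoot 'System32\fontdrvhost.exe'
$sidPrefix    = 'S-1-5-96-0'   # SID prefix the article gives for these accounts

$procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'fontdrvhost.exe'"
if (-not $procs) { Write-Warning 'No fontdrvhost.exe process is running.' }

$report = foreach ($p in $procs) {
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $sid   = (Invoke-CimMethod -InputObject $p -MethodName GetOwnerSid).Sid

    # The signature can only be checked when the image path is readable.
    $sig = if ($p.ExecutablePath) { Get-AuthenticodeSignature -FilePath $p.ExecutablePath }

    $pathOk   = $p.ExecutablePath -eq $expectedPath      # -eq is case-insensitive
    $signedOk = $sig -and $sig.Status -eq 'Valid' -and
                $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*'
    # Assumption: additional sessions run under UMFD-1, UMFD-2, and so on.
    $userOk   = $owner.User -match '^UMFD-\d+$' -and "$sid".StartsWith($sidPrefix)

    [pscustomobject]@{
        PID      = $p.ProcessId
        Path     = if ($p.ExecutablePath) { $p.ExecutablePath } else { '<unreadable>' }
        User     = '{0}\{1}' -f $owner.Domain, $owner.User
        Sid      = $sid
        PathOk   = [bool]$pathOk
        SignedOk = [bool]$signedOk
        UserOk   = [bool]$userOk
        Verdict  = if ($pathOk -and $signedOk -and $userOk) { 'OK' } else { 'INVESTIGATE' }
    }
}
$report | Format-Table -AutoSize
```

A row marked INVESTIGATE with an unreadable path usually means the prompt was not elevated; rerun as administrator before drawing conclusions.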
