What is fontdrvhost.exe and Why is it Running?

[Angelus]

HOW-TOWhat is fontdrvhost.exe and Why is it Running?

ByJohn Bryntze
Last Updated on April 23, 2020

Wondering what fontdrvhost.exe is doing running on your Windows 10 machine? s it a valid file? Is it a virus? Great questions. Here’s what you need to know.



COMMENTS

​

If you’re going through Task Manager on a Windows 10 machine, you will see fontdrvhost.exe running in the background. Is it a valid file? Is it a virus? Great questions. Let’s review what it is and if you should be concerned or not.

Jumping right to the end — everything is fine; it is not a virus. If you have Windows 10 and the latest updates, you don’t need to worry about fontdrvhost.exe. The Usermode Font Driver Host (fontdrvhost.exe) is an executable created by Microsoft and built into the core OS.

What is fontdrvhost.exe?
The friendly name is Usermode Font Driver Host and manage font’s activity on the system. In early 2020 Microsoft increased security of this executable, and it is now running in an AppContainer. Meaning that if this process gets hijacked by, for example, malware, it got only permission within this container, not the whole kernel. Before fontdrvhost.exe ran within the core and, if hijacked, could potentially risk the security of the entire system. That is still the case for Windows 7, 8, and non-updated Windows 10. If you are running Windows 10 and have run the latest updates, you are safe. If you are running Windows 7 or Windows 8, there are some mitigations and workarounds you can put in place to secure the system listed in Microsoft security update guide ADV200006.

The file fontdrvhost.exe on Windows 10 (1909 version) is of size 802KB, located in the C:\Windows\System32 folder. Microsoft has signed the file.

UMFD-0? Who is that?
In Task Manager under tab Details and locating fontdrvhost.exe, you will on updated Windows 10 systems see that the executable runs under user name UMFD-0.

UMFD-0 is a system account generated by the User Mode Driver Framework component, and it got limited permission only for the font tasks it needs to execute. You cannot log in as UMFD-0 user on a system as it doesn’t even have permission to run an explorer.exe process.

The Security Identifier (SID) of these accounts always starts with S-1-5-96-0 (compared to a standard user account that starts with S-1-5-21). To find out about SID for your standard local accounts you can go in an elevated cmd.exe run the following command:

wmic useraccount list full
Don’t worry fontdrvhost.exe is a legit file
As we’ve discussed, fontdrvhost.exe is a Microsoft system file. There have been some security issues with the vulnerabilities of the data file. So make sure you are running Windows 10 and the latest updates, and you are safe. On Windows 7 and Windows 8, the file is also legit but could have a security vulnerability. But if you’re following the Microsoft security update guide you are safe.

If any issues, you can verify that the file is signed by Microsoft and running from c:\windows\system32 folder. In Task Manager verify that it runs under the UMFD-0 user. It helps us to ensure it is not a copycat file running from another location.

 

[trompyx]

HOW-TOWhat is fontdrvhost.exe and Why is it Running?

ByJohn Bryntze
Last Updated on April 23, 2020

Wondering what fontdrvhost.exe is doing running on your Windows 10 machine? s it a valid file? Is it a virus? Great questions. Here’s what you need to know.



COMMENTS

​

If you’re going through Task Manager on a Windows 10 machine, you will see fontdrvhost.exe running in the background. Is it a valid file? Is it a virus? Great questions. Let’s review what it is and if you should be concerned or not.

Jumping right to the end — everything is fine; it is not a virus. If you have Windows 10 and the latest updates, you don’t need to worry about fontdrvhost.exe. The Usermode Font Driver Host (fontdrvhost.exe) is an executable created by Microsoft and built into the core OS.

What is fontdrvhost.exe?
The friendly name is Usermode Font Driver Host and manage font’s activity on the system. In early 2020 Microsoft increased security of this executable, and it is now running in an AppContainer. Meaning that if this process gets hijacked by, for example, malware, it got only permission within this container, not the whole kernel. Before fontdrvhost.exe ran within the core and, if hijacked, could potentially risk the security of the entire system. That is still the case for Windows 7, 8, and non-updated Windows 10. If you are running Windows 10 and have run the latest updates, you are safe. If you are running Windows 7 or Windows 8, there are some mitigations and workarounds you can put in place to secure the system listed in Microsoft security update guide ADV200006.

The file fontdrvhost.exe on Windows 10 (1909 version) is of size 802KB, located in the C:\Windows\System32 folder. Microsoft has signed the file.

UMFD-0? Who is that?
In Task Manager under tab Details and locating fontdrvhost.exe, you will on updated Windows 10 systems see that the executable runs under user name UMFD-0.

UMFD-0 is a system account generated by the User Mode Driver Framework component, and it got limited permission only for the font tasks it needs to execute. You cannot log in as UMFD-0 user on a system as it doesn’t even have permission to run an explorer.exe process.

The Security Identifier (SID) of these accounts always starts with S-1-5-96-0 (compared to a standard user account that starts with S-1-5-21). To find out about SID for your standard local accounts you can go in an elevated cmd.exe run the following command:

wmic useraccount list full
Don’t worry fontdrvhost.exe is a legit file
As we’ve discussed, fontdrvhost.exe is a Microsoft system file. There have been some security issues with the vulnerabilities of the data file. So make sure you are running Windows 10 and the latest updates, and you are safe. On Windows 7 and Windows 8, the file is also legit but could have a security vulnerability. But if you’re following the Microsoft security update guide you are safe.

If any issues, you can verify that the file is signed by Microsoft and running from c:\windows\system32 folder. In Task Manager verify that it runs under the UMFD-0 user. It helps us to ensure it is not a copycat file running from another location.

Fontdrvhost.exe is a legitimate Windows process related to font rendering and font management. It is a part of the Windows Font Driver Host service, which is responsible for handling font operations and rendering fonts on your system.

Fontdrvhost.exe runs in the background to ensure that fonts are displayed correctly in various applications and to provide support for different font-related functionalities. It helps improve the overall appearance of text by rendering fonts with proper anti-aliasing, smoothness, and clarity.

The Font Driver Host service is primarily used to load and manage fonts for applications, including both system fonts and user-installed fonts. It provides a centralized platform for font operations, which helps ensure consistent font rendering across different programs and maintains font-related performance optimizations.

You may notice fontdrvhost.exe running when you open applications that involve extensive use of fonts, such as word processors, graphic design software, web browsers, or any other program that relies heavily on text display. It's a background process that runs when needed and shouldn't consume significant system resources under normal circumstances.

It's worth noting that, like any other executable file, malware or viruses can potentially disguise themselves as fontdrvhost.exe to evade detection. However, in a clean and up-to-date Windows installation, fontdrvhost.exe is a legitimate process and does not pose a threat to your system. If you suspect any issues or unusual behavior related to fontdrvhost.exe, it's recommended to perform a system scan with reliable antivirus software to ensure the integrity of your system files.