Fontdrvhost.exe file – is it safe and legit?

Several days ago a user on Reddit nicknamed u/14022I posted about Fontdrvhost.exe. It seems they suspected some problems with this particular file on their computer. The question was why it uses so much CPU and Memory? The user thought it could be malicious. They might be right or they might be wrong. We`ll explain.

Can someone tell me why "Usermode Font Driver Host" Use a lot of CPU and Memory? I thought this was a malware? from antivirus

What is Fontdrvhost.exe file?

Fontdrvhost.exe is a verifiable file and part of UMFD-0 (the system account generated by the User Mode Driver Framework component). The executable runs with Administrator privileges. As Microsoft signed this file it is safe. It helps to manage font activity on Windows 10. Fontdrvhost.exe is not virus or malware but it is a legitimate Windows process. Security rating for this file makes up 2% of danger.

Briefly, with the help of this file users can use fonts in different programs. But they will start to have significant troubles once the file is infected or does not work properly. Because the file is a root process you should deal with it carefully. If you do wrong here the Windows’s normal functioning will be affected. You won’t be able to view File explorer and other windows habitually because most fonts won’t simply function.

Is Fontdrvhost.exe malicious file?

At the beginning of 2020 Microsoft in order to secure the safety of this executable changed its location to AppContainer instead of the core. In case it gets hijacked only the container will be breached not the whole kernel. Although in Windows 7, 8, and non-updated Windows 10 the file still is in the core. For the owners of Windows 7 or Windows 8 Microsoft prepared advisory on how to secure the system with workarounds and mitigations.

How to know if Fontdrvhost.exe file is malicious?

So if you suspect that this file might be malicious the first usual step would be to check its location. Under the normal circumstances it should be found in C:\Windows\System32\. The case for a hijacked file might be when the file is located in the C:\Users\[username] folder. The file doesn’t have Microsoft sign and its size can go up to 13MB.

To check the location of the file follow the next steps:

  • Open the Task Manager. You can do this by typing in the search bar or press Ctrl + Shift + Esc.
  • Proceed for the Details tab and look for fontdrvhost.exe.
  • The Username of the file should be UMFD-0 and the location C:\Windows\System32.,.
  • You can also check for the Verified Signer value for fontdrvhost.exe process. And if it says “Unable to verify” then the file might be a virus.

    Is Fontdrvhost.exe malicious file?
    Here find the file in question

    To double check everything right-click the file and click Open file location. Having done so you should be navigated to the file`s location. If it is not C:\Windows\System32\, then the file might be rogue.

    Of course, we advise you to run proper scan with a dedicated software solution but if you are confident enough you can do it by yourself then proceed with the next:

    How to delete the malicious Fontdrvhost.exe file?

  • So you know for sure that the file in question is malicious then you can try to simply delete it.
  • Type Uninstall in the search bar. Select Add or remove programs.
  • Find Usermode Font Driver Host or fontdrvhost and click Uninstall.
  • After having done this, restart the system. The problem should be settled.
  • Is Fontdrvhost.exe malicious file?

    In addition you can navigate to the Registry to see if anything is still left. To do press together Windows +R. Type in Regedit and click Ok. And under HKEY_LOCAL_MACHINE>Software look for any malicious entries left. Here we warn you. A user should really be confident in their knowledge before entering and doing any changes here. Any misdoing and the system can be seriously damaged. Know your own risks.

    Andrew Nail

    Cybersecurity journalist from Montreal, Canada. Studied communication sciences at Universite de Montreal. I was not sure if a journalist job is what I want to do in my life, but in conjunction with technical sciences, it is exactly what I like to do. My job is to catch the most current trends in the cybersecurity world and help people to deal with malware they have on their PCs.

    Leave a Reply

    Back to top button