Several days ago a user on Reddit nicknamed u/14022I posted about Fontdrvhost.exe. It seems they suspected some problems with this particular file on their computer. The question was why it uses so much CPU and Memory? The user thought it could be malicious. They might be right or they might be wrong. We`ll explain.
What is Fontdrvhost.exe file?
Fontdrvhost.exe is a verifiable file and part of UMFD-0 (the system account generated by the User Mode Driver Framework component). The executable runs with Administrator privileges. As Microsoft signed this file it is safe. It helps to manage font activity on Windows 10. Fontdrvhost.exe is not virus or malware but it is a legitimate Windows process. Security rating for this file makes up 2% of danger.
Briefly, with the help of this file users can use fonts in different programs. But they will start to have significant troubles once the file is infected or does not work properly. Because the file is a root process you should deal with it carefully. If you do wrong here the Windows’s normal functioning will be affected. You won’t be able to view File explorer and other windows habitually because most fonts won’t simply function.
At the beginning of 2020 Microsoft in order to secure the safety of this executable changed its location to AppContainer instead of the core. In case it gets hijacked only the container will be breached not the whole kernel. Although in Windows 7, 8, and non-updated Windows 10 the file still is in the core. For the owners of Windows 7 or Windows 8 Microsoft prepared advisory on how to secure the system with workarounds and mitigations.
How to know if Fontdrvhost.exe file is malicious?
So if you suspect that this file might be malicious the first usual step would be to check its location. Under the normal circumstances it should be found in C:\Windows\System32\. The case for a hijacked file might be when the file is located in the C:\Users\[username] folder. The file doesn’t have Microsoft sign and its size can go up to 13MB.
To check the location of the file follow the next steps:
You can also check for the Verified Signer value for fontdrvhost.exe process. And if it says “Unable to verify” then the file might be a virus.
To double check everything right-click the file and click Open file location. Having done so you should be navigated to the file`s location. If it is not C:\Windows\System32\, then the file might be rogue.
Of course, we advise you to run proper scan with a dedicated software solution but if you are confident enough you can do it by yourself then proceed with the next:
How to delete the malicious Fontdrvhost.exe file?
In addition you can navigate to the Registry to see if anything is still left. To do press together Windows +R. Type in Regedit and click Ok. And under HKEY_LOCAL_MACHINE>Software look for any malicious entries left. Here we warn you. A user should really be confident in their knowledge before entering and doing any changes here. Any misdoing and the system can be seriously damaged. Know your own risks.