Knowledgebase

Fontdrvhost.exe file – is it safe and legit?

Several days ago a user on Reddit nicknamed u/14022I posted about Fontdrvhost.exe. It seems they suspected some problems with this particular file on their computer. The question was why it uses so much CPU and Memory? The user thought it could be malicious. They might be right or they might be wrong. We`ll explain.

What is Fontdrvhost.exe file?

Fontdrvhost.exe is a verifiable file and part of UMFD-0 (the system account generated by the User Mode Driver Framework component). The executable runs with Administrator privileges. As Microsoft signed this file it is safe. It helps to manage font activity on Windows 10. Fontdrvhost.exe is not virus or malware but it is a legitimate Windows process. Security rating for this file makes up 2% of danger.

Briefly, with the help of this file users can use fonts in different programs. But they will start to have significant troubles once the file is infected or does not work properly. Because the file is a root process you should deal with it carefully. If you do wrong here the Windows’s normal functioning will be affected. You won’t be able to view File explorer and other windows habitually because most fonts won’t simply function.

At the beginning of 2020 Microsoft in order to secure the safety of this executable changed its location to AppContainer instead of the core. In case it gets hijacked only the container will be breached not the whole kernel. Although in Windows 7, 8, and non-updated Windows 10 the file still is in the core. For the owners of Windows 7 or Windows 8 Microsoft prepared advisory on how to secure the system with workarounds and mitigations.

How to know if Fontdrvhost.exe file is malicious?

So if you suspect that this file might be malicious the first usual step would be to check its location. Under the normal circumstances it should be found in C:\Windows\System32\. The case for a hijacked file might be when the file is located in the C:\Users\[username] folder. The file doesn’t have Microsoft sign and its size can go up to 13MB.

To check the location of the file follow the next steps:

  • Open the Task Manager. You can do this by typing in the search bar or press Ctrl + Shift + Esc.
  • Proceed for the Details tab and look for fontdrvhost.exe.
  • The Username of the file should be UMFD-0 and the location C:\Windows\System32.,.
  • You can also check for the Verified Signer value for fontdrvhost.exe process. And if it says “Unable to verify” then the file might be a virus.

    Here find the file in question

    To double check everything right-click the file and click Open file location. Having done so you should be navigated to the file`s location. If it is not C:\Windows\System32\, then the file might be rogue.

    Of course, we advise you to run proper scan with a dedicated software solution but if you are confident enough you can do it by yourself then proceed with the next:

    How to delete the malicious Fontdrvhost.exe file?

  • So you know for sure that the file in question is malicious then you can try to simply delete it.
  • Type Uninstall in the search bar. Select Add or remove programs.
  • Find Usermode Font Driver Host or fontdrvhost and click Uninstall.
  • After having done this, restart the system. The problem should be settled.
  • In addition you can navigate to the Registry to see if anything is still left. To do press together Windows +R. Type in Regedit and click Ok. And under HKEY_LOCAL_MACHINE>Software look for any malicious entries left. Here we warn you. A user should really be confident in their knowledge before entering and doing any changes here. Any misdoing and the system can be seriously damaged. Know your own risks.

    Andrew Nail

    Cybersecurity journalist from Montreal, Canada. Studied communication sciences at Universite de Montreal. I was not sure if a journalist job is what I want to do in my life, but in conjunction with technical sciences, it is exactly what I like to do. My job is to catch the most current trends in the cybersecurity world and help people to deal with malware they have on their PCs.

    Recent Posts

    Remove Pbmsoultions.com Pop-up Ads

    About Pbmsoultions.com Pbmsoultions.com pop-ups can not launch out of the blue. If you have actually…

    2 days ago

    Remove Prizestash.com Pop-up Ads

    About Prizestash.com Prizestash.com pop-ups can not expose out of the blue. If you have actually…

    2 days ago

    Remove Verifiedbreaking.com Pop-up Ads

    About Verifiedbreaking.com Verifiedbreaking.com pop-ups can not launch out of nowhere. If you have actually clicked…

    2 days ago

    Remove Themoneyminutes.com Pop-up Ads

    About Themoneyminutes.com Themoneyminutes.com pop-ups can not launch out of the blue. If you have actually…

    2 days ago

    Remove News-xcidizi.com Pop-up Ads

    About News-xcidizi.com News-xcidizi.com pop-ups can not introduce out of nowhere. If you have clicked some…

    2 days ago

    Remove Everytraffic-flow.com Pop-up Ads

    About Everytraffic-flow.com Everytraffic-flow.com pop-ups can not launch out of nowhere. If you have actually clicked…

    2 days ago