Usermode Font Driver Host: What fontdrvhost.exe Is and When It Is Malware

Usermode Font Driver Host is a legitimate Windows process. Its executable file is fontdrvhost.exe. Windows uses it to handle font-related work in user mode, which helps isolate font parsing from more sensitive parts of the operating system.

In normal conditions, you may see one or more fontdrvhost.exe processes in Task Manager. Some entries can run under special Windows accounts such as UMFD-0 or UMFD-1. That looks strange, but it is usually normal. The process becomes suspicious when the file is not located in C:\Windows\System32\fontdrvhost.exe, has no Microsoft signature, or is launched from AppData, Temp, a startup folder, or another user-writable location.

Quick answer: is Usermode Font Driver Host malware?

| What you see | Likely meaning | What to do |
|---|---|---|
| C:\Windows\System32\fontdrvhost.exe, signed by Microsoft | Normal Windows component | Do not delete it. Troubleshoot high resource usage if needed. |
| Runs as UMFD-0 or UMFD-1 | Usually normal Windows isolation account | Verify path and signature, but do not treat the account name alone as malware. |
| File is in AppData, Temp, Downloads, or Startup | Suspicious copy using a Windows-like name | Do not trust it. Scan and check persistence entries. |
| High CPU/RAM after opening apps or font menus | Font cache, bad font, driver/app conflict, or Windows issue | Rebuild font cache, update Windows, and isolate third-party software. |

What is fontdrvhost.exe?

fontdrvhost.exe stands for Usermode Font Driver Host. Windows uses this process for font rendering and font handling tasks. Modern Windows separates many font-related operations from the kernel for stability and security. That way, a malformed font or a vulnerable font-parsing path has less direct access to critical system components.

This is why Microsoft community discussions often describe UMFD accounts as Windows-created accounts for User Mode Font Driver Host. These accounts are not normal interactive user accounts. They are used by Windows to isolate font work with limited privileges.

The process is expected on Windows 10 and Windows 11. Deleting it from System32 is not a fix and can damage Windows behavior.

Normal file location

The legitimate file should be here:

C:\Windows\System32\fontdrvhost.exe

To check it:

  1. Open Task Manager.
  2. Find Usermode Font Driver Host or fontdrvhost.exe.
  3. Right-click it and choose Open file location.
  4. Confirm that it opens C:\Windows\System32.
  5. Right-click the file, open Properties → Digital Signatures, and verify Microsoft as the signer.

Why it can run as UMFD-0 or UMFD-1

Seeing UMFD-0, UMFD-1, or a similar account can be alarming because it does not look like your normal username. In most cases, it is not an intruder. Windows can create these isolated accounts for the font driver host process. They may also have small profile folders under C:\Users.

Do not delete those folders just because the name is unfamiliar. First verify that the running process points to the Microsoft-signed file in System32. If that check passes, the UMFD account name is usually expected Windows behavior.

When fontdrvhost.exe may be malware

Malware can use the same name as a legitimate Windows file. Microsoft Security Intelligence has documented threats that copied clean Windows-looking names such as fontdrvhost.exe into %APPDATA% and used startup persistence. That is why the file path matters more than the process name.

Investigate immediately if:

  • the file is not in C:\Windows\System32;
  • the file is unsigned or not signed by Microsoft;
  • it starts from AppData, Temp, Downloads, or a random folder;
  • there is a startup shortcut such as fontdrvhost.lnk pointing outside System32;
  • you see new scheduled tasks or registry Run entries launching this file;
  • antivirus detects other files in the same folder.

How to check authenticity

  1. Open the file location from Task Manager.
  2. Confirm the path is exactly C:\Windows\System32\fontdrvhost.exe.
  3. Open file properties and check the Microsoft digital signature.
  4. Use Windows Security to run a full scan.
  5. If the file path is unusual, upload the file hash or sample to a trusted multi-engine scanner from a safe environment.

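The path and signature checks above can be run against every fontdrvhost.exe instance at once. The following PowerShell is an added example, not part of the original guide; it assumes Windows PowerShell 5.1 or later, and the verdict labels are its own.

```powershell
# Added example: check every running fontdrvhost.exe by path and signature.
# Run from an elevated prompt; otherwise ExecutablePath can be empty for
# processes that belong to other accounts such as UMFD-0.
$expected = Join-Path $env:SystemRoot 'System32\fontdrvhost.exe'

Get-CimInstance Win32_Process -Filter "Name = 'fontdrvhost.exe'" | ForEach-Object {
    $path  = $_.ExecutablePath
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue
    $sig   = if ($path) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }

    # The path must match exactly (-eq is case-insensitive in PowerShell).
    $pathOk = $path -and ($path -eq $expected)
    # The signature must validate and chain to a Microsoft signer.
    $sigOk  = $sig -and ($sig.Status -eq 'Valid') -and
              ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')

    $verdict = if (-not $path) {
        'UNKNOWN: path not readable, rerun elevated'
    } elseif ($pathOk -and $sigOk) {
        'OK'
    } else {
        'SUSPICIOUS'
    }

    [pscustomobject]@{
        PID       = $_.ProcessId
        ParentPID = $_.ParentProcessId
        Account   = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '?' }
        Path      = $path
        Signature = if ($sig) { $sig.Status } else { 'n/a' }
        Signer    = if ($sig) { $sig.SignerCertificate.Subject } else { 'n/a' }
        Verdict   = $verdict
    }
} | Format-List
```

A SUSPICIOUS verdict means the path or the signature check failed for that instance; the Account field alone (for example UMFD-0) does not affect the verdict.
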
High CPU or RAM usage

High resource usage by fontdrvhost.exe is usually not a sign that the process itself is malicious. Common causes include a corrupted font cache, a problematic font file, graphics/font rendering issues, Office or browser font menu problems, remote desktop sessions, or a third-party app repeatedly loading fonts.

Try these fixes in order:

  1. Restart Windows once and check whether usage returns to normal.
  2. Install pending Windows updates.
  3. Update graphics drivers from the PC or GPU vendor.
  4. Temporarily close apps that heavily use fonts: Office apps, browsers, design tools, PDF editors, and games with overlays.
  5. Rebuild the Windows font cache if the process spikes when opening font menus.
  6. Use a clean boot to isolate third-party services if the issue returns after every restart.

How to rebuild the font cache

If font menus freeze, text disappears, or fontdrvhost.exe keeps using memory, rebuilding the font cache may help:

  1. Press Win + R, type services.msc, and press Enter.
  2. Find Windows Font Cache Service.
  3. Stop the service.
  4. Open C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache.
  5. Delete font cache files in that folder.
  6. Restart Windows.

How to remove a fake fontdrvhost.exe

If the file is outside System32, do not delete only the visible EXE and stop. A fake copy may be relaunched by a startup shortcut, scheduled task, registry Run key, or another loader.

  1. Disconnect from the internet if the system shows ransomware, credential theft, or redirect symptoms.
  2. Keep Windows Security active and run a full scan.
  3. Check Task Manager startup entries for anything launching the suspicious path.
  4. Check Task Scheduler for recently created tasks.
  5. Check shell:startup for shortcuts pointing to fontdrvhost.exe outside System32.
  6. Remove companion files from the same suspicious folder only after scanning or documenting them.
  7. Change passwords from a clean device if the fake file was executed from an untrusted download.

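The startup, Task Scheduler, and shell:startup checks in the steps above can be combined into one read-only sweep. This PowerShell is an added example, not part of the original guide; the function names Test-FakeReference and Get-FakeFontHostAutostart are hypothetical, and the script only lists entries without removing anything.

```powershell
# Added example: list autostart entries that mention fontdrvhost but do not
# point at the genuine System32 file. Read-only; nothing is deleted.
$expected = Join-Path $env:SystemRoot 'System32\fontdrvhost.exe'

function Test-FakeReference([string]$Text) {
    # True when the text mentions fontdrvhost but not the System32 path.
    $t = [Environment]::ExpandEnvironmentVariables($Text)
    ($t -match 'fontdrvhost') -and
        ($t.IndexOf($expected, [StringComparison]::OrdinalIgnoreCase) -lt 0)
}

function Get-FakeFontHostAutostart {
    # 1. Startup folder shortcuts (current user and all users).
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in 'Startup', 'CommonStartup') {
        $folder = [Environment]::GetFolderPath($dir)
        Get-ChildItem -LiteralPath $folder -Filter *.lnk -ErrorAction SilentlyContinue |
            ForEach-Object {
                $target = $shell.CreateShortcut($_.FullName).TargetPath
                if (Test-FakeReference "$($_.Name) $target") {
                    [pscustomobject]@{ Source = 'Startup folder'; Entry = $_.FullName; Command = $target }
                }
            }
    }

    # 2. Registry Run and RunOnce values.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($name in 'Run', 'RunOnce') {
            $keyPath = "$hive\Software\Microsoft\Windows\CurrentVersion\$name"
            $key = Get-Item -LiteralPath $keyPath -ErrorAction SilentlyContinue
            if (-not $key) { continue }
            foreach ($value in $key.GetValueNames()) {
                $cmd = [string]$key.GetValue($value)
                if (Test-FakeReference $cmd) {
                    [pscustomobject]@{ Source = $keyPath; Entry = $value; Command = $cmd }
                }
            }
        }
    }

    # 3. Scheduled tasks whose action launches a fontdrvhost copy.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions | Where-Object { $_.Execute }) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if (Test-FakeReference $cmd) {
                [pscustomobject]@{ Source = 'Scheduled task'; Entry = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd }
            }
        }
    }
}

Get-FakeFontHostAutostart | Format-List
```

Run it elevated so that machine-wide tasks and HKLM keys are readable; an empty result means none of these three locations references a fontdrvhost copy outside System32.
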
Need a second opinion?

If the process is not the Microsoft-signed System32 file, or if it keeps returning through startup entries, verify the system before trusting it.

FAQ

Can I delete fontdrvhost.exe?

No, not if it is the Microsoft-signed file in C:\Windows\System32. It is part of Windows font handling. If a copy exists outside System32, treat that copy as suspicious and investigate it.

Why are there multiple fontdrvhost.exe processes?

Multiple instances can appear because Windows isolates font work across sessions or accounts. Verify the path and signature instead of judging by process count alone.

Is UMFD-0 a hacker account?

Usually no. UMFD-0 is normally associated with Windows User Mode Font Driver Host isolation. It is not a regular login account. The important check is whether the related process is the Microsoft-signed System32 file.

Why does fontdrvhost.exe use high memory?

High memory can be caused by font cache issues, a bad font, a graphics/font rendering bug, Office/browser font menus, or third-party apps. Rebuild the font cache and update Windows before assuming malware.

What is the safest way to confirm it is clean?

Open the file location from Task Manager, confirm C:\Windows\System32\fontdrvhost.exe, check the Microsoft digital signature, and scan the system. If the path is different, do not trust the file.

Bottom line: Usermode Font Driver Host is normally a legitimate Windows component. Do not delete the System32 file. Investigate only when the file path, signature, startup behavior, or antivirus context points to a fake copy.

About the author

Wilbur Woodham

Technical writer covering malware detections, unwanted programs, and browser-based threats. Wilbur turns research notes into step-by-step guides that Windows users can follow safely.
