Is Usermode Font Driver Host Malware?

Usermode Font Driver Host. Is it malware?
Written by Wilbur Woodham

If you have identified the process called Usermode Font Driver Host as a potential cause of your computer running slowly or if you’re curious to learn more about this process, you’ve come to the right place. In this article, we will delve into the details of the process, its purpose, and whether or not it can be classified as malware.

What is Usermode Font Driver Host?

Usermode Font Driver Host is a crucial Windows system process responsible for managing fonts on your system. It operates with administrative privileges to ensure the availability and functionality of a diverse range of fonts in Windows. While it may seem like a straightforward task to display fonts correctly, the process is actually quite complex. Usermode Font Driver Host acts as the fonts driver that Windows relies on for efficient font management and seamless integration with other hardware drivers.

Usermode Font Driver Host Appearance

This is how the Usermode Font Driver Host process normally looks in the Task Manager’s Processes tab.

Usermode Font Driver Host launches from the fontdrvhost.exe file. It is a legitimate Windows file and, as expected, carries a Microsoft Windows digital signature. Below we show how to check whether the file has this signature and the corresponding certificate.

Possible problems

As users report (in this Reddit thread, for example), fontdrvhost.exe can at times consume a significant amount of system resources. Although this indicates something is wrong, it is unlikely that Usermode Font Driver Host is malware. Usermode Font Driver Host is a root process, and we recommend that you do not shut it down.

Consider reading our summary article on the probable causes of a PC running slowly. However, if you notice that it is specifically fontdrvhost.exe that causes the performance issues, the cause could be a corrupted font or a problem with the font cache.

You might want to try clearing the font cache. Follow these instructions to do it:

  • Press Win+R and input services.msc in the text field. Press Enter.
  • The list of Windows services will appear. Find Windows Font Cache Service in the list, right-click it and select Stop.
  • Press Win+E and Windows Explorer will open. Now you have to get here:
    Be advised! Some of the folders on this path require the administrator’s clearance to access, and some are hidden. Therefore, you might need to paste each subsequent directory to the address line, confirming your intention to access certain folders as administrator.
  • Once you reach the needed folder (FontCache), delete all the objects in this directory.
  • After that, go to C:\Windows\System32 folder and find the FNTCACHE.DAT file. Delete it.
  • Restart your PC. Windows will create the font cache anew, without any problems it could have previously caused.

CAUTION: Be very careful while performing these actions. Don’t make a mistake, especially when editing/removing files in system folders.

Authenticity check

The appearance of a second Usermode Font Driver Host process could justify concerns about an infection of your PC. It happens sometimes, and the Reddit thread here raises the question of what to do in such a situation. Before employing security software, consider performing preliminary checks. Open Task Manager by pressing Ctrl+Shift+Esc. In its Processes tab (in Windows 10, it opens by default), you will see whether more than one instance of the process in question is running.

It is advisable to check several things about a process you suspect: the location of the respective file, whether a trustworthy developer has signed this file, and the user name the process runs under.

Checking file location

  • Within the Task Manager’s Processes tab, find the Usermode Font Driver Host process. You can type its name to find it quickly.
  • Right-click on the process, and in the drop-down menu, select Open file location.

The executable file should be in the C:\Windows\System32\ directory, which is the first sign that this particular file is not corrupted. The name of the executable is fontdrvhost.exe.

Checking digital signature

You can right-click the file directly in the System32 folder and select Properties in the menu that opens. Alternatively, you can open the Details tab of the Task Manager and right-click the file there. The Processes tab also gives access to file properties, but for that you have to right-click the related process’s entry.

In file Properties, open the Digital Signatures tab and check the file’s signatures – a tool to ensure its legitimate origin. The signer of the file in question should be Microsoft Windows.

Checking user name

The last thing to check is the user name the process runs under. Go to the Details tab in Task Manager and find fontdrvhost.exe there. The expected User name value is UMFD-0. This is the name of the technical system account created by the User-mode Driver Framework platform to assist the management of fonts in Windows.
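
The three checks above (file location, signer, user name) can also be run in one pass from PowerShell. This is an added example, not part of the original article; the variable names are illustrative, and the owner check accepts any UMFD-<number> account rather than only UMFD-0, on the assumption that Windows uses one such account per logon session.

```powershell
# Added example (not from the article). Run from an elevated prompt:
# without elevation, ExecutablePath and the owner can come back empty.
$expectedPath   = Join-Path $env:SystemRoot 'System32\fontdrvhost.exe'
$expectedSigner = 'CN=Microsoft Windows'  # signer named in the article
$ownerPattern   = '^UMFD-\d+$'            # assumption: UMFD-0, UMFD-1, ...

$procs = @(Get-CimInstance -ClassName Win32_Process -Filter "Name = 'fontdrvhost.exe'")
if ($procs.Count -eq 0) { Write-Warning 'No fontdrvhost.exe process is running.' }

$results = foreach ($proc in $procs) {
    $path  = $proc.ExecutablePath
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner

    # The signature can only be verified when the image path is readable.
    $sig    = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # Each flag corresponds to one of the article's three checks.
    $pathOk  = [bool]$path -and ($path -eq $expectedPath)
    $sigOk   = [bool]$sig -and ($sig.Status -eq 'Valid') -and ($signer -like "$expectedSigner,*")
    $ownerOk = ($owner.ReturnValue -eq 0) -and ($owner.User -match $ownerPattern)

    [pscustomobject]@{
        ProcessId   = $proc.ProcessId
        SessionId   = $proc.SessionId
        Path        = $path
        PathOk      = $pathOk
        Signer      = $signer
        SignatureOk = $sigOk
        User        = $owner.User
        OwnerOk     = $ownerOk
        Suspicious  = -not ($pathOk -and $sigOk -and $ownerOk)
    }
}

$results | Format-List
$flagged = @($results | Where-Object Suspicious)
if ($flagged.Count -gt 0) {
    Write-Warning "$($flagged.Count) fontdrvhost.exe process(es) failed at least one check."
}
```

A process is marked Suspicious when any one of the three checks fails or cannot be completed, so an empty Path or User on a non-elevated run should be re-checked from an elevated prompt before drawing conclusions.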

If fontdrvhost.exe is malicious

If at least one of the suggested checks shows unexpected results, it is distinctly possible that Usermode Font Driver Host is malware in your case. You’re probably dealing with a Trojan horse here. It is time to employ antivirus software. Considering your security programs failed to alert you, you need a solution to provide you with decent protection.

Of course, it is a huge plus if you conduct your own research to find software most suitable for your style, but allow us to recommend you a program of outstanding power, versatility, and efficiency – GridinSoft Anti-Malware. It can function as a primary tool of system protection but also as an additional lightweight scanner utility. The price-performance ratio of this program plays totally in favor of the client.


About the author

Wilbur Woodham

I was a technical writer from early in my career, and consider IT Security one of my foundational skills. I’m sharing my experience here, and I hope you find it useful.
