Medium Risk | Windows | Legitimate | Commonly Abused | System Process

fontdrvhost.exe - Font Driver Host Security Analysis

fontdrvhost.exe (Usermode Font Driver Host) handles **font rendering** in user mode rather than kernel mode for improved security. Font parsing has historically been a source of **critical vulnerabilities**. Attackers may masquerade malware as fontdrvhost.exe or exploit font vulnerabilities for code execution.

Risk Summary

MEDIUM priority for SOC triage. fontdrvhost.exe is a legitimate font rendering process. Monitor for instances running outside System32, instances with an unusual parent process, or unexpected additional instances, any of which may indicate masquerading.

Overview

What is fontdrvhost.exe?

fontdrvhost.exe hosts user-mode font drivers, isolating font rendering from the kernel.

Core Functions

Font Rendering:

  • Processes TrueType fonts
  • Handles OpenType fonts
  • Isolates font code from kernel

Security Design

Font rendering was moved to user mode to:

  • Prevent kernel exploits via fonts
  • Isolate font parsing vulnerabilities
  • Improve system stability

Normal Behavior

Expected Process State

Path:        C:\Windows\System32\fontdrvhost.exe
Parent:      wininit.exe or services.exe
User:        UMFD-0, UMFD-1, etc.
Instances:   Multiple (per session)
Network:     None

Process Hierarchy

wininit.exe
└── fontdrvhost.exe (UMFD-0)

winlogon.exe
└── fontdrvhost.exe (UMFD-1)

Common Locations

C:\Windows\System32\fontdrvhost.exe

Suspicious Indicators

Legitimate vs Suspicious

LEGITIMATE

Path:        C:\Windows\System32\fontdrvhost.exe
Parent:      wininit.exe, winlogon.exe
User:        Font Driver Host\UMFD-n
Network:     None

SUSPICIOUS

Path:        C:\Windows\fontdrvhost.exe
             C:\Users\...\fontdrvhost.exe
Parent:      explorer.exe, cmd.exe
User:        Standard user
Network:     Any

Abuse Techniques

Attack Techniques

Technique #1: Process Masquerading (T1036.005)

Malware that adopts the fontdrvhost.exe name (typically from a non-System32 path) to blend in with the legitimate process.

Technique #2: Font Vulnerability Exploitation (T1203)

Historical font parsing vulnerabilities:

  • Malicious font files
  • Triggered by document opening
  • Remote code execution

Remediation Steps

Protection and Remediation

Defense: Keep Windows Updated

Font vulnerabilities are regularly patched.

If Compromise Suspected

  1. Verify path is System32
  2. Check parent process
  3. Validate user context
  4. Compare hash with known-good

Investigation Checklist

  • Verify path is C:\Windows\System32
  • Confirm parent is wininit.exe or winlogon.exe
  • Check user is UMFD-n
  • Validate no network connections
  • Search for fontdrvhost.exe elsewhere
  • Compare file hash
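The "If Compromise Suspected" steps and the checklist above can be run as one triage pass. The following PowerShell script is an added example, not code from the original page: it enumerates running fontdrvhost.exe instances and checks path, parent, user context, network connections, signature and hash, then searches the system drive for copies of the name outside System32. The known-good SHA256 is left empty by assumption; supply one from a trusted reference system.

```powershell
# Added example, not the page's own code: triage running fontdrvhost.exe instances
# against the expected path, parent, user context, network state and file hash.
$ExpectedPath    = "$env:SystemRoot\System32\fontdrvhost.exe"
$ExpectedParents = @('wininit.exe', 'winlogon.exe')
# Optional: SHA256 of fontdrvhost.exe taken from a trusted reference system (assumption).
$KnownGoodSha256 = $null
$procs = @(Get-CimInstance Win32_Process -Filter "Name = 'fontdrvhost.exe'")
if ($procs.Count -eq 0) { Write-Host 'No fontdrvhost.exe instances running.' }

foreach ($p in $procs) {
    $findings = @()
    # 1. Path must be System32 (a null path usually means access was denied).
    if ($p.ExecutablePath -ne $ExpectedPath) {
        $findings += "Unexpected path: '$($p.ExecutablePath)'"
    }

    # 2. Parent must be wininit.exe (UMFD-0) or winlogon.exe (UMFD-1).
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    if (-not $parent -or $parent.Name -notin $ExpectedParents) {
        $findings += "Unexpected parent: '$($parent.Name)' (PID $($p.ParentProcessId))"
    }

    # 3. User context must be Font Driver Host\UMFD-n, never a standard user.
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $user  = "$($owner.Domain)\$($owner.User)"
    if ($owner.User -notmatch '^UMFD-\d+$') { $findings += "Unexpected user: $user" }

    # 4. The process should have no network connections at all.
    $conns = @(Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue)
    if ($conns.Count -gt 0) { $findings += "$($conns.Count) TCP connection(s) open" }

    # 5. On-disk image: Authenticode/catalog signature and optional hash comparison.
    if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
        $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        if ($sig.Status -ne 'Valid') { $findings += "Signature status: $($sig.Status)" }
        $hash = (Get-FileHash -LiteralPath $p.ExecutablePath -Algorithm SHA256).Hash
        if ($KnownGoodSha256 -and $hash -ne $KnownGoodSha256) {
            $findings += "SHA256 $hash differs from known-good"
        }
    }
    $verdict = if ($findings.Count -gt 0) { 'SUSPICIOUS' } else { 'OK' }
    Write-Host "PID $($p.ProcessId) [$verdict] $user"
    $findings | ForEach-Object { Write-Host "    - $_" }
}

# 6. Look for copies of the name outside System32 (slow on large volumes).
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Filter 'fontdrvhost.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -ne $ExpectedPath } |
    ForEach-Object { Write-Host "Copy outside System32: $($_.FullName)" }
```

Run from an elevated PowerShell session so the UMFD-n processes and their executable paths are readable; any instance reported as SUSPICIOUS should be preserved (memory and on-disk image) before termination.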

MITRE ATT&CK Techniques

  • T1036.005 - Masquerading: Match Legitimate Name or Location
  • T1203 - Exploitation for Client Execution

Last verified: January 18, 2026