Process

ubiquitoussigned

ctfmon.exe

ctfmon.exe is the process behind Windows text input services, handling things like alternative input methods, language switching, handwriting, and speech for the desktop. It runs quietly per user whenever someone is signed in, and is a routine part of the interactive session.

Microsoft CorporationFirst seen 2026-06-08
CategorySystemTagsshellmicrosoftcore-windows

File identity

File details
File type
PE32+ executable
Magic
PE32+ executable (GUI)
Original name
CTFMON.EXE.MUI
Internal name
CTFMON
Product
Microsoft® Windows® Operating System
Signing information
Status
Signed
Publisher
Microsoft Corporation
Signer
Microsoft Windows
Issuer
Microsoft Windows Production PCA 2011
Signature rate
100%
File version1
  • 10.0.26100.1 (WinBuild.160101.0800)100%
File size1
  • 68.00 KB100%

Execution context

File paths1
  • C:\Windows\System32\ctfmon.exe100%
User context0

Not observed.

Integrity level0

Not observed.

Instances1
  • 1100%
Session1
  • Session 1100%
Token privileges1
  • SeChangeNotifyPrivilege100%

Ancestry

Parents0

Not observed.

Children0

Not observed.

Grandparents0

Not observed.

Grandchildren0

Not observed.

Behavior

Loaded modules0

Not observed.

Named pipes0

Not observed.

Process handles4
Command-line patterns0

Not observed.

Indicators

Hashes

Not observed.

Analysis

About this process

ctfmon.exe runs the Text Services Framework, which coordinates input method editors (IMEs), keyboard layouts, and alternative text input for applications. One instance runs per interactive user, started as part of bringing up the session, and runs as that user. The genuine binary lives at C:\Windows\System32\ctfmon.exe.

Legitimately, ctfmon.exe is present on every signed-in desktop, doing its work in the background. It supports input rather than launching programs, so it does not normally start other processes or reach the network.

Security notes

ctfmon.exe is mostly a baseline process: its value is a steady identity, the logged-on user's account, a Microsoft signature, no children, and no network, so deviations are easy to see. The realistic abuse is impersonation (T1036.005), where malware borrows the obscure but familiar name from the wrong path or runs under the wrong account.

As a persistent per-user process it could also be an injection target (T1055). A ctfmon.exe that loads unusual modules, opens network connections, or spawns anything is acting outside its normal role.

Anomaly signals5
  • Image path other than C:\Windows\System32\ctfmon.exehigh
  • Unsigned image or a signer other than Microsofthigh
  • Running as NT AUTHORITY\SYSTEM rather than the logged-on userhigh
  • ctfmon spawning child processes or making outbound connectionshigh
  • More instances than interactive usersmed

Telemetry

OS prevalence1
  • Microsoft Windows 11 Enterprise Evaluation100%
Observation timeline
First seen
2026-06-08
Last seen
2026-06-08
Machines
1
References

Subsearch

Hasbeen seen inof ctfmon.exe?
Edit this page on GitHub