Process
fontdrvhost.exe
fontdrvhost.exe is the Usermode Font Driver Host, the sandboxed process that parses and renders fonts. Windows moved font handling out of the kernel into this restricted process because font files have long been a rich source of exploits. One instance runs per session, and like the desktop compositor it is a routine part of the graphical stack.
File identity
- File type: PE32+ executable
- Magic: PE32+ executable (GUI)
- Original name: fontdrvhost.exe
- Internal name: fontdrvhost.exe
- Product: Microsoft® Windows® Operating System
- Status: Signed
- Publisher: Microsoft Corporation
- Signer: Microsoft Windows
- Issuer: Microsoft Windows Production PCA 2011
- Signature rate: 100%
10.0.26100.8328 (WinBuild.160101.0800) 100%
812.60 KB 100%
Execution context
C:\Windows\System32\fontdrvhost.exe 100%
Not observed.
Not observed.
2 100%
Session 0 50%, Session 1 50%
SeChangeNotifyPrivilege 100%, SeIncreaseWorkingSetPrivilege 100%
Ancestry
Not observed.
Behavior
Not observed.
Indicators
Not observed.
Analysis
fontdrvhost.exe is the User Mode Font Driver host (UMFD). Parsing fonts is complex and historically dangerous: for years a malformed font was a reliable way to attack the Windows kernel, because font rendering lived in the kernel-mode win32k component. Windows 10 moved that work into fontdrvhost.exe, a tightly restricted user-mode process, so a font-parsing bug is contained instead of handing an attacker the kernel. The genuine binary lives at C:\Windows\System32\fontdrvhost.exe.
Like dwm.exe, one fontdrvhost.exe runs per session, started by that session's winlogon.exe, and each runs under a dedicated per-session virtual account named Font Driver Host\UMFD-0, Font Driver Host\UMFD-1, and so on. It is normal to see one instance for session 0 and one for the console session, plus more for remote sessions. The process runs with very limited privileges by design.
fontdrvhost.exe only services font requests. It does not start other programs or reach the network, and it stays running for the life of its session.
fontdrvhost.exe is rarely abused directly. Like the compositor, its worth to an analyst is as a baseline: a fixed identity with a known parent, a dedicated UMFD account, low privilege, and no network or child processes, so any deviation stands out. The simplest abuse is impersonation (T1036.005), where malware uses the obscure but trusted name while running from the wrong path or under the wrong account.
The process exists because fonts are an exploitation surface, and it is the mitigation rather than the target. Font parsing is still attacked, but a successful exploit now lands inside this sandbox instead of the kernel. To turn that into real access an attacker has to escape the restricted process and elevate (T1068), so a fontdrvhost.exe that runs outside its UMFD account, gains privileges, or spawns anything is a sign the containment has failed.
- Image path other than C:\Windows\System32\fontdrvhost.exe (high)
- Running as a user account or NT AUTHORITY\SYSTEM rather than a Font Driver Host\UMFD-* virtual account (high)
- Parent other than winlogon.exe (high)
- fontdrvhost spawning child processes (high)
- Outbound network connections from fontdrvhost (high)
- Running at an unexpectedly high integrity level (med)
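The checks listed above can be expressed as a small rule set over process and network events. The following is an added example, not part of the original profile: the event field names (modelled on Sysmon records), the sample events, and the choice to treat "High" and "System" as unexpectedly high integrity are all assumptions.

```python
import re

# Baseline from the analysis above; field names are assumed, Sysmon-style.
EXPECTED_IMAGE = r"c:\windows\system32\fontdrvhost.exe"
EXPECTED_PARENT = r"c:\windows\system32\winlogon.exe"
UMFD_ACCOUNT = re.compile(r"^font driver host\\umfd-\d+$", re.IGNORECASE)
def is_fontdrvhost(path):
    return path.lower().rsplit("\\", 1)[-1] == "fontdrvhost.exe"

def check_event(ev):
    """Return [(severity, finding)] for one event dict."""
    out, image, parent = [], ev.get("Image", ""), ev.get("ParentImage", "")
    if ev["kind"] == "process_create" and is_fontdrvhost(image):
        if image.lower() != EXPECTED_IMAGE:
            out.append(("high", "image path outside System32"))
        if not UMFD_ACCOUNT.match(ev.get("User", "")):
            out.append(("high", "not running as a UMFD virtual account"))
        if parent.lower() != EXPECTED_PARENT:
            out.append(("high", "parent is not winlogon.exe"))
        # Assumption: "High"/"System" count as unexpectedly high.
        if ev.get("IntegrityLevel") in ("High", "System"):
            out.append(("med", "unexpectedly high integrity level"))
    if ev["kind"] == "process_create" and is_fontdrvhost(parent):
        out.append(("high", "fontdrvhost spawned a child process"))
    if ev["kind"] == "network_connect" and is_fontdrvhost(image):
        out.append(("high", "outbound network connection"))
    return out

def scan(events):
    return [(i, sev, msg) for i, ev in enumerate(events)
            for sev, msg in check_event(ev)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"kind": "process_create", "Image": r"C:\Windows\System32\fontdrvhost.exe",
     "ParentImage": r"C:\Windows\System32\winlogon.exe",
     "User": r"Font Driver Host\UMFD-1", "IntegrityLevel": "Low"},
    {"kind": "process_create", "Image": r"C:\Users\Public\fontdrvhost.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"WORKSTATION\alice", "IntegrityLevel": "High"},
    {"kind": "process_create", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\fontdrvhost.exe",
     "User": r"Font Driver Host\UMFD-0", "IntegrityLevel": "Low"},
    {"kind": "network_connect", "Image": r"C:\Windows\System32\fontdrvhost.exe",
     "User": r"Font Driver Host\UMFD-0", "DestinationIp": "203.0.113.10"},
]

for idx, sev, msg in scan(SAMPLE_EVENTS):
    print(f"event {idx}: [{sev}] {msg}")
```

The first sample event matches the baseline and produces no findings; the impersonation case trips the path, account, parent and integrity checks at once.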
Telemetry
Microsoft Windows 11 Enterprise Evaluation 100%
- First seen: 2026-06-08
- Last seen: 2026-06-08
- Machines: 1