The Windows Process Journey — ctfmon.exe (CTF Loader)

“ctfmon.exe” is a user-mode process which is executed from %SystemRoot%\System32\ctfmon.exe. If you are using a 64 bit version of Windows, there is also a 32 bit version of “ctfmon.exe” located at C:\Windows\SysWOW64\ctfmon.exe. By parsing the file information we can see that it is described as a “CTF Loader”. CTF stands for “Collaboration Translation Framework”, it is used by Microsoft Office.

The goal of “ctfmon.exe” is to provide different input capabilities for users such as speech and handwriting recognition. By the way, it will run even if you are not using Microsoft Office.

“Ctfmon.exe” is launched as a child process of the service TabletInputService (“Touch Keyboard and Handwriting Panel Service”), which is hosted by “svchost.exe” — as shown in the screenshot below. Thus, if we want to stop “ctfmon.exe” we can just disable/stop that service. For more information about what is “svchost.exe” you can read the following link https://medium.com/@boutnaru/the-windows-process-journey-svchost-exe-host-process-for-windows-services-b18c65f7073f.

You can follow me on twitter — @boutnaru (https://twitter.com/boutnaru).