FAQ: Why does WDS / Windows Vista use so many processes?
The three processes used by the Windows Search service are SearchIndexer.exe, SearchProtocolHost.exe, and SearchFilterHost.exe. Sometimes you may even see multiple instances of the latter two running simultaneously (especially if multiple users are logged in).
So why are they divided up in this way? To find out, let’s look at what each of the processes does.
SearchIndexer.exe
This process runs as a system service under the SYSTEM account. It is responsible for maintaining the index, servicing queries, as well as deciding what to crawl and when.
SearchProtocolHost.exe
This process sometimes runs under the SYSTEM account, and other times runs in the context of the current user. It hosts a Protocol Handler responsible for enumerating items in a specific store (such as the File System, Outlook, UNC shares, Lotus, etc.).
Why is it separate?
- Access – Sometimes it needs to run in the context of the SYSTEM account (i.e. to index the filesystem, even when a user is not logged in). Other times it needs to run in the context of the user, so that it can access data that is ACL’d for that user (network shares, Offline files) or accessed via a program the user is running (Outlook, Thunderbird).
- Reliability – If a protocol handler, which may be written by a third party, crashes, it will not crash the indexer itself. This reduces the risk of index corruption, and ensures that you can still issue queries even if a protocol handler crashes or hangs.
- Security – Isolating code that interacts with possibly untrusted data stores can mitigate vulnerabilities in said code.
SearchFilterHost.exe
This process hosts the actual IFilters. These filters are responsible for processing individual items, such as files, in a data store.
Why is it separate?
- Security – This process is tightly locked down. For example, it cannot even read the filesystem. It runs with reduced privileges (kind of like Protected Mode IE). Why is this important? Well, think back to the WMF file vulnerability a year or so ago. Google Desktop Search would trigger the vulnerability whenever it indexed one of those files. If you received it as an e-mail attachment, you would have a 0-click attack because they don’t sandbox the indexing process. This wasn’t a problem for WDS users because we have always isolated filtering to a separate locked-down process.
- Reliability – Same as with the Protocol Handlers. IFilters are very often third-party code, and may be subjected to corrupted files. Keeping them separated improves robustness to crashes / hangs in third-party code or when dealing with corrupted data.
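The crash and hang isolation described above for the protocol and filter hosts, as an added sketch that is not Windows Search code: a long-lived indexer hands each item to a throwaway child process, so a parser that dies or spins costs one item, not the index. The filter, the item names and the `CRASH`/`HANG` triggers are constructed for illustration, and the sketch does not reproduce the reduced privileges of SearchFilterHost.exe.

```python
import subprocess
import sys

# Stand-in for a third-party filter (hypothetical): lowercases its input.
# Two constructed inputs trigger the failure modes the article mentions.
FILTER_SOURCE = r"""
import os, sys
data = sys.stdin.buffer.read()
if data.startswith(b"CRASH"):   # malformed file that crashes the parser
    os.abort()
if data.startswith(b"HANG"):    # malformed file that makes the parser spin
    while True:
        pass
sys.stdout.buffer.write(data.lower())
"""

def run_filter(data: bytes, timeout: float = 2.0):
    """Run the filter on one item in a child process.

    Returns (text, None) on success or (None, reason) on failure.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", FILTER_SOURCE],
            input=data, capture_output=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return None, "hang"      # run() has already killed the child
    if proc.returncode != 0:
        return None, "crash"     # child died; the indexer is unaffected
    return proc.stdout.decode("utf-8", "replace"), None

def build_index(items: dict):
    """Index every item; a bad item is recorded and skipped, never fatal."""
    index, failures = {}, {}
    for name, data in items.items():
        text, reason = run_filter(data)
        if reason:
            failures[name] = reason
            continue
        for word in text.split():
            index.setdefault(word, set()).add(name)
    return index, failures

# Constructed sample store: two normal items and two hostile ones.
SAMPLE_ITEMS = {
    "notes.txt": b"Quarterly budget review", "bad.wmf": b"CRASH\x00\x01",
    "loop.bin": b"HANG", "todo.txt": b"Review index settings",
}
```

Calling `build_index(SAMPLE_ITEMS)` still returns a queryable index for the two good items and reports the other two as failures.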
Comments are closed.
Makes perfect sense, thanks for the explanation.
Brandon,
I never really thought through what each of those processes do or why they’re separated but it does make a lot of sense, especially restricting SearchFilterHost.exe so much. Interesting stuff to say the least.
Slightly related but I’m working on a property handler for media files (AVI is most important format but others too) using XMP. It’s basically alpha quality. If it interests you, you can check it out at http://sourceforge.net/projects/vistaprophand . Sorry to talk about this in a comment but I couldn’t figure out a way to email you directly.
Hi Brandon,
Why do I keep getting a message from searchprotocolhost.exe saying “Database login failed: Catastrophic failure.” It is running under the User, not the System. Am I missing an update?
Any help would be appreciated.
I can see why they need to be separate processes. What I’m struggling with is why searchprotocolhost.exe feels the need to grab 40% of my CPU capacity when there are other apps active, preventing me from doing anything productive…
The problem with my SearchProtocolHost.exe is that it is constantly reading random music files all day long after disabling all mediacenter sharing, zune sharing, and others. It’s always slowing me down to 15 fps during games because I can disable it all day long in services.msc and other places…but it always seems to run no matter what I tell Vista.
Hello, thanks for such a nice review and explanation for the three mysterious looking processes.
But what I am troubled about is the CPU/Memory use these processes are making and that too unwanted.
On my XP machine these processes came only after I installed Win Desktop Search 3.1, is there any way to keep these processes disabled preferably or keeping low memory…..
Regards,
MADHUR
Disable XML indexing by going to control panel, Indexing Options and unchecking XML as an extension (it’s under the advanced button). There appears to be a bug in indexing XML files. WDS should drop its CPU usage considerably. I personally recommend limiting the number and type of files indexed. I have unchecked my music files (I use itunes, so no need to index) and graphics/file formats I don’t use (3gp etc). I also have unchecked .zip and .rar files. I keep all those files in one spot anyway.
I really hate Vista Search; they took a good idea and just ruined it with poor execution. The indexer is slow, hard to configure and uses a ton of resources.
….
I can’t pause it, I can’t schedule it, I cannot get it to just index groups. On day one of setting up Vista all I really want is all the filenames to be indexed like Avafind and then do the content indexing at night when I’m asleep (or not at all). I also only want to include certain groups like documents, music and movies in the “content” index, basically an opt in setup. However someone at Microsoft decided that people should be forced an agonizing setup ordeal one file extension at a time.
…
The only thing I really like about Vista Search is that it has a field in the Start Menu.
I run ZoneAlarm and searchprotocolhost comes up in bursts where it will access the internet 20 times 5 seconds apart. This annoys me enough I will not click “remember this” to give it permanent permission. Why does it hit the internet so much and so often? It is supposed to be indexing stuff on my system. I can see a once a day attempt to get updates, but this is way too much.
I agree with Richard in #9 comment:
I would really like to know WHY Vista needs to access the net so often when I am just searching for things on my hard drive??
Vista is really annoying and seems very Big Brotherish. I hate UAC and I hate Search Filter Host.
How can I stop this file from trying to access the web? My firewall alerts me every time and it seems to happen about every few minutes, it’s a real bother.
I’m not prepared to stop the alerts as other programs do try to access the web without my permission which I want to know.
Thanks
Hi Stephen,
Which process are you referring to? Do you have Outlook installed and being indexed? If so, the MAPI protocol handler (which runs in SearchProtocolHost.exe) will load the MAPI store which may result in Outlook contacting the mail server. This is just MAPI / Outlook working as designed, and performing the same operations it normally performs in the Outlook.exe process.
Hope that helps,
Brandon
The program is Microsoft Search Filter Host, it tries to access the Internet every time I open a photo or go to my pictures folder, this is such a pain as I do a lot of photo editing and such, I have blocked it with my firewall but I get the alerts quite frequently. Any way to disable this program, it’s:
C:/WINDOWS/SYSTEM32/SEARCHFILTERHOST.EXE
Could be a bug in your firewall software. Which firewall program are you using? Firewalls that show alerts for things like this are generally overkill and even problematic, since the user is very rarely in a position to actually answer the question being asked.
Second, why bother blocking it? Can’t you just click Allow and not get the warnings again?
Third, SearchFilterHost.exe itself doesn’t really do anything. It loads handlers that do the work depending on what type of file is being indexed. It could be that you loaded a handler that is trying to access the network (either directly or indirectly). Although to be honest I’m not sure SearchFilterHost even allows network access… I’ll try to see what I can find out. Which OS is this on?
Oh, only about TWENTY instances of this running on my Vista system, and it was snappy at startup, but VERY slow just running a few programs, and 50-60% CPU usage (NOT attributed to these processes / instances). WTF? Vista, what a bag of crap, and anyone paying for Vista AND Windows 7 is a fool – Vista was a Windows 7 BETA, nothing more, nothing less. Personally, after years of Windows experience and general tech experience, I’m sick of being an unpaid Beta Tester – if companies can’t afford to bring competent, fully-tested products to market, they should not bother at all – we’ll not be dying of malnutrition without them, and probably we’ll all have more money and more time (that doesn’t mean the impossible ideal of bug-free, that means ready-for-market in an ethical sense, not in a ‘we can bullshit them to accept these bugs so the product is ready’ sense).
Fuck Microsoft, and fuck ANY company making DLNA products, bullshitting the consumer that DLNA is a ‘standard’ or a ‘certification’ Sharp with your crap Blue-Ray player, I’m looking at you, worthless bag of crap crashes just because it doesn’t understand a file’s codec?? What world do you live in, one where there’s only one file format and you can’t even program an error message and refuse the file gracefully? My £15 Sumvision player could play it, your £150 BD Player couldn’t and needed a hard reset, well done, idiots.
Collective delusion of the market is so ugly – but not as ugly as the face of those who encourage it due to being too incompetent to perform up to standard with their products. Go kill yourselves, or perhaps just do your jobs, no?!
Make that about SEVENTY-TWO instances (72 instances, of interestingly 72KB RAM each). Indexing is switched-off. Now I’ve had to resort to disabling the process, meaning if anyone ever wants to search this 500GB drive quickly, they will need to delve into the services.msc as the Microsoft interface and control panels just don’t do their job, yet again… apologies to Microsoft if this is an infected PC (I’ve standard AV scanned it, Malwarebytes scanned it, MBR checked, and Rootkit checked, so it’s more Microsoft’s fault if it IS infected still, sorry, I’ve put my time in).
Regardless of technical skill and learning curves – why these things have to be convoluted instead of elegantly-designed, I don’t know!
Fuck Microsoft and Windows Vista.