The three processes used by the Windows Search service are SearchIndexer.exe, SearchProtocolHost.exe, and SearchFilterHost.exe. Sometimes you may even see multiple instances of the latter two running simultaneously (especially if multiple users are logged in).
So why are they divided up in this way? To find out, let’s look at what each of the processes does.
SearchIndexer.exe runs as a system service under the SYSTEM account. It is responsible for maintaining the index, servicing queries, and deciding what to crawl and when.
SearchProtocolHost.exe sometimes runs under the SYSTEM account, and at other times runs in the context of the current user. It hosts a Protocol Handler responsible for enumerating items in a specific store (such as the File System, Outlook, UNC shares, Lotus, etc.).
Why is it separate?
Access - Sometimes it needs to run in the context of the SYSTEM account (i.e. to index the filesystem, even when a user is not logged in). Other times it needs to run in the context of the user, so that it can access data that is ACL’d for that user (network shares, Offline files) or accessed via a program the user is running (Outlook, Thunderbird).
Reliability - If a protocol handler, which may be written by a third party, crashes, it will not crash the indexer itself. This reduces the risk of index corruption, and ensures that you can still issue queries even if a protocol handler crashes or hangs.
Security - Isolating code that interacts with possibly untrusted data stores can mitigate vulnerabilities in said code.
SearchFilterHost.exe hosts the actual IFilters. These filters are responsible for processing individual items, such as files, in a data store.
Why is it separate?
Security - This process is tightly locked down. For example, it cannot even read the filesystem. It runs with reduced privileges (kind of like Protected Mode IE). Why is this important? Well, think back to the WMF file vulnerability a year or so ago. Google Desktop Search would trigger the vulnerability whenever it indexed one of those files. If you received it as an e-mail attachment, you would have a 0-click attack because they don’t sandbox the indexing process. This wasn’t a problem for WDS users because we have always isolated filtering to a separate locked-down process.
Reliability - Same as with the Protocol Handlers. IFilters are very often third-party code, and may be subjected to corrupted files. Keeping them separated improves robustness to crashes / hangs in third-party code or when dealing with corrupted data.
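The reliability argument above, as an added sketch that is not Windows Search code or anything from the original post: a parent "indexer" hands each item's bytes over a pipe to a throwaway child "filter" process, so a crash or hang in the parser costs one item and not the index. All names (`run_filter`, `build_index`, the `CRASH`/`HANG` markers, the sample items) are hypothetical and constructed, and the sketch does not reproduce the reduced-privilege token the real filter host runs with.

```python
import subprocess
import sys

# Hypothetical "filter": runs in a child process and sees only the bytes piped to it.
FILTER_SRC = r"""
import os, sys
data = sys.stdin.buffer.read()
if data.startswith(b"CRASH"):      # constructed stand-in for a parser bug
    os.abort()
if data.startswith(b"HANG"):       # constructed stand-in for a parser hang
    while True:
        pass
sys.stdout.write(" ".join(sorted(set(data.decode("utf-8").lower().split()))))
"""

def run_filter(data: bytes, timeout: float = 2.0):
    """Return (terms, None) on success or (None, reason) if the child failed."""
    try:
        proc = subprocess.run([sys.executable, "-I", "-c", FILTER_SRC],
                              input=data, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None, "hang"        # subprocess.run kills the child on timeout
    if proc.returncode != 0:
        return None, "crash"
    return proc.stdout.decode("utf-8").split(), None

def build_index(items: dict):
    """Index every item; record failed ones instead of aborting the crawl."""
    index, failed = {}, {}
    for name, data in items.items():
        terms, reason = run_filter(data)
        if reason:
            failed[name] = reason
            continue
        for term in terms:
            index.setdefault(term, set()).add(name)
    return index, failed

# Constructed sample items (not real files).
SAMPLE_ITEMS = {
    "notes.txt": b"Quarterly budget review",
    "bad.wmf": b"CRASH malformed header",
    "loop.doc": b"HANG never returns",
    "memo.txt": b"Budget memo",
}

if __name__ == "__main__":
    print(build_index(SAMPLE_ITEMS))
```

The parent reads the item and the child only receives bytes on stdin, which mirrors the point that the filter process does not need filesystem access of its own.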
Hi. I'm Brandon. I'm a geek, and I work on Search technology for Windows at Microsoft. This is my blog.
The views expressed within my blog are my own - and are not in any way indicative of those of the company I work for, Microsoft, or its employees. No warranties or other guarantees will be offered as to the quality of the opinions or anything else offered here.
June 20th, 2007 at 11:01 pm
Makes perfect sense, thanks for the explanation.
June 20th, 2007 at 11:05 pm
Brandon,
I never really thought through what each of those processes do or why they’re separated but it does make a lot of sense, especially restricting SearchFilterHost.exe so much. Interesting stuff to say the least.
Slightly related but I’m working on a property handler for media files (AVI is most important format but others too) using XMP. It’s basically alpha quality. If it interests you, you can check it out at http://sourceforge.net/projects/vistaprophand . Sorry to talk about this in a comment but I couldn’t figure out a way to email you directly.
July 7th, 2007 at 8:38 am
Hi Brandon,
Why do I keep getting a message from searchprotocolhost.exe saying “Database login failed: Catastrophic failure.” It is running under the User, not the System. Am I missing an update?
Any help would be appreciated.
July 9th, 2007 at 1:56 am
I can see why they need to be separate processes. What I’m struggling with is why searchprotocolhost.exe feels the need to grab 40% of my CPU capacity when there are other apps active, preventing me from doing anything productive…
August 10th, 2007 at 6:51 pm
The problem with my SearchProtocolHost.exe is that it is constantly reading random music files all day long after disabling all mediacenter sharing, zune sharing, and others. It's always slowing me down to 15 fps during games because I can disable it all day long in services.msc and other places…but it always seems to run no matter what I tell Vista..
December 1st, 2007 at 11:37 pm
Hello, thanks for such a nice review and explanation for the three mysterious looking processes.
But what I am troubled about is the CPU/Memory use these processes are making and that too unwanted.
On my XP machine these processes came only after I installed Win Desktop Search 3.1, is there any way to keep these processes disabled preferably or keeping low memory…..
Regards,
MADHUR
February 6th, 2008 at 9:20 am
Disable XML indexing by going to control panel, Indexing Options and unchecking XML as an extension (it's under the advanced button). There appears to be a bug in indexing XML files. WDS should drop its CPU usage considerably. I personally recommend limiting the number and type of files indexed. I have unchecked my music files (I use iTunes, so no need to index) and graphics/file formats I don’t use (3gp etc). I also have unchecked .zip and .rar files. I keep all those files in one spot anyway.
February 20th, 2008 at 2:04 am
I really hate Vista Search they took a good idea and just ruined it with poor execution. The indexer is slow, hard to configure and uses a ton of resources.
….
I can’t pause it, I can’t schedule it, I cannot get it to just index groups. On day one of setting up Vista all I really want is all the filenames to be indexed like Avafind and then do the content indexing at night when I’m asleep (or not at all). I also only want to include certain groups like documents, music and movies in the “content” index, basically an opt in setup. However someone at Microsoft decided that people should be forced an agonizing setup ordeal one file extension at a time.
…
The only thing I really like about Vista Search is that it has a field in the Start Menu.
May 12th, 2008 at 12:18 pm
I run ZoneAlarm and searchprotocolhost comes up in bursts where it will access the internet 20 times 5 seconds apart. This annoys me enough I will not click “remember this” to give it permanent permission. Why does it hit the internet so much and so often? It is supposed to be indexing stuff on my system. I can see a once a day attempt to get updates, but this is way too much.