Windows Search Engine Process – Part 1

Windows 7, like its predecessor and Microsoft SQL and SharePoint servers, has a search engine based on MSSearch indexing, which replaced the Indexing Service found in earlier versions of Windows such as Windows XP and Windows Server 2003. The search engine is logically made up of the following processes:

Indexer process – SearchIndexer.exe is the main feature of the Windows Search engine and is responsible for core indexing and querying activity on your system. The process is implemented as a Windows service called Windows Search service (WSearch) and runs in the context of the LocalSystem account, but has all privileges removed except the ability to read files and interact with the NTFS change journal.

System-wide Protocol Host – SearchProtocolHost.exe is a separate process that hosts protocol handlers to isolate them from the main indexer process. Protocol handlers are plug-ins that access different stores, retrieve documents and push the information to the SearchFilterHost for filtering. This process runs within the same LocalSystem context as the main indexer process because it requires access to all files on the system.

Per-user Protocol Host – The difference between this process and the previous one (System-wide Protocol Host) is that this process runs within the security context of a logged-on user. It is a process that hosts protocol handlers to isolate them from the main indexer process. This process is needed because some data stores (such as Outlook email) must be accessed using the credentials of the logged-on user to be indexed.

Search Filter Host process – SearchFilterHost.exe hosts IFilters, which are used to extract text from files and other items. IFilters are hosted within a separate process instead of within the main indexer process to protect the Windows Search service from possible crashes and to ensure the stability and security of the indexing engine. IFilter code may be considered non-trusted code, as IFilters can be written by third-party vendors apart from Microsoft. They run within a separate process that has very restricted permissions. The indexer process runs a single instance of SearchFilterHost.exe, and this process holds all IFilters parsing documents that come from the system-wide and per-user SearchProtocolHost processes.
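
The process model described above can be checked against a live system. The following PowerShell sketch is an added example, not code from the original article: it lists the three Windows Search images with their owning account and parent process, and flags anything that departs from the description. It assumes PowerShell 3.0 or later and an elevated prompt, and it assumes both host processes are started as children of SearchIndexer.exe; the REVIEW labels are this example's own wording.

```powershell
# Added example: compare running Windows Search processes with the model above.
# Assumes PowerShell 3.0+ and an elevated prompt (needed to read other sessions' owners).
$names  = 'SearchIndexer.exe', 'SearchProtocolHost.exe', 'SearchFilterHost.exe'
$filter = ($names | ForEach-Object { "Name='$_'" }) -join ' OR '
$procs  = @(Get-CimInstance Win32_Process -Filter $filter)

# The indexer is the WSearch service and should be configured to run as LocalSystem.
$svc = Get-CimInstance Win32_Service -Filter "Name='WSearch'"
if ($svc -and $svc.StartName -ne 'LocalSystem') {
    Write-Warning "WSearch runs as '$($svc.StartName)', expected LocalSystem"
}

$indexerPids = @($procs | Where-Object { $_.Name -eq 'SearchIndexer.exe' } |
                 ForEach-Object { $_.ProcessId })
$filterHosts = @($procs | Where-Object { $_.Name -eq 'SearchFilterHost.exe' })
if ($filterHosts.Count -gt 1) {
    Write-Warning "$($filterHosts.Count) SearchFilterHost.exe instances, expected one"
}

$report = foreach ($p in $procs) {
    # S-1-5-18 is the well-known SID of LocalSystem; it does not depend on OS language.
    $sid   = (Invoke-CimMethod -InputObject $p -MethodName GetOwnerSid -ErrorAction SilentlyContinue).Sid
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
    $isSystem = $sid -eq 'S-1-5-18'
    $finding = switch ($p.Name) {
        'SearchIndexer.exe'      { if ($isSystem) { 'indexer, LocalSystem' } else { 'REVIEW: indexer not LocalSystem' } }
        'SearchProtocolHost.exe' { if ($isSystem) { 'system-wide protocol host' } else { 'per-user protocol host' } }
        'SearchFilterHost.exe'   { 'IFilter host' }
    }
    # Assumption: both host types are children of the indexer, so another parent needs review.
    if ($p.Name -ne 'SearchIndexer.exe' -and $indexerPids -notcontains $p.ParentProcessId) {
        $finding = "REVIEW: parent PID $($p.ParentProcessId) is not SearchIndexer.exe ($finding)"
    }
    [pscustomobject]@{
        Name = $p.Name; ProcessId = $p.ProcessId; ParentProcessId = $p.ParentProcessId
        Account = "$($owner.Domain)\$($owner.User)"; Path = $p.ExecutablePath; Finding = $finding
    }
}
$report | Sort-Object Name, ProcessId | Format-Table -AutoSize
```

The protocol and filter hosts exit when the indexer is idle, so an empty or partial listing is normal; run the check while indexing is active to see all three.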