Microsoft Search Filter - block or allow?

pdsnickles

Member
Here's some info on SearchFilterHost:
Brandon Paddock's Blog » Blog Archive » FAQ: Why does WDS / Windows Vista use so many processes?

I guess it's part of 3 Vista "Services" which mostly have to do with indexing. Is this so that Vista can so quickly find files? Is that all it's for? If so, I should be able to permanently block it without any problems, right?

I really don't need Vista to be able to find everything within 2 seconds. I don't look for things that often and when I do I have a pretty good filing system and can get to them on my own pretty quickly.

People are reporting that these 3 services in the article linked above seem to take up a lot of processor power, too.

So has anyone blocked this? What is the best way to do it, and what is the outcome? Will Vista still be able to find things, only a bit slower, or what?

Please advise. Thank you in advance.
 

My Computer

System One

  • Manufacturer/Model
    DELL XPS 430
    CPU
    Intel Core™2 Q8200 Quad-Core (4MB L2 cache,2.33GHz,133
    Motherboard
    7200RPM, SATA 3.0Gb/s, 16MB Cache
    Memory
    6GB Dual Channel DDR3 SDRAM at 1066MHz - 4 DIMMs
    Graphics card(s)
    ATI Radeon HD3650 256MB Graphics (Integrated)
    Sound Card
    Integrated 7.1 Audio (IDT/Sigmatel 6.10.0.6017)
    Monitor(s) Displays
    Dell -1901FP Flat Panel LCD Color Monitor
    Screen Resolution
    1024 x 768 32 bit
    Hard Drives
    750 gig SATA 7200 C drive External Seagate 160gig " Western Book 160 gig " Hitachi 250 gig ALL USB except C drive
    Mouse
    Microsoft Intellimouse Trackball - (best design ever made!)
    Keyboard
    Logitech ITough Multimedia
    Internet Speed
    ATT Yahoo Elite DSL 4797kbps down, 624kbps up
Hello Pdsnickles,

I would not recommend blocking it since it is probably responsible for other items than just the index. Instead, you can just disable the Windows Search service to disable the index and have Vista use only non-indexed searches.

http://www.vistax64.com/tutorials/69564-index-enable-disable.html

Hope this helps,
Shawn
 

My Computers

System One System Two

  • Operating System
    Windows 10 Pro 64-bit
    Manufacturer/Model
    Custom
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G7 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2, 4TB Samsung 990 PRO PRO M.2, 8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3
    Cooling
    Corsair Hydro H115i
    Mouse
    Logitech MX Master 3
    Keyboard
    Logitech wireless K800
    Internet Speed
    1 Gb/s Download and 35 Mb/s Upload
    Other Info
    Logitech Z625 speaker system, Logitech BRIO 4K Pro webcam, HP Color LaserJet Pro MFP M477fdn, APC SMART-UPS RT 1000 XL - SURT1000XLI, Galaxy S23 Plus phone
  • Operating System
    Windows 10 Pro
    Manufacturer/Model
    HP Envy Y0F94AV
    CPU
    i7-7500U @ 2.70 GHz
    Memory
    16 GB DDR4-2133
    Sound Card
    Conexant ISST Audio
    Monitor(s) Displays
    17.3" UHD IPS touch
    Screen Resolution
    3480 x 2160
    Hard Drives
    512 GB M.2 SSD
Thanks Brink. I had already looked at your Indexing tutorial and was thinking of using it, but I was curious about blocking SearchFilterHost anyway. Thanks for the answer and I will try turning off indexing. If I find problems I can turn it off.

One more question maybe you can answer, though:
WHY does Search Filter Host have to contact MS or ? via INTERNET when it is only supposed to be indexing and searching on my hard drive? Why does it need to access the internet to do this??

At the risk of sounding paranoid I don't see why things like this have to constantly "phone home" and yeah, it does make me feel intruded upon and having my privacy invaded - especially when all I have to go on is that they SAY they are only sending back anonymous info. But why can't we block them phoning home without potential problems? I just don't get why there is a need for internet communication re my hard drive and my system!
 

My Computer

The only thing I can think of is possibly for certificate verification. ??
 

My Computers

But why would it need to verify certificate verification so often? It should only have to do that once, shouldn't it?
I wish someone who had the skills and time would get to the bottom of this Search Filter having to phone home..
How do we know it's NOT spying on us?
And even if it's not, I still see no legitimate reason for it to have to "phone home" so often.
 

My Computer

Those processes are "containers" in the sense that they run whatever code has been registered to handle particular content types. If I create my own content type (.XYZ files) and a search filter to go with it, so that my proprietary XYZ format can be suitably indexed, my code will run in SearchFilterHost. I can have it paint pretty pictures, send information back through the internet, play tunes... almost whatever I like.

It would be entirely expected for those processes to behave somewhat differently on two separate machines because of the different list of installed apps.

I understand your concern but from a strict security perspective you either trust someone's code or you don't. The moment you install it on your machine, you're giving the vendor who sold you the app that trust. Attempting to hobble some aspects of the app's operation only works if the app has no malicious intent - in other words, if it wasn't designed to try to break out through obstacles put in its path. That's why outbound firewall filtering is such a contentious issue. You end up with legitimate software being "victimised" and prevented from doing its work, while any well-written malware that finds its way onto your machine can simply deactivate the firewall or configure it to let out the malicious payload.

Even people who earn their living reverse engineering code can have trouble verifying each and every action of a large and complex app. If you're nervous about a bit of software, either run it in a virtual machine or invoke it from a non-privileged (user) account, if it's absolutely necessary. Otherwise, don't install it at all.
 

My Computer

Okay, so if I understand what you are saying, if I am going to run Vista I have to trust Microsoft not to be running malicious code, so therefore I should allow all its processes, right?

Hmmm.

I do not like nor trust Microsoft. I only use Windows because Macs have too many issues surrounding my not being able to get all the programs I want easily and/or reasonably priced. Nor is the Mac computer itself reasonably priced. But it's more an issue of my not being able to easily and reasonably get all the software I want with Mac.

As to Vista, I am seriously considering going back to XP. I really do not like Vista, it's too invasive, hard to find the things I am used to finding (msconfig, for one, but that's just one example, of many)...

But it really does bother me that no one seems to even KNOW exactly why Search Filter Host has to keep connecting to the net. It just is not logical why it should have to do so when I am only dealing with my hard drive, not any net activity at the time it requests connectivity.

Let me be clear: I am not nervous about Search Filter Host ruining my system; no, my system seems to be working fine. What I am concerned about is companies like MS compiling marketing information or whatever other information using my computer as their database. I do not wish to allow this for the above reasons (I do not trust nor like Microsoft as a company).

But I cannot get any clear answer as to what problems it may cause if I block Search Filter Host from connecting.

You may say "Okay, well try it." Well, I would except that I use AVG as a firewall and I find it difficult and hard to understand how to go into it and unblock things once they are blocked. Perhaps that makes me lazy or stupid, but really I am not into learning the intricacies of AVG software, I just want it to work, and it does.

So all I really want is an answer as to WHY things like Search Filter Host and .NET Runtime Optimization have to constantly or often access the net and what they are doing when they do so. That doesn't seem unreasonable to me, after all it is MY computer they are accessing.

I asked AVG about this and one of their typical dumbass techs wrote back and said I would have to ask Microsoft but all they know is, it isn't a virus or AVG would block it! ;-) I wrote them back and said that was a stupid answer and that they should know what it is and what it does.
 

My Computer

Okay, so if I understand what you are saying, if I am going to run Vista I have to trust Microsoft not to be running malicious code, so therefore I should allow all its processes, right?

That's a fair summary of what I'm saying. Once you entrust your data and personal information to software as large and complex as an operating system, I personally don't think it makes technical sense to worry about one component. Should an OS company decide to cross the threshold of illegality (and morality?) and actively begin spying on you, they would presumably rig it so that any 3rd-party software firewalls running on the same box would be kept in the dark. Believe me, that would be trivial from their perspective.

The only reason the firewall "works" is because the OS gives it certain information. The minute that an OS vendor made the decision to go rogue and start data mining your personal info, the OS would simply neuter the firewall, or it would arrange for the firewall to continuously swim in a "sea of happy" so the user is always kept in the dark. It's hard to force an analogy here but perhaps it's a bit like trusting a $199.95 home alarm system to reveal whether a suddenly-rogue CIA+FBI+KGB has inspected your home while you were away for the week. Fat chance :)

You may say "Okay, well try it." Well, I would except that I use AVG as a firewall and I find it difficult and hard to understand how to go into it and unblock things once they are blocked. Perhaps that makes me lazy or stupid, but really I am not into learning the intricacies of AVG software, I just want it to work, and it does.

I know that's rhetorical but I certainly don't think you're stupid - on the contrary. I do believe you're being taken in by "scareware", as I mentioned in another posting, but that's only a function of the way the security software industry operates. There are maaaany people in your position, except they're not as technically adept and they cannot articulate their concerns.

So all I really want is an answer as to WHY things like Search Filter Host and .NET Runtime Optimization have to constantly or often access the net and what they are doing when they do so. That doesn't seem unreasonable to me, after all it is MY computer they are accessing.

Alright, if you'd like to have a bit of a play with this, I can maybe help you to work out exactly what it's doing. The first thing you'll want is a packet sniffer trace so that you can see exactly what info is being sent, to where, and what's coming back in response.

If you download Wireshark (www.wireshark.org), install it, start a capture on the network interface which your machine uses to communicate with the internet, repro the activity which you want to scrutinise, then save the Wireshark capture, you'll then be able to inspect those data courtesy of a 3rd-party tool.
 

My Computer
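
Once a capture like the one described in the post above has been saved, the outbound destinations and DNS lookups in it can be summarised with a short script. This is an added example, not part of the original thread; it assumes the capture was saved in the classic pcap format over Ethernet/IPv4, and the addresses, host name and sample capture are constructed.

```python
import socket
import struct
from collections import Counter

def parse_pcap(data):
    """Yield raw frames from a classic little-endian .pcap byte string."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not classic pcap; re-save pcapng captures as pcap first")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl = struct.unpack("<I", data[off + 8:off + 12])[0]  # captured length
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def dns_qname(msg):
    """Decode the first question name of a DNS message (after the 12-byte header)."""
    labels, i = [], 12
    while i < len(msg) and msg[i]:
        labels.append(msg[i + 1:i + 1 + msg[i]].decode("ascii", "replace"))
        i += 1 + msg[i]
    return ".".join(labels)

def summarize(data, local_ip):
    """Count outbound (proto, dst_ip, dst_port) packets and collect DNS names queried."""
    flows, names = Counter(), []
    for frame in parse_pcap(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # Ethernet + IPv4 only
            continue
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        if src != local_ip or proto not in (6, 17) or len(ip) < ihl + 8:
            continue  # keep only TCP/UDP packets leaving this machine
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        flows[("tcp" if proto == 6 else "udp", dst, dport)] += 1
        if proto == 17 and dport == 53:
            names.append(dns_qname(ip[ihl + 8:]))
    return flows, names

def _frame(src, dst, proto, dport, payload=b""):
    """Constructed test data: minimal Ethernet+IPv4+TCP/UDP frame, checksums zeroed."""
    l4 = struct.pack("!HH", 49152, dport)
    l4 += (struct.pack("!HH", 8 + len(payload), 0) if proto == 17 else b"\x00" * 16) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def sample_capture():
    """Constructed capture: one DNS query, two outbound TCP/80 packets, one reply."""
    q = b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6 + b"\x04host\x07example\x03com\x00\x00\x01\x00\x01"
    frames = [_frame("192.168.1.10", "192.168.1.1", 17, 53, q),
              _frame("192.168.1.10", "203.0.113.7", 6, 80),
              _frame("192.168.1.10", "203.0.113.7", 6, 80),
              _frame("203.0.113.7", "192.168.1.10", 6, 49152)]
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + body

if __name__ == "__main__":
    flows, names = summarize(sample_capture(), "192.168.1.10")
    print(names, flows.most_common())
```

A capture of this kind records addresses and payloads but not which process sent each packet, so the timestamps have to be matched against the firewall's prompt for SearchFilterHost when reading the result.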

I guess you are right about how if MS wanted to spy on us they would not do it in so obvious a way. What makes me mad is that there is no documentation anywhere about why it has to access the internet.

I see every reason why something like Search Filter Host exists on Vista - the searching mechanism is very fast and, well, amazing and useful. My ONLY complaint is about its accessing the internet which makes no sense to me as to why it would need to do so more than once to check your Certificate status.

In the Services panel on Vista when I go to Properties>Dependencies for this Windows Search function it says this:

"Some services depend on other services, system drivers or load order groups. If system component is stopped or is not running properly, dependent services can be affected.
This system depends on the following system components.
Remote Procedure Call (RPC)
DCOM Server Process Launcher"

So my question is, if I turn off Indexing will this negatively affect RPC/DCOM (whatever the heck THOSE are!?) or is it only the other way around, that turning off those or deleting them would affect Windows Search?

I think I am about to turn off Windows Search. I was reading in Brink's "How To Disable" thread, where someone else wrote that this Windows Indexing uses like 95% CPU power when you do a Start search, and that even if you end the search it keeps running for a minute or so at that rate. If that is true, it seems rather excessive does it not?

I wonder though, if turning off Indexing will make it stop trying to access the internet? (Since it has no good reason for doing so in the first place!)

As to the comment I made that I am lazy and stupid: I was exaggerating but only a bit. When it comes to learning the technical details and understanding the computer the way you do for example, I am both stupid and lazy in comparison. I want to find out what is known by others, not look for my own answers, I don't want to make this my hobby. (Not that there's anything wrong with that, it's just that I have other hobbies and time constraints.) I am only here now because I have had Vista shoved down my throat by having to buy a new computer, and I am trying to make the best of it.
 

My Computer

Hail lazy. I'm a subscriber :)

The dependency hierarchy you described says that Search won't work unless RPC/DCOM services are also active. There is no dependency in the other direction - you can safely disable Search without affecting RPC/DCOM.

RPC/DCOM can be thought of as OS building blocks. They're ways for processes and portions of apps to talk to other portions, and without them virtually nothing would work. Search is just an app. It won't be missed by any of the other (important) services if it's deactivated.
 

My Computer

Okay, thanks H2S04. I am going to see how my system runs (and if it tries to access the net via Search Filter Host) if I kill the Windows Search service.
 

My Computer
