Troubleshooting Windows Search CPU Consuming Problem

  • Article

I have heard a lot of complains from my friends and the community that desktop search interferes their daily usage of the computer. These applications, such as Windows Search(also known as WDS, Windows Desktop Search, and the builtin search engine in Vista/2008), Google Desktop Search, index your files while the computer is idle. In this theory, it should not affect your PC’s performance. However, sometimes you can notice that your CPU usage goes up to 100% (or 50% for a dual core system, with 100% usage for one of the cores) for quite a few minutes, even when you are busily working with some applications. This not only brings down the performance of your current applications, but also affects your battery life if you are using a laptop in mobile, and boring fan noise.

So, it is really a nasty problem. When you bring up task manager, you can see something relates with Search is sucking power from your CPU. In my experience, the name is SearchFilterHost.exe. Let’s take a look at it with Sysinternal’s Process Explorer, to understand the relationship of the services.

snap099

This is a child process of Windows Search. Without any thoughts, I killed this process, and after a short while it restarted, again with 50%+ CPU usage. Nasty. It’s quite hard to identify Windows Search problem because it cannot tell you what kind of thing it is working on (except those guys who can understand minidumps and can trace into the process, who is really a minority in our IT guys). But by its name, I can know it is a filter host, and with another child process in this tree, I can understand the two process is working on search job, one for the protocol of the file, one for the filter of the file.

Filter daemon is a common part of Microsoft Search architecture. SharePoint, SQL and Windows Search using this daemon to load ifilters, and extract information from different types of files. If this process takes a lot of CPU power, it is quite possible the ifilter is suffering from some problem. And it’s quite likely, the ifilter encountered something it cannot process.

Let’s take a look at the threads of SearchFilterHost. You can notice that one of the thread, RPCRT4.dll, is sucking CPU power. RPC stands for Remote Procedure Call, this can be another evidence.

snap100

Now, I’m suspecting there’s a corrupt or misformat file caused the problem. Because it’s corrupt, the ifilter might not be able to process it correctly, and the dead cycles drained all the processing power of the core.  But with no log of activity from Windows Search, how can I know which file caused the problem?

Process Monitor is the tool this time. It is also from Sysinternal, as a combination or replacement for FILEMON/REGMON. Run it with filter setting to include all related processes, monitor only file activities, and wait for the problem to reappear.

snap102

After a short while, CPU usage goes up again. Stop the capture, and take a look at the log.

snap103

Only SearchIndexer is working, and this already lasts for quite a moment. This is abnormal, because it should load protocol daemon and filter daemon to process different files. Another evidence for the suspect of corrupt file. Now scroll up, try to find what is the last file it accessed.

snap101

Now it is clear, the indexer loaded “KurzfassungvonInhalt.docx” into memory, and stuck there for a few minutes. That file, should be the root cause of the problem.

I really didn’t have a idea that why this file is on my harddisk. But then I remembered this file was sent to me by one of my friend in Germany, she told me she had a word doc which she cannot open any more, and asked me to try to fix it if possible. If you open this file by Word, you will see an error notice.

snap105

I removed the file, and the CPU usage problem went away.

In a similar case, I observed some doc files which produced by WPS Pro edition(a Office clone in China, while its personal edition does not have the problem) caused the same problem. These files can be opened in MS Word, but cannot be processed by the ifilter. I don’t have the idea with doc files from OpenOffice,  but these experiences might help you to identify the reason if you are suffering from the same problem.

Process Explorer and Process Monitor can be downloaded from https://technet.microsoft.com/en-us/sysinternals/default.aspx, or www.sysinternals.com. Don’t capture too many events with Process Monitor at one time, otherwise your RAM will run out.