SearchProtocolHost.exe Appears to be Modifying PST File
I am experiencing a problem where it appears like SearchProtocolHost.exe is updating a PST file. The LastWriteTime for the PST file changes to the current datetime and the file grows slightly larger. I am not sure why this is happening.

Environment: Windows 7 Enterprise with SP1 (latest updates), Office Professional Plus 2010

SearchProtocolHost.exe information: Version 7.0.7600.16385; Date 7/12/2009 9:309 PM

I do not regularly use Outlook (maybe once a month), but Outlook is loaded on the computer. I have about 15 large (1GB or larger) PST files on the system. Only one of the files is being affected. As it turns out, it is a copy of another file. So I have an original PST file in one folder and a copy of that PST file in another folder. Repeatedly the copy version is being changed. The original is being left alone.

I used Sysinternals Process Monitor to track down when the change was occurring. I created a little batch file that I run in DOS that does a directory listing of that file once a second. By looking at Process Monitor, I can see the file datetime is correct, then over the next second something happens and the next time the DOS directory listing runs, I can see the file has changed. Basically I have narrowed the event down to one second of process activity.

By using a path filter in Process Monitor, I can see that the only process that touches the file at that moment when the datetime changes (other than the DOS directory listing) is SearchProtocolHost.exe, when it does a number of things including an IRP_MJ_WRITE. And I can tell that the file increased in size at the same time.

Based on the time of the file timestamp change, looking at what processes were running at the time of the file change, and seeing that a process is doing some sort of write to the file, it seems like SearchProtocolHost.exe is making the file change. Since Outlook is not open, the file should not be getting changed.
The one thing that I thought of to try is to open Outlook and see what, if any, PST file gets opened. Sure enough, the PST file in question was automatically opened. So I closed the file and closed Outlook. (I opened Outlook again to confirm the PST file was no longer set to be open.) I will monitor what happens tonight and post the results.

Again, I am not 100% positive that SearchProtocolHost.exe is causing the file change. It is possible that something else is the cause, including a virus or malware. But I can find no evidence of either a virus or malware on this system. And Process Monitor is not showing anything else touching the file. In light of the fact that this particular PST file was set to be opened in Outlook, it seems like SearchProtocolHost.exe is the culprit.

Questions:

Does SearchProtocolHost.exe actually perform a function against a PST file open in Outlook (even though Outlook is closed)? If so, that is fine. But why would SearchProtocolHost.exe modify the file?

Is this expected and normal process for SearchProtocolHost.exe?

Is there something else I should be looking at to see why this is happening?

Thanks for the help!
May 8th, 2011 6:07pm
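
The correlation step described in the post above (which process performed a modifying operation on the PST path) can be run over a saved Process Monitor trace instead of being read off the screen. This is an added example, not part of the original thread: it assumes a trace exported as CSV with Process Monitor's default columns, and the paths, PIDs and log rows are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Operations that change file data, size or timestamps, in Process Monitor's
# default naming and in its "Enable Advanced Output" (IRP) naming.
MODIFYING_OPS = {
    "WriteFile", "SetEndOfFileInformationFile", "SetBasicInformationFile",
    "SetAllocationInformationFile", "IRP_MJ_WRITE", "IRP_MJ_SET_INFORMATION",
}

# Constructed sample rows in the column layout of a Process Monitor CSV export.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"6:01:14.1000000 PM","cmd.exe","4120","IRP_MJ_DIRECTORY_CONTROL","C:\Mail\Copy\archive.pst","SUCCESS","Type: QueryDirectory"
"6:01:14.5000000 PM","SearchProtocolHost.exe","2764","IRP_MJ_CREATE","C:\Mail\Copy\archive.pst","SUCCESS","Desired Access: Generic Read/Write"
"6:01:14.6000000 PM","SearchProtocolHost.exe","2764","IRP_MJ_READ","C:\Mail\Copy\archive.pst","SUCCESS","Offset: 0, Length: 512"
"6:01:14.7000000 PM","SearchProtocolHost.exe","2764","IRP_MJ_WRITE","C:\Mail\Copy\archive.pst","SUCCESS","Offset: 1073741824, Length: 512"
"6:01:14.8000000 PM","SearchProtocolHost.exe","2764","IRP_MJ_READ","C:\Mail\Original\archive.pst","SUCCESS","Offset: 0, Length: 512"
"6:01:15.1000000 PM","cmd.exe","4120","IRP_MJ_DIRECTORY_CONTROL","C:\Mail\Copy\archive.pst","SUCCESS","Type: QueryDirectory"
'''


def writers_of(csv_text, target_path):
    """Return {(process, pid): [(time, operation), ...]} for successful
    modifying operations on target_path (compared case-insensitively)."""
    hits = defaultdict(list)
    target = target_path.lower()
    # Exported files usually start with a UTF-8 byte order mark; drop it so
    # the first column header is still recognised.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        if row["Path"].lower() != target:
            continue
        if row["Operation"] not in MODIFYING_OPS or row["Result"] != "SUCCESS":
            continue
        hits[(row["Process Name"], row["PID"])].append(
            (row["Time of Day"], row["Operation"]))
    return dict(hits)


if __name__ == "__main__":
    found = writers_of(SAMPLE_CSV, r"C:\Mail\Copy\archive.pst")
    for (proc, pid), events in found.items():
        print(f"{proc} (PID {pid}): {len(events)} modifying operation(s)")
        for when, op in events:
            print(f"  {when}  {op}")
```

Reads, opens and directory queries are ignored, so the once-a-second directory listing does not appear as a writer; only processes that actually changed the file are reported.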

Hi,

Thanks for posting in Microsoft TechNet Forum.

SearchProtocolHost.exe is a process of the Windows Search service; to get a correct conclusion, I suggest you try to disable the Windows Search service to check if the PST file will still be modified in this condition.

Regarding SearchProtocolHost.exe, there is a description of it in an MSDN article:

Search Protocol Host

The search protocol host is merely a boxed, host process for protocol handlers. Typically, Windows Search creates two such host processes, one that runs in the system security context and one that runs in the user security context. This separation ensures that data specific to a user is never run in the system context. Windows Search also uses the host process to isolate an instance of a protocol handler from other processes or applications. This way, no outside application can access that specific instance of the protocol handler, and if the protocol handler fails unexpectedly, only the indexing process is affected. Because the host process runs third party code (protocol handlers), Windows Search periodically recycles the process to minimize the time a successful attack has to exploit information in the process. Beyond this, the search protocol host does not affect the crawling of URLs or indexing of items.

Hope it helps.

Alex Zhao
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 9th, 2011 5:51am

This topic is archived. No further replies will be accepted.
