SearchProtocolHost.exe Appears to be Modifying PST File
I am experiencing a problem where it appears like SearchProtocolHost.exe is updating a PST file. The LastWriteTime for the PST file changes to the current datetime and the file grows slightly larger. I am not sure why this is happening.

Environment: Windows 7 Enterprise with SP1 (latest updates), Office Professional Plus 2010
SearchProtocolHost.exe information: Version 7.0.7600.16385; Date 7/12/2009 9:309 PM

I do not regularly use Outlook (maybe once a month), but Outlook is loaded on the computer. I have about 15 large (1GB or larger) PST files on the system. Only one of the files is being affected. As it turns out it is a copy of another file. So I have an original PST file in one folder and a copy of that PST file in another folder. Repeatedly the copy version is being changed. The original is being left alone.

I used Sysinternals Process Monitor to track down when the change was occurring. I created a little batch file that I run in DOS that does a directory listing of that file once a second. By looking at Process Monitor, I can see the file datetime is correct, then over the next second something happens and the next time the DOS directory listing runs, I can see the file has changed. Basically I have narrowed the event down to one second of process activity. By using a path filter in Process Monitor, I can see that the only process that touches the file at that moment when the datetime changes (other than the DOS directory listing) is SearchProtocolHost.exe - when it does a number of things including an IRP_MJ_WRITE. And I can tell that the file increased in size at the same time.

Based on the time of the file timestamp change, looking at what processes were running at the time of the file change, and seeing that a process is doing some sort of write to the file, it seems like SearchProtocolHost.exe is making the file change. Since Outlook is not open, the file should not be getting changed.

The one thing that I thought of to try is to open Outlook and see what - if any - PST file gets opened. Sure enough, the PST file in question was automatically opened. So I closed the file and closed Outlook. (I opened Outlook again to confirm the PST file was no longer set to be open.) I will monitor what happens tonight and post the results.

Again I am not 100% positive that SearchProtocolHost.exe is causing the file change. It is possible that something else is the cause - including a virus or malware. But I can find no evidence of either a virus or malware on this system. And Process Monitor is not showing anything else touching the file. In light of the fact that this particular PST file was set to be opened in Outlook it seems like SearchProtocolHost.exe is the culprit.

Questions:
- Does SearchProtocolHost.exe actually perform a function against a PST file open in Outlook (even though Outlook is closed)? If so, that is fine.
- But why would SearchProtocolHost.exe modify the file?
- Is this expected and normal process for SearchProtocolHost.exe?
- Is there something else I should be looking at to see why this is happening?

Thanks for the help!

UPDATE (5/9/2011 - 8:00 AM ET): As I mentioned above, I closed the PST file (that was getting modified) in Outlook so that Outlook only uses my inbox PST file. I ran Process Monitor again overnight against the PST file that was not opened in my Outlook session. (Remember that the PST file was selected to be opened in Outlook, but Outlook itself was closed.) The results were as I expected - the PST was NOT modified. Since I have monitored the "change" to the PST file occurring regularly during the night (idle/scheduled time???), I have a high level of confidence that I have identified the problem of why this particular file was being affected and the other PST files on my computer not being affected. But I will continue to monitor the file for the next few days.

Regarding my question above "Does SearchProtocolHost.exe actually perform a function against a PST file open in Outlook (even though Outlook is closed)?" - at this point the answer seems to be yes. And with regards to "Is there something else I should be looking at to see why this is happening?" - as Alex posted below, I will test with Windows Search Service disabled. But I will not be able to test this until after I test that the change I made fixes my problem of the PST file being modified.

I also still have the open questions:
1) Why would SearchProtocolHost.exe modify the file?
2) Is this expected and normal process for SearchProtocolHost.exe?
May 8th, 2011 6:05pm
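
The correlation described in the post above (which process issued writes to the file during the one second in which its timestamp changed) can also be run over a Process Monitor CSV export. This is an added example, not part of the original thread: the columns follow Procmon's default export layout, while the sample rows, paths, PIDs and the 12-hour time format are constructed assumptions.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, time

# Operations treated as modifying a file. Procmon shows the friendly names by
# default and IRP names (as in the post) when advanced output is enabled.
WRITE_OPS = {"WriteFile", "IRP_MJ_WRITE",
             "SetEndOfFileInformationFile", "SetBasicInformationFile"}

# Constructed sample rows (hypothetical paths and PIDs, not data from the thread).
# A real export is read with open(path, encoding="utf-8-sig", newline="").
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"2:13:06.9000000 AM","cmd.exe","4120","QueryDirectory","D:\Mail\Copy\archive.pst","SUCCESS","Filter: archive.pst"
"2:13:07.2000000 AM","SearchProtocolHost.exe","5532","CreateFile","D:\Mail\Copy\archive.pst","SUCCESS","Desired Access: Generic Read/Write"
"2:13:07.3000000 AM","SearchProtocolHost.exe","5532","WriteFile","D:\Mail\Copy\archive.pst","SUCCESS","Offset: 1,073,741,824, Length: 4,096, Priority: Normal"
"2:13:07.4000000 AM","SearchProtocolHost.exe","5532","WriteFile","D:\Mail\Copy\archive.pst","SUCCESS","Offset: 512, Length: 512"
"2:13:07.5000000 AM","SearchProtocolHost.exe","5532","ReadFile","D:\Mail\Original\archive.pst","SUCCESS","Offset: 0, Length: 4,096"
"2:13:09.0000000 AM","SearchProtocolHost.exe","5532","WriteFile","D:\Mail\Copy\archive.pst","SUCCESS","Offset: 0, Length: 8,192"
'''


def parse_tod(text):
    """Parse Procmon's 'Time of Day' (7 fractional digits; 12-hour clock assumed)."""
    clock, ampm = text.split(" ")
    hms, _, frac = clock.partition(".")
    return datetime.strptime(f"{hms}.{frac[:6] or '0'} {ampm}", "%I:%M:%S.%f %p").time()


def writers_in_window(csv_text, path, start, end):
    """Return {(process, pid): [write_ops, bytes_written]} for path in [start, end]."""
    hits = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Path"].lower() != path.lower() or row["Result"] != "SUCCESS":
            continue
        if row["Operation"] not in WRITE_OPS:
            continue
        if not start <= parse_tod(row["Time of Day"]) <= end:
            continue
        length = re.search(r"Length: ([\d,]+)", row["Detail"])
        entry = hits[(row["Process Name"], int(row["PID"]))]
        entry[0] += 1
        entry[1] += int(length.group(1).replace(",", "")) if length else 0
    return dict(hits)


if __name__ == "__main__":
    window = (time(2, 13, 7), time(2, 13, 8))
    print(writers_in_window(SAMPLE_CSV, r"D:\Mail\Copy\archive.pst", *window))
```

Comparing the summed write lengths with the observed change in file size gives a second check, alongside the timestamp, that the listed process accounts for the modification.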

Thanks Alex. Please read the edit "update" in my original post. Closing the PST file in Outlook seemed to prevent SearchProtocolHost.exe from modifying the PST file. I will need to monitor for a few days to confirm.

After I do that, I will perform your test. I will create another copy of this PST file and another PST file and open both of them in Outlook. Then with Outlook closed, I will see if either or both files are getting modified again. If they are, this should prove that having the file open in Outlook is what causes the file to get indexed and modified. Then, as you suggested, I will disable Windows Search Service and see what happens. I will post the results.

Also, I read about Search Protocol Host in a number of articles on MSDN. But I don't think I found the exact article you were referring to - so would you please post a URL?

Thanks!
John
May 9th, 2011 8:43am

Hi,

Thanks for your update. Regarding the MSDN article, it is: Indexing Process in Windows Search (Windows)

I would like to know more information about how you test this, so that I can see if it can be reproduced in my lab. Meanwhile, please also keep me updated about the results of the tests you mentioned in your last reply.

Thanks.

Alex Zhao
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 11th, 2011 6:00am
