Process

ubiquitoussigned

searchhost.exe

SearchHost.exe renders the Windows search interface, the box and flyout on the taskbar that searches apps, files, and the web. It is the Windows 11 successor to the older SearchUI.exe and SearchApp.exe. It runs per user as part of the desktop.

Microsoft CorporationFirst seen 2026-06-08
CategorySystemTagssearchmicrosoftcore-windows

File identity

File details
File type
PE32+ executable
Magic
PE32+ executable (GUI)
Original name
SearchHost.exe
Internal name
SearchHost.exe
Product
Microsoft® Windows® Operating System
Signing information
Status
Signed
Publisher
Microsoft Corporation
Signer
Microsoft Windows
Issuer
Microsoft Windows Production PCA 2011
Signature rate
100%
File version1
  • 2126.8901.20.0100%
File size1
  • 41.50 KB100%

Execution context

File paths1
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe100%
User context0

Not observed.

Integrity level0

Not observed.

Instances1
  • 1100%
Session1
  • Session 1100%
Token privileges1
  • SeChangeNotifyPrivilege100%

Ancestry

Parents0

Not observed.

Children0

Not observed.

Grandparents0

Not observed.

Grandchildren0

Not observed.

Behavior

Loaded modules10
Named pipes1
  • \MsFteWds100%
Process handles1
Command-line patterns0

Not observed.

Indicators

Hashes

Not observed.

Analysis

About this process

SearchHost.exe is a packaged (UWP) system app that presents the taskbar search experience and its results, distinct from SearchIndexer.exe, which builds the file index it can draw on. It runs as the logged-on user, launched as part of the session, from a Windows SystemApps package folder rather than System32, and is signed by Microsoft.

Legitimately, SearchHost is present on Windows 11 desktops and suspended when idle. Because the search UI integrates web results, some network activity to Microsoft's search endpoints is normal, which sets it apart from the other shell hosts.

Security notes

SearchHost.exe is a baseline process. Its identity is fixed, the logged-on user's account, a packaged Microsoft signature, and no child processes, so deviations stand out. Unlike the purely local shell hosts it does talk to Microsoft's search service, so the meaningful network signal is connections to unrelated hosts, not network activity as such. The realistic abuse is impersonation (T1036.005), where malware uses the name from a path outside the genuine packaged location.

As a persistent per-user process it could also be injected into (T1055). A SearchHost that spawns programs or reaches hosts outside the search service is acting outside its role.

Anomaly signals5
  • Image path outside the Windows SystemApps package locationhigh
  • Unsigned image or a signer other than Microsofthigh
  • Running as NT AUTHORITY\SYSTEM rather than the logged-on userhigh
  • Spawning command shells or other programshigh
  • Outbound connections to hosts unrelated to Microsoft searchmed

Telemetry

OS prevalence1
  • Microsoft Windows 11 Enterprise Evaluation100%
Observation timeline
First seen
2026-06-08
Last seen
2026-06-08
Machines
1
References

Subsearch

Hasbeen seen inof searchhost.exe?
Edit this page on GitHub