Process

ubiquitoussigned

searchindexer.exe

SearchIndexer.exe is the Windows Search service, which builds and maintains the index that powers fast file and content search across the Start menu, Explorer, and Outlook. It runs continuously as SYSTEM and is a normal, often busy, background process.

Microsoft CorporationFirst seen 2026-06-08
CategorySystemTagssearchmicrosoftcore-windows

File identity

File details
File type
PE32+ executable
Magic
PE32+ executable (GUI)
Original name
SearchIndexer.exe.mui
Internal name
SearchIndexer.exe
Product
Windows® Search
Signing information
Status
Signed
Publisher
Microsoft Corporation
Signer
Microsoft Windows
Issuer
Microsoft Windows Production PCA 2011
Signature rate
100%
File version1
  • 7.0.26100.8457 (WinBuild.160101.0800)100%
File size1
  • 984.00 KB100%

Execution context

File paths1
  • C:\Windows\System32\SearchIndexer.exe100%
User context0

Not observed.

Integrity level0

Not observed.

Instances1
  • 1100%
Session1
  • Session 0100%
Token privileges3
  • SeTcbPrivilege100%
  • SeChangeNotifyPrivilege100%
  • SeImpersonatePrivilege100%

Ancestry

Parents0

Not observed.

Children0

Not observed.

Grandparents0

Not observed.

Grandchildren0

Not observed.

Behavior

Loaded modules0

Not observed.

Named pipes0

Not observed.

Process handles1
Command-line patterns0

Not observed.

Indicators

Hashes

Not observed.

Analysis

About this process

SearchIndexer.exe crawls files, email, and other content and stores a searchable index, so that queries return instantly instead of scanning the disk each time. It is the WSearch service, started by services.exe and running as NT AUTHORITY\SYSTEM from C:\Windows\System32\SearchIndexer.exe. Its normal children are SearchProtocolHost.exe and SearchFilterHost.exe, the helpers that open and parse content for indexing.

Legitimately, SearchIndexer runs all the time and can use noticeable disk and CPU while catching up on indexing. Its known helper children are expected. Anything else is not.

Security notes

SearchIndexer.exe is largely a baseline. As an always-running SYSTEM service it is a candidate for code injection (T1055), where implanted code inherits its privileges and blends into normal indexing activity, so unusual loaded modules, network connections, or unexpected child processes are what would point to abuse.

Its trusted name also makes it an impersonation target (T1036.005): a SearchIndexer.exe outside System32, with the wrong parent, or running as the wrong account is the deviation to investigate.

Anomaly signals5
  • Image path other than C:\Windows\System32\SearchIndexer.exehigh
  • Parent other than services.exehigh
  • Children other than SearchProtocolHost.exe and SearchFilterHost.exehigh
  • Outbound network connections from SearchIndexermed
  • Running as an account other than NT AUTHORITY\SYSTEMmed

Telemetry

OS prevalence1
  • Microsoft Windows 11 Enterprise Evaluation100%
Observation timeline
First seen
2026-06-08
Last seen
2026-06-08
Machines
1
References

Subsearch

Hasbeen seen inof searchindexer.exe?
Edit this page on GitHub