Background indexing

The recent problem with Microsoft WMF files is disturbing because it brings to light attack vectors most of us hadn't thought about before.

Any trojan or virus has to be opened for it to attack. That doesn't necessarily mean that the payload itself is an executable file; in this case the Microsoft Windows Picture and Fax Viewer (Shimgvw.dll) is the flawed application that allows the exploit. But you would expect that you would have to actively do something (download and open a file) before being at risk.



Not necessarily. If, for example, you have Google Desktop installed, all you need is to have downloaded an infected file - even a simple ftp download would be enough, because Google Desktop will blindly call the shimgvw.dll library when it indexes the file.

While Google Desktop is an add-on you don't necessarily have, the next version of Windows will have its own automatic indexing. Macs already have this (Spotlight), so if a similar OS level flaw turned up there, we'd have the same problem. Of course all of this comes from "ease of use", which are three words I'm disliking more every day.

The other aspect of this is the proprietary DLL. If the code were open source, it would probably already be fixed. Instead, Microsoft is "investigating the issue to determine the appropriate course of action for customers". Isn't that good to know?

Back to Macs: The Spotlight search tool is often described as the best part of Mac OS X Tiger. It was the "breakthrough feature in OS X version 10.4--the reason to get Tiger" (http://www.pcworld.com/news/article/0,aid,120646,00.asp) and so on. Microsoft will be adding a similar feature to its Vista release; full indexing is apparently a hot feature.

So how come I never use it?

Oh, Spotlight pops up every now and then when I accidentally hit its hot key, but except when I played with it to find out what it was all about and how it worked, I've never had a reason to use it. That must be because I never have to find files, right? Must be nice to have such a great memory, you say.






Nope. My memory is as flaky as anyone else's. I often have to find files. But why would you ever want to just find a file? "Oh, I was just curious where I put that foo-bah file.. thanks, Spotlight!". Or "Ayup, I just wanted to check that it's still there. I see it is, thanks" or "I wonder which of my files have the word 'extra' in them?".

Not very likely or very often. Usually when I want to find files it's because I want to DO something with them. I want to delete them, copy them, edit them, or look at them. Spotlight isn't particularly helpful for any of that. It brings up a list of matching files, but you have to take it from there.

That's why I'm more apt to be running "grep" or "find" at the command line. I can do:


 


 vi `grep -l foo *html`
 find . -empty -delete
 find . -name '*.html' -exec cp {} /tmp \;
 

and of course much, much more.

The command line version of Spotlight (mdfind) can be piped to other commands, but although in some ways it has much more power than the venerable "find" and "grep" that I do use constantly, in other ways it really has less. For one thing, both Spotlight and mdfind ignore text files with extensions they don't understand. I'll talk more about that in another article, but for me, the limitations far exceed the usefulness.

I feel sorry for the Apple developers who worked on Spotlight. I'm sure they put a lot of effort into it, and likely think it's a great feature. I suppose it must be disappointing that so many of us don't use it and don't want it even running. It can really bog down your machine when you are doing things like copying down a lot of files or moving things around; if you aren't going to use it anyway, why waste those cpu cycles and the disk space for the index?

Indeed. So let's get rid of it, shall we?

The first step is to become root. You can do everything with "sudo", but we have a few steps here, so it's easiest to start with "sudo su -". Give your ordinary password, and you have a root prompt.

To disable Spotlight from starting up at boot, edit /etc/hostconfig and change the Spotlight line:



 


 SPOTLIGHT=-NO-
 

For each disk drive, turn off Spotlight indexing:


 


 mdutil -i off /
 mdutil -i off /myotherdrive
 

Note that you'll see errors if the disk is very busy when you do that. Wait till the disk activity stops and try again.

Then run:


 


 mdutil -E /
 mdutil -E /myotherdrive
 

If there's any "mdimport" running in Activity Monitor or ps, kill it.

This gets rid of the index, but doesn't remove the .Spotlight directory, so:


 


  cd /
  rm -rf .Spotlight*
  cd /myotherdrive
  rm -rf .Spotlight*
 

Reboot after all this and you shouldn't be bothered by Spotlight again.

Some web sites have suggested using the System Preferences > Spotlight > Privacy tab but apparently that can cause other problems.
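
To confirm that the steps above took effect, here is a small check, added as an example and not part of the original article. It verifies the SPOTLIGHT line, looks for leftover .Spotlight* directories on each volume, and looks for running mdimport processes. The function name audit_spotlight and the case-insensitive match on mdutil's status wording are assumptions.

```shell
#!/bin/sh
# Added example: audit whether the Spotlight shutdown steps took effect.
# Usage (as root): sh thisscript /etc/hostconfig / /myotherdrive
# audit_spotlight returns 0 when nothing is left over, 1 otherwise.

audit_spotlight() {
    hostconfig=$1; shift
    rc=0

    # 1. Boot-time setting: the SPOTLIGHT line must read -NO-.
    if grep -q '^SPOTLIGHT=-NO-[[:space:]]*$' "$hostconfig" 2>/dev/null; then
        echo "ok    $hostconfig: SPOTLIGHT=-NO-"
    else
        echo "FAIL  $hostconfig: SPOTLIGHT is not set to -NO-"
        rc=1
    fi

    for vol in "$@"; do
        # 2. Leftover index directories at the root of the volume.
        for d in "$vol"/.Spotlight*; do
            [ -e "$d" ] || continue      # glob matched nothing
            echo "FAIL  leftover index: $d"
            rc=1
        done

        # 3. Indexing state as reported by mdutil (Mac OS X only).
        #    Matching "indexing enabled" case-insensitively is an assumption
        #    about mdutil's status wording, which differs between releases.
        if command -v mdutil >/dev/null 2>&1; then
            if mdutil -s "$vol" 2>&1 | grep -qi 'indexing enabled'; then
                echo "FAIL  $vol: mdutil reports indexing enabled"
                rc=1
            fi
        fi
    done

    # 4. Importer processes that are still running.
    if ps -A -o comm= 2>/dev/null | grep -q 'mdimport'; then
        echo "FAIL  mdimport is still running"
        rc=1
    fi

    return $rc
}

# Run the audit only when arguments are supplied on the command line.
if [ "$#" -gt 0 ]; then audit_spotlight "$@"; fi
```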

