@IISResetMe
Created June 13, 2019 13:48
Discover chrome extensions and log information about them to event log
<#
.SYNOPSIS
Inventory Chrome Extension information and dump the info to the Windows Event Log
.DESCRIPTION
This is a simplified adaptation of zsattler's Set-ChromeExtensions.ps1 which writes extension info to a WMI namespace for SCCM to pick up
This version writes the information to a custom Windows Event Log instead, easily picked up for WEF or similar log forwarding tools.
Original script: https://github.com/zsattler/PowerShell/blob/master/Set-ChromeExtensions/Set-ChromeExtensions.ps1
Original blog post: https://zsattler.wordpress.com/2017/02/27/chrome-extension-inventory-for-sccm/
.EXAMPLE
PS C:\> .\Log-ChromeExtension.ps1
Enumerates all profiles on the OS, their chrome profile paths and any extensions contained within.
Writes all info to the "ChromeExtensions" Event Log channel
.INPUTS
NONE
.OUTPUTS
NONE
.NOTES
Requires administrative privileges to enumerate all profiles on the machine
Author: Mathias R. Jessen (@IISResetMe)
#>
# Note: the *-EventLog cmdlets used below exist in Windows PowerShell only, not in PowerShell 6+
$logName = 'ChromeExtensions'
$logSource = 'ChromeExtensionTracker'

# Create the custom event log and its source on first run
if (-not(Get-Eventlog -List | Where-Object {$_.LogDisplayName -eq $logName})) {
    New-EventLog -LogName $logName -Source $logSource
}

# Make every Write-EventLog call below target the custom log and source
$PSDefaultParameterValues['Write-EventLog:LogName'] = $logName
$PSDefaultParameterValues['Write-EventLog:Source'] = $logSource

function Parse-ChromeExtensionManifest {
    param(
        [string]$Path
    )

    $info = [ordered]@{}

    # Resolve the parent directory
    $ParentDirectory = Split-Path $Path -Parent |Get-Item -LiteralPath {$_}

    # Find the latest modified date in the extension folder
    $Date = $ParentDirectory |Get-ChildItem |Sort-Object LastWriteTime -Descending |Select-Object -First 1 -ExpandProperty LastWriteTime

    # Convert manifest.json into a psobject
    # (-Raw reads the file as one string; manifests are UTF-8, which Windows PowerShell does not assume for BOM-less files)
    $Manifest = Get-Content -LiteralPath $Path -Raw -Encoding UTF8 |ConvertFrom-Json

    # Locate messages.json if present
    if(-not ($defaultLocale = $Manifest.default_locale)){
        $defaultLocale = 'en'
    }

    $MessagesInfo = $ParentDirectory |Get-ChildItem -Filter messages.json -Recurse -File |Where-Object DirectoryName -Like "*\$defaultLocale" |Select-Object -First 1
    if ($MessagesInfo) {
        $Messages = $MessagesInfo |Get-Content -Raw -Encoding UTF8 | ConvertFrom-Json
    }

    # Parse contents of manifest, resolving __MSG_<id>__ placeholders through messages.json
    foreach($Field in 'Name','Description','Version'){
        $info["$Field"] = if ($Manifest."$Field" -match '__MSG_(?<msgID>.*)__') {
            $MsgID = $Matches['msgID']
            $Messages."$MsgID".message
        }
        else {
            $Manifest."$Field"
        }
    }

    # The extension ID is the folder name directly below ...\extensions\
    $info['ExtensionID'] = $Path -replace '^.*\\extensions\\([^\\]+).*$', '$1'
    $info['Manifest'] = $Path
    $info['LastModified'] = $Date

    # Override ToString() so the object expands to a readable block inside the event message
    [PSCustomObject]$info |Add-Member -MemberType ScriptMethod -Name ToString -Force -Value {
        return @'
Name: {0}
ExtensionID: {1}
Manifest: {2}
Description: {3}
Version: {4}
LastModified: {5:o}
'@ -f $this.Name, $this.ExtensionID, $this.Manifest, $this.Description, $this.Version, $this.LastModified
    } -PassThru
}

# One GUID per run, so the start, per-extension and end events can be correlated
$ActivityID = New-Guid

Write-EventLog -EntryType Information -EventId 1 -Message "Enumerating Chrome extensions on host $env:COMPUTERNAME`r`n`r`nActivityID: $ActivityID"

# Enumerate the profile directory of every user profile registered on the machine
$ProfilePaths = Get-ItemPropertyValue -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' -Name ProfileImagePath

foreach ($ProfilePath in $ProfilePaths) {
    Write-Host "Now searching $ProfilePath"

    # Only the "Default" Chrome profile of each Windows user is searched
    $ChromeProfilePath = Join-Path -Path $ProfilePath -ChildPath 'appdata\local\google\chrome\user data\default\extensions'

    if (Test-Path -LiteralPath $ChromeProfilePath -ErrorAction SilentlyContinue) {
        $Manifests = Get-ChildItem -LiteralPath $ChromeProfilePath -Filter manifest.json -Recurse -File

        foreach ($ManifestInfo in $Manifests) {
            $ExtensionInfo = Parse-ChromeExtensionManifest -Path $ManifestInfo.FullName
            Write-EventLog -EntryType Information -EventId 10 -Message "Chrome Extension found:`r`n`r`n$ExtensionInfo`r`n`r`nActivityID: $ActivityID"
        }
    }
}

Write-EventLog -EntryType Information -EventId 2 -Message "Done enumerating Chrome extensions on host $env:COMPUTERNAME`r`n`r`nActivityID: $ActivityID"
@IISResetMe
Author

Sample log message for the Google Keep extension:

Chrome Extension found:

Name: Google Keep Chrome Extension
ExtensionID: lpcaedmchfhocbbapmcbpinfpgnhiddi
Manifest: C:\Users\iisresetme\appdata\local\google\chrome\user data\default\extensions\lpcaedmchfhocbbapmcbpinfpgnhiddi\3.1.19042.1285_0\manifest.json
Description: Save to Google Keep in a single click!
Version: 3.1.19042.1285
LastModified: 2019-01-30T13:33:50.4145973+01:00

ActivityID: bd8d00b8-a958-4339-98e8-4a8d226832e2

Full event log entry:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
        <Provider Name='ChromeExtensionTracker'/>
        <EventID Qualifiers='0'>10</EventID>
        <Level>4</Level>
        <Task>1</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime='2019-01-31T10:55:38.132283900Z'/>
        <EventRecordID>509</EventRecordID>
        <Channel>ChromeExtensions</Channel>
        <Computer>win-01.labs.iisreset.me</Computer>
        <Security/>
    </System>
    <EventData>
        <Data>Chrome Extension found:

Name: Google Keep Chrome Extension
ExtensionID: lpcaedmchfhocbbapmcbpinfpgnhiddi
Manifest: C:\Users\iisresetme\appdata\local\google\chrome\user data\default\extensions\lpcaedmchfhocbbapmcbpinfpgnhiddi\3.1.19042.1285_0\manifest.json
Description: Save to Google Keep in a single click!
Version: 3.1.19042.1285
LastModified: 2019-01-30T13:33:50.4145973+01:00

ActivityID: bd8d00b8-a958-4339-98e8-4a8d226832e2</Data>
    </EventData>
</Event>
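
Reading these events back on a host or collector, as an added example that is not part of the original gist: it parses the EventId 10 message format shown above into objects and flags extension IDs that are missing from an allowlist. The function name `ConvertFrom-ChromeExtensionEvent`, the variable `$ApprovedExtensionIds` and the allowlist contents are assumptions made for illustration.

```powershell
# Hypothetical allowlist of approved extension IDs; replace with your own policy.
$ApprovedExtensionIds = @('lpcaedmchfhocbbapmcbpinfpgnhiddi')

function ConvertFrom-ChromeExtensionEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        $fields = [ordered]@{}
        $duplicate = $false
        foreach ($line in ($Message -split '\r?\n')) {
            if ($line -match '^(?<key>Name|ExtensionID|Manifest|Description|Version|LastModified|ActivityID):\s*(?<value>.*)$') {
                # Name and Description are text supplied by the extension itself; a repeated
                # key means the message cannot be parsed unambiguously, so keep the first and flag it.
                if ($fields.Contains($Matches['key'])) { $duplicate = $true; continue }
                $fields[$Matches['key']] = $Matches['value'].Trim()
            }
        }
        if (-not $fields.Contains('ExtensionID')) { return }   # e.g. the EventId 1 and 2 messages
        $fields['Ambiguous'] = $duplicate
        $fields['Approved']  = (-not $duplicate) -and ($ApprovedExtensionIds -contains $fields['ExtensionID'])
        [PSCustomObject]$fields
    }
}

# Sample message copied from the log entry shown above, so the example runs without the log.
$sample = @'
Chrome Extension found:

Name: Google Keep Chrome Extension
ExtensionID: lpcaedmchfhocbbapmcbpinfpgnhiddi
Manifest: C:\Users\iisresetme\appdata\local\google\chrome\user data\default\extensions\lpcaedmchfhocbbapmcbpinfpgnhiddi\3.1.19042.1285_0\manifest.json
Description: Save to Google Keep in a single click!
Version: 3.1.19042.1285
LastModified: 2019-01-30T13:33:50.4145973+01:00

ActivityID: bd8d00b8-a958-4339-98e8-4a8d226832e2
'@
$sample | ConvertFrom-ChromeExtensionEvent

# Where the ChromeExtensions log exists, list extensions that are not approved.
# Properties[0] is the single <Data> element seen in the XML above.
if (Get-WinEvent -ListLog ChromeExtensions -ErrorAction SilentlyContinue) {
    Get-WinEvent -FilterHashtable @{ LogName = 'ChromeExtensions'; Id = 10 } -ErrorAction SilentlyContinue |
        ForEach-Object { [string]$_.Properties[0].Value | ConvertFrom-ChromeExtensionEvent } |
        Where-Object { -not $_.Approved }
}
```

Filter on `ExtensionID` rather than `Name`, and review events marked `Ambiguous` by hand, since the free-text fields come from the extension's own manifest.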
