-
-
-
-
-
-
Building a Browser Extension Inventory Report (Chrome/Edge/Firefox)
-
Internet Explorer - Distinguish Standalone and Edge IE Mode Starts
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
Building a Browser Extension Inventory Report (Chrome/Edge/Firefox)
This article shows how to collect detailed inventory information about all installed browser extensions. The solution presented includes a Splunk dashboard that visualizes the collected data.
The scripts listed in this guide are managed in vast limits’ public GitHub repository.
Solution Brief: Browser Extension Inventory
- Extensions and metadata are stored in browser profiles.
- A PowerShell script extracts extension info from browser profiles. The script inspects all browser profiles in the current user’s Windows user profile.
- The script is executed by uberAgent for each user logged on to the endpoint. The script’s output is captured by uberAgent and forwarded to the (Splunk) backend.
- A Splunk dashboard visualizes the collected data.
Background Information
Listing Chrome Profiles
Getting the Location of the User Data Directory
- Default location on Windows:
%LocalAppData%\Google\Chrome\User Data - Documentation
Parsing the JSON file ‘Local State’ to Find Profile Directories
- Profile objects are children of the following:
profile>info_cache -
Profile properties related to the user:
gaia_given_namegaia_idgaia_namenameshortcut_nameuser_name
-
Profile names
- Default profile:
Default - Additional profiles:
Profile
- Default profile:
-
Locating profile directories
- Profile directories are subdirectories of the user data directory
- Names of profile directories are idential to profile names
Listing Edge Profiles
Getting the Location of the User Data Directory
- Default location on Windows:
%LocalAppData%\Microsoft\Edge\User Data - Everything else is identical to Chrome
Collecting Chrome Extension Inventory Data
‘Preferences’ vs. ‘Secure Preferences’
Extensions are listed in one of two possible JSON files located in the profile directory: Preferences or Secure Preferences. The script checks both.
Note: Secure Preferences is typically used instead of the Preferences file.
Extension Settings
Extension settings are children of the following: extensions > settings > <extension ID>.
Relevant settings for inventory purposes include:
-
from_webstore: was the extension installed from the Chrome Web Store? -
install_time: timestamp of the last update (format: FILETIME / 10 [= microseconds since Jan 1st 1601]) -
path: extension path, either absolute or relative to the profile subdirectoryExtensions -
location: 1 = user data subdirectoryExtensions, 5 = Chrome installation directory -
state: 1 = enabled -
was_installed_by_default: [part of Chrome, not removable?] -
version: extension version
Collecting Firefox Extension Inventory Data
Getting the Location of the Profile Directory
- Default location on Windows:
%AppData%\Mozilla\Firefox\Profiles
Extension Settings
The configuration of Firefox extensions is stored in each profile’s extensions.json file. Within that file, extension settings are children of: addons.
Relevant settings for inventory purposes include:
-
sourceURI: installation source (Firefox Addons or a different site?) -
updateDate: timestamp of the last update (format: Unix epoch in ms) -
location:app-profile= browser profile -
active:true= enabled -
version: extension version
Configuring uberAgent to Run the Inventory Script
Note: you can find the latest version of the script in vast limits’ public GitHub repository.
- Store the script file in
C:\Program Files\vast limits\uberAgent\scriptsasGet-BrowserExtensionInfo.ps1. - Create a new timer in uberAgent’s configuration. With the settings shown below, the script is executed in each user session five minutes after uberAgent is started. The script execution is repeated every 24 hours.
[Timer]
Name = BrowserExtensionInventory
Interval = 86400000
Start delay = 300000
Persist interval = true
Script = powershell.exe -executionpolicy bypass -file "C:\Program Files\vast limits\uberAgent\Scripts\Get-BrowserExtensionInfo.ps1"
ScriptContext = UserSessionAsUser
<!--NeedCopy-->
Restart the agent to start collecting data.
Script Output
The output from the inventory script looks like this:
OsUser="helge" Browser="Chrome" ProfileDir="Default" ProfileName="Person 1" ProfileGaiaName="Helge Klein" ProfileUserName="email@domain.com" ExtensionId="cmcmennehclgdccnlmnjladhlkmclbkb" ExtensionName="uberAgent" ExtensionVersion="3.0.6" ExtensionFromWebstore="True" ExtensionState="1" ExtensionInstallTime="1606912508508" ExtensionInstalledByDefault="False"
<!--NeedCopy-->
Splunk Dashboard
Once inventory data is sent from endpoints with uberAgent to Splunk, install the Splunk app that is part of this practice guide. You can find it in this guide’s GitHub repository or in Splunkbase.
The dashboard provides a timeline of the top 10 extensions along with a data table listing all browser extensions. Selecting an extension’s row in the table brings up additional charts and tables that list all extension instances in full detail.
Share
Share
This Preview product documentation is Citrix Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Citrix Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Citrix product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.