Google Chrome allows other programs on your computer to install system-wide Chrome extensions. Chrome even allows these extensions to prevent you from disabling or removing them via Chrome’s Extensions page.
The terrible Ask Toolbar included with Java security updates is one of the most common examples of this, but this technique could be used by other programs — and even malware.
Control Panel
If the extension’s developer is behaving properly, you will be able to uninstall a globally installed extension from the Windows Control Panel. They will be shown alongside the other applications you have installed on your system in the Programs and Features section. Uninstall them from the Control Panel, if you can.In the case of the Ask Toolbar, Ask.com graciously allows us to remove it from our system via the Control Panel, although they don’t even allow us to disable it from within Chrome. However, a developer could just as easily create a malicious extension and prevent you from uninstalling it via the Programs and Features window, so we’ll cover how you could get rid of this extension manually.
Windows Registry
Chrome allows other programs to associate extensions with Chrome via the Windows Registry. We’ll need to use the registry editor to deal with such extensions. To open it, press the Windows key to open the Start menu (or Start screen, on Windows 8), type regedit into the Start menu (or at the Start screen), and press Enter.Locate the following key in the registry:
HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions (On 32-bit versions of Windows)
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Google\Chrome\Extensions (On 64-bit versions of Windows)
Each key (folder) under the Extensions key represents a globally installed Chrome extension. You can check which extension a key contains by opening the key and examining the Path value.
In our example here, we haven’t yet found the terrible Ask Toolbar, but we have located an obnoxious “SweetIM” toolbar that hitched a ride on some unscrupulous software.
To get rid of this extension, we’ll need to delete its key by right-clicking it and selecting delete.
To delete the extension’s files as well, we could note the location displayed in the Path box, navigate to that folder on our computer, and delete the extension’s .crx file (or the entire folder containing it).
Remove a Managed Extension
We haven’t yet found the Ask toolbar, so we know it’s not attached to Chrome through the registry. It must be located in one of Chrome’s extension folders.To open your Chrome user data folder, enter the following into Windows Explorer’s address bar:
%LOCALAPPDATA%\Google\Chrome\User Data
Open your profile folder – generally named Default, unless you have created a new profile – and open the Extensions folder inside it. You should be in a folder like the following:
C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Extensions
If you have a variety of extensions and apps installed, you’ll see quite a few subfolders. To determine which one is associated with the Ask Toolbar (or whatever globally installed extension you want to remove), we can open Chrome’s Extensions page, enable the Developer mode check box, and view the Ask Toolbar’s extension ID.
Locate the folder with the same name as the extension ID, delete it, and restart Chrome. The extension will be removed.
Unfortunately, in the case of the Ask Toolbar, the folder we deleted will immediately be recreated. Ask.com runs an Updater.exe process in the background, and it appears to recreate the extension’s folder each time you open Chrome. This ensures that the Ask Toolbar comes along whenever you create a new Chrome profile.
This example just goes to show that, if you have malicious software running in the background, you’ll need to neutralize the malware by removing its associated browser extensions. The malicious software can keep recreating extensions even after you remove them manually.
Luckily, we can just uninstall the Ask Toolbar from the Control Panel, so this doesn’t really matter in this example. However, Ask.com have provided an excellent example to malware authors looking to get around Chrome’s protection against globally installed extensions.
Chrome also provides a way for programs to globally install extensions using a preferences file located in Chrome’s application directory. However, you likely won’t find any extensions using this method to install themselves. Thanks to a long-standing bug, extensions using a preferences file will be automatically uninstalled each time Chrome updates itself to a new version. You can find more information about the preferences file method over at Chrome’s developer site.
No comments:
Post a Comment