Preventing Third Party Extensions from Installing in Google Chrome

As part of my effort to dump Google Chrome, I deleted my old Google Chrome profiles so that I could create a new empty one for the sole purpose of working on the few add-ons that I'm already working on. Every time I created a new profile in Chrome, I would get extensions in that profile that I didn't install (a Conduit toolbar and an extension called General Crawler). I looked in the control panel, but no apps referenced these extensions and nothing I uninstalled fixed the problem. After some digging, I found out how this was happening and wanted to share.

Google Chrome supports adding entries in the registry that point to extensions. When a new Chrome user is created, these entries are read and then the extensions are installed, with no way for the user to intervene. In my case, the following keys were in my registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\adejipnaieabipfpgddkkbahfmlkmilg
path=>C:\Users\USERNAME\AppData\Local\CRE\adejipnaieabipfpgddkkbahfmlkmilg.crx
version=>2.3.15.10

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel
path=>C:\Users\USERNAME\AppData\Roaming\Media Finder\Extensions\gencrawler_gc.crx
version=>2.5

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\lpmkgpnbiojfaoklbkpfneikocaobfai
path=>C:\Users\Mike Kaply\AppData\Roaming\Media Finder\Extensions\mf_plugin_gc.crx
version=>1.1.0

To prevent this from happening, remove these registry entries and the corresponding CRX files.

UPDATE: You can do this by creating a file called nochromeext.reg and putting these lines in it:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions]

Then open the Windows file manager and double click file. It will delete the entries for you.

And if you have an app that does this, make sure you remove these entries when you are uninstalled. I'm talking to you, Conduit.

I will confess that when Firefox first decided to block third-party add-ons, I was very vocal about not liking the decision. After experiencing how many apps do this to Firefox and Chrome, though, I have changed my tune and am happy with the decision. It helped that it was easy to change this behavior for enterprises.

Hypocrite alert: Now that I know about this, I'm going to recommend it to any of my clients that need a way to install Chrome extensions outside of the store. As much as I hate it, there's really no other good way to install a Chrome extension.

Please note: I reserve the right to delete comments that are offensive or off-topic.

Leave a Reply

Your email address will not be published. Required fields are marked *

26 thoughts on “Preventing Third Party Extensions from Installing in Google Chrome

  1. Heh, this is kinda funny in the context of your previous post... you wanted extensions installed from a non-Web Store source, well here you go!

    Chrome should definitely go the Firefox route and not allow external programs to automatically install add-ons without the user's permission.

    • Well, this is a completely different problem.

      These extensions were installed without my knowledge by third party software.

      My previous post was about my choice to go to a website and explicitly install a Chrome extension.

      I should be able to install a Chrome extension if I choose. I shouldn't have to put up with extensions I didn't choose to install.

  2. | It helped that it was easy to change this behavior for enterprises.

    I want this, the ability to block specific plugins from installing in a Firefox custom build. How do you do this?

  3. Mike, thanks for the Chrome tip. I was actually suffering from that and no matter what I deleted off my hard drive I couldn't seem to kill a Chrome extension. Now I can!

  4. Mike, Firefox has this exact same mechanism:

    https://developer.mozilla.org/en-US/docs/Adding_Extensions_using_the_Windows_Registry

    Recently, both Firefox and Chrome have attempted to start warning users when extensions are installed this way. But the problem is that in the limit it is impossible for the browser to know: the third-party software could change whatever storage the browser uses to keeps track of install authorization.

    The core problem is that current desktop operating systems don't have any concept of application-isolated storage. Until this changes, the best defense against this kind of problem is to be very careful about the native software you install. Native software has no isolation: Once it's running on your machine, it can do anything, and there's no way to remove it if it doesn't want to be removable.

    Note that both Firefox Addons and Chrome extensions can include native software. In Chrome, we have several barriers that make writing such extensions extremely uncommon (far less than 1% of extensions in the store include native code). I'm not sure about Firefox - I assume the situation is similar.

    If you'd like to know more, I'm sure the people that work on Add-ons at Mozilla would love to talk your ear off about it. It's a very hard problem.

    • There's a big difference between what Firefox does and what Chrome does. Firefox RUNS the extensions from the third party location. So when the application is uninstalled, the code isn't there to run anymore.

      Chrome INSTALLS the extension into Chrome. While that might make it easier for a user to disable and remove, it seems to have encouraged companies to put their CRX files outside of their install directories (like Conduit).

      Also, because Chrome installs the extension, it's next to impossible to figure out where the extension actually came from. With Firefox, I can look at file paths and see where the extension actually lives.

      • I don't see how there is more incentive to put the extension outside the install directory in Chrome than in Firefox. In both models, this would be a good strategy to live on past uninstallation of the third-party software, and works equally well.

        Installing the extension the way Chrome does isn't necessary in order to allow users to disable and uninstall. All you need in order to do that is some amount of indirection between what the browser considers installed and what third-parties are requesting to be installed.

        The actual reason for Chrome's behavior is to eliminate instability that would otherwise be caused by third-party software modifying extensions while Chrome is using them. Our system allows software to modify their registered extensions whenever they want, and Chrome simply picks up the new versions next time it restarts. This idea actually came to us from a Firefox developer; apparently it had been a problem there.

        I like your proposal to provide power users a way to track sideloaded extensions back to their source. I don't think this is a problem for typical users, since they can just disable or uninstall the extension in their profile and be done with it. By creating new profiles over and over, you hit a bit of a corner case. I've created crbug.com/142697 to track this.

        • So any time the version is bumped, the add-on is updated. That's good to know.

          I'm curious, do you think that the decision to only allow extensions to be installed from the store will increase the number of "sideloaded" extensions?

          Don't you think that it will create a worse problem in that sites will encourage users to download executables instead of just extensions?

  5. OH THE HILARITY

    First you talked out of your ass during the changes made to protect Firefox users from malicious add-ons and now you made a 180 degree turn.

    How does it feel to eat crow now and how everyone else was right back then?

  6. I mainly use the chrome engine in Avant browser.How do I disable the third party extensions from installing in Google Chrome engine in Avant browser?

    • If you are having the same problem (extensions just show up), I would search the registry for .crx and see what you find.

  7. Thank You for this information. Every little bit helps foil the plans of evildoers, who prey on the technically challenged.

    I'm grateful that vgrabber is gone, and my chrome is polished.

    For those who don't often see windows registry:
    You'll want to remove the entries from hk_current_user, as well as in hkey_local_machine, as Mike pointed out.

  8. God Bless you! I have rid my self of Internet Turbo Conduit evil spammy crapware finally!
    I have like 20 host file entries going to 127.0.0.0 to try to keep them from respawning, but I kept missing this!
    THANKS

  9. I have this General Crawler extension repeatedly turning up in my Google Chrome extensions. It's not obviously causing problems that I can see right now, but I suspect it allowed a horrible add on called CouponDropDown in which itself was a hassle to remove, I have to disable and remove General Crawler daily yet still it returns next time I boot up and use Chrome.

    Apart from going into tools>extensions and removing it there, I have not been able to find a solution as to how to remove it permanently.

    Help would be appreciated.

    TIA

  10. Hey.

    This is very helpful.... to the extent that there are people like you out there who understand code dealing with this problem. I have no idea where to find registries and all the other obvious things you discussed.

    I just un-installed these programs when they show up using the setting > extensions option. Something tells me this is not enough. So please put up a step by step guide for people like me.

    Thanks

  11. Hi,

    I have made an extension for my app. Presently i got an installer to install my app. I need help in embedding my extension into the installer so that the extension for chrome installs automatically with the installation of my app.

    Thanks

  12. Wow! Thanks for the information on removing this evil registry entry. I've been trying for quite a while to get rid of the AVG Secure Search software that somehow attached to Chrome. Easy fix, now that you explained where to look!

    Thanks!

  13. Hi, can you please write step by step how to go to the registry to delete the sentences you said ?? no everybody knows like you, thanks.

  14. hi, thankyou for this information. I am having trouble at the moment with an extension comming up all the time even though i go to settings, extensions and disable the extension. Could you give me a step by step of how to get rid of this problem. im not a computer wiz kid so i know nothing about going into files etc. i would be most grateful. I am using windows 7