Preventing Third Party Extensions from Installing in Google Chrome
As part of my effort to dump Google Chrome, I deleted my old Google Chrome profiles so that I could create a new empty one for the sole purpose of working on the few add-ons that I'm already working on. Every time I created a new profile in Chrome, I would get extensions in that profile that I didn't install (a Conduit toolbar and an extension called General Crawler). I looked in the control panel, but no apps referenced these extensions and nothing I uninstalled fixed the problem. After some digging, I found out how this was happening and wanted to share.
Google Chrome supports adding entries in the registry that point to extensions. When a new Chrome user is created, these entries are read and then the extensions are installed, with no way for the user to intervene. In my case, the following keys were in my registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\adejipnaieabipfpgddkkbahfmlkmilg
    path=>C:\Users\USERNAME\AppData\Local\CRE\adejipnaieabipfpgddkkbahfmlkmilg.crx
    version=>2.3.15.10

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel
    path=>C:\Users\USERNAME\AppData\Roaming\Media Finder\Extensions\gencrawler_gc.crx
    version=>2.5

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\lpmkgpnbiojfaoklbkpfneikocaobfai
    path=>C:\Users\Mike Kaply\AppData\Roaming\Media Finder\Extensions\mf_plugin_gc.crx
    version=>1.1.0
To prevent this from happening, remove these registry entries and the corresponding CRX files.
And if you have an app that does this, make sure you remove these entries when you are uninstalled. I'm talking to you, Conduit.
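The cleanup described above can be scripted. This is an added example, not code from the original post: it lists every registry-registered Chrome extension with its `path` and `version` values and, only when run with the hypothetical `-Remove` switch, deletes the entries and their CRX files after confirmation. The Wow6432Node key is the one shown above; the native HKLM and HKCU locations are assumed to be worth checking as well.

```powershell
# Added example: audit registry-registered ("external") Chrome extensions.
# Read-only by default; -Remove (a switch defined here) deletes what it finds.
param([switch]$Remove)

# The Wow6432Node path is the one from the post. The native-view HKLM key
# and the per-user HKCU key are assumptions added for completeness.
$roots = @(
    'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions',
    'HKLM:\SOFTWARE\Google\Chrome\Extensions',
    'HKCU:\SOFTWARE\Google\Chrome\Extensions'
)

$found = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # Each subkey is named after an extension ID.
    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $crx = $key.GetValue('path')
        [pscustomobject]@{
            ExtensionId = $key.PSChildName
            Version     = $key.GetValue('version')
            CrxPath     = $crx
            # A missing CRX means the entry is stale but still registered.
            CrxExists   = [bool]($crx -and (Test-Path -LiteralPath $crx))
            RegistryKey = $key.PSPath
        }
    }
}

$found | Format-List ExtensionId, Version, CrxPath, CrxExists, RegistryKey

if ($Remove) {
    # Deleting HKLM keys requires an elevated prompt. -Confirm asks before
    # each deletion so entries you want to keep can be skipped.
    foreach ($entry in $found) {
        if ($entry.CrxExists) {
            Remove-Item -LiteralPath $entry.CrxPath -Confirm
        }
        Remove-Item -LiteralPath $entry.RegistryKey -Recurse -Confirm
    }
}
```

Run it without arguments first and review the list: the registry path and CRX location usually identify which installed application registered the extension.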
I will confess that when Firefox first decided to block third-party add-ons, I was very vocal about not liking the decision. After experiencing how many apps do this to Firefox and Chrome, though, I have changed my tune and am happy with the decision. It helped that it was easy to change this behavior for enterprises.
Hypocrite alert: Now that I know about this, I'm going to recommend it to any of my clients that need a way to install Chrome extensions outside of the store. As much as I hate it, there's really no other good way to install a Chrome extension.
Heh, this is kinda funny in the context of your previous post... you wanted extensions installed from a non-Web Store source, well here you go!
Chrome should definitely go the Firefox route and not allow external programs to automatically install add-ons without the user's permission.
Well, this is a completely different problem.
These extensions were installed without my knowledge by third party software.
My previous post was about my choice to go to a website and explicitly install a Chrome extension.
I should be able to install a Chrome extension if I choose. I shouldn't have to put up with extensions I didn't choose to install.
> It helped that it was easy to change this behavior for enterprises.
I want this, the ability to block specific plugins from installing in a Firefox custom build. How do you do this?
There's no way to block specific plugins from installing in a build; you can block certain locations on the user's machine from being searched for add-ons or you can default to disabling add-ons in certain locations. See:
http://mike.kaply.com/2012/02/21/understanding-add-on-scopes/
Mike, thanks for the Chrome tip. I was actually suffering from that and no matter what I deleted off my hard drive I couldn't seem to kill a Chrome extension. Now I can!
Mike, Firefox has this exact same mechanism:
https://developer.mozilla.org/en-US/docs/Adding_Extensions_using_the_Windows_Registry
Recently, both Firefox and Chrome have attempted to start warning users when extensions are installed this way. But the problem is that in the limit it is impossible for the browser to know: the third-party software could change whatever storage the browser uses to keep track of install authorization.
The core problem is that current desktop operating systems don't have any concept of application-isolated storage. Until this changes, the best defense against this kind of problem is to be very careful about the native software you install. Native software has no isolation: Once it's running on your machine, it can do anything, and there's no way to remove it if it doesn't want to be removable.
Note that both Firefox Addons and Chrome extensions can include native software. In Chrome, we have several barriers that make writing such extensions extremely uncommon (far less than 1% of extensions in the store include native code). I'm not sure about Firefox - I assume the situation is similar.
If you'd like to know more, I'm sure the people that work on Add-ons at Mozilla would love to talk your ear off about it. It's a very hard problem.
There's a big difference between what Firefox does and what Chrome does. Firefox RUNS the extensions from the third party location. So when the application is uninstalled, the code isn't there to run anymore.
Chrome INSTALLS the extension into Chrome. While that might make it easier for a user to disable and remove, it seems to have encouraged companies to put their CRX files outside of their install directories (like Conduit).
Also, because Chrome installs the extension, it's next to impossible to figure out where the extension actually came from. With Firefox, I can look at file paths and see where the extension actually lives.
I don't see how there is more incentive to put the extension outside the install directory in Chrome than in Firefox. In both models, this would be a good strategy to live on past uninstallation of the third-party software, and works equally well.
Installing the extension the way Chrome does isn't necessary in order to allow users to disable and uninstall. All you need in order to do that is some amount of indirection between what the browser considers installed and what third-parties are requesting to be installed.
The actual reason for Chrome's behavior is to eliminate instability that would otherwise be caused by third-party software modifying extensions while Chrome is using them. Our system allows software to modify their registered extensions whenever they want, and Chrome simply picks up the new versions next time it restarts. This idea actually came to us from a Firefox developer; apparently it had been a problem there.
I like your proposal to provide power users a way to track sideloaded extensions back to their source. I don't think this is a problem for typical users, since they can just disable or uninstall the extension in their profile and be done with it. By creating new profiles over and over, you hit a bit of a corner case. I've created crbug.com/142697 to track this.
So any time the version is bumped, the add-on is updated. That's good to know.
I'm curious, do you think that the decision to only allow extensions to be installed from the store will increase the number of "sideloaded" extensions?
Don't you think that it will create a worse problem in that sites will encourage users to download executables instead of just extensions?
OH THE HILARITY
First you talked out of your ass during the changes made to protect Firefox users from malicious add-ons and now you made a 180 degree turn.
How does it feel to eat crow now and how everyone else was right back then?
> How does it feel to eat crow now and how everyone else was right back then?
It's delicious.
I mainly use the chrome engine in Avant browser. How do I disable the third party extensions from installing in Google Chrome engine in Avant browser?
If you are having the same problem (extensions just show up), I would search the registry for .crx and see what you find.
Thanks for this blog post! It was the first result in Google to get my favorite extension Autonito to work again.
Thank You for this information. Every little bit helps foil the plans of evildoers, who prey on the technically challenged.
I'm grateful that vgrabber is gone, and my chrome is polished.
For those who don't often see windows registry:
You'll want to remove the entries from hk_current_user, as well as in hkey_local_machine, as Mike pointed out.
God Bless you! I have rid myself of Internet Turbo Conduit evil spammy crapware finally!
I have like 20 host file entries going to 127.0.0.0 to try to keep them from respawning, but I kept missing this!
THANKS
I have this General Crawler extension repeatedly turning up in my Google Chrome extensions. It's not obviously causing problems that I can see right now, but I suspect it allowed a horrible add-on called CouponDropDown, which itself was a hassle to remove. I have to disable and remove General Crawler daily, yet still it returns next time I boot up and use Chrome.
Apart from going into tools>extensions and removing it there, I have not been able to find a solution as to how to remove it permanently.
Help would be appreciated.
TIA
I found some info here that might help
http://support.mozilla.org/en-US/questions/719095
(yes, I know it's mozilla, but it has chrome info)
Hey.
This is very helpful.... to the extent that there are people like you out there who understand code dealing with this problem. I have no idea where to find registries and all the other obvious things you discussed.
I just un-installed these programs when they show up using the setting > extensions option. Something tells me this is not enough. So please put up a step by step guide for people like me.
Thanks
FYI, Google is doing something about these with Chrome 25:
http://blog.chromium.org/2012/12/no-more-silent-extension-installs.html
Hi,
I have made an extension for my app. Presently I have an installer to install my app. I need help in embedding my extension into the installer so that the extension for Chrome installs automatically with the installation of my app.
Thanks
The info you are looking for is here:
http://developer.chrome.com/extensions/external_extensions.html
But Google is disabling it in Chrome 25.