
Chrome ExtensionInstallBlocklist Group Policy Audit

Operating System Security

List Devices With the “ExtensionInstallBlocklist” Group Policy Enabled

With Chrome being the most popular browser by far, it is important to manage it well. After all, it is one of the last lines of defense protecting users from clicking malicious links or downloading the wrong file. One way users can easily make a mistake is by installing a Chrome extension. It is not uncommon for malicious extensions to be approved in Chrome’s web store, or for existing extensions to be modified by a malicious actor. In these cases, extensions could steal browser history data, steal form inputs or redirect users to malicious sites. These are all reasons to manage which extensions a user is allowed to use.

Using this block list group policy is just one of the possible measures. To explore all of them, see the Pro Tips blog post.

Before running the audit, add the following registry keys to your custom registry scanning. Add one entry for each Chrome extension you are blocking, increasing the Regvalue by 1 each time (1, 2, 3, 4, 5, etc.).

  • Rootkey: HKEY_LOCAL_MACHINE
  • Regpath: Software\Policies\Google\Chrome\ExtensionInstallBlocklist
  • Regvalue: 1


Google Chrome ExtensionInstallBlocklist GP Query

Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.IPAddress,
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tsysOS.OSname As OS,
  tblAssets.Version,
  tblAssets.SP,
  Case
    When TsysLastscan.Lasttime < GetDate() - 1 Then
      'Last registry scan more than 24 hours ago! Information may not be up-to-date. Try rescanning this machine.'
  End As Comment,
  Case
    When SubQuery1.Valuename Is Not Null And SubQuery1.Valuename <> ''
    Then 'Yes'
    Else 'No'
  End As ValuenameFound,
  SubQuery1.Value,
  Case
    When tblErrors.ErrorText Is Not Null And
      tblErrors.ErrorText != '' Then
      'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
    Else ''
  End As ScanningErrors,
  TsysLastscan.Lasttime As LastRegistryScan,
  SubQuery1.Lastchanged,
  tblAssets.Firstseen,
  tblAssets.Lastseen,
  tblAssets.Lasttried
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tsysIPLocations On tsysIPLocations.LocationID =
      tblAssets.LocationID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
      Max(tblErrors.Teller) As ErrorID
    From tblErrors
    Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID =
      ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
      tblErrors.ErrorType
  Inner Join TsysLastscan On tblAssets.AssetID = TsysLastscan.AssetID
  Inner Join TsysWaittime On TsysWaittime.CFGCode = TsysLastscan.CFGcode
  Left Join (Select Top 1000000 tblRegistry.AssetID,
      tblRegistry.Regkey,
      tblRegistry.Valuename,
      tblRegistry.Value,
      tblRegistry.Lastchanged
    From tblRegistry
    Where
      tblRegistry.Regkey Like
      '%Software\Policies\Google\Chrome\ExtensionInstallBlocklist' And
      (tblRegistry.Valuename = '1' Or tblRegistry.Valuename = '2' Or
        tblRegistry.Valuename = '3' Or tblRegistry.Valuename = '4' Or
        tblRegistry.Valuename = '5')) SubQuery1 On SubQuery1.AssetID =
      tblAssets.AssetID
Where tblAssetCustom.State = 1 And TsysWaittime.CFGname = 'registry'
Order By tblAssets.Domain,
  tblAssets.AssetName,
  SubQuery1.value
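To cross-check on a single Windows device what the registry scan and the query above should find, the following PowerShell function reads the same policy key locally. It is an added example, not Lansweeper's or Google's code: the function name, parameter names and output properties are illustrative, and the check for entry format (either `*` or a 32-character ID made of the letters a-p) is an assumption about how block list entries are written.

```powershell
# Added example: audit the Chrome ExtensionInstallBlocklist policy on the local machine.
# Get-ChromeBlocklistAudit and its output property names are illustrative.
function Get-ChromeBlocklistAudit {
    param(
        [string]$Path = 'HKLM:\Software\Policies\Google\Chrome\ExtensionInstallBlocklist',
        # Highest value name the report query on this page matches (it lists 1 through 5).
        [int]$QueryMaxIndex = 5
    )

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Policy key not found: $Path"
        return
    }

    $key = Get-Item -Path $Path
    $entries = @(foreach ($name in $key.GetValueNames()) {
        $value = [string]$key.GetValue($name)
        # Assumption: an entry is either '*' (block every extension) or a
        # 32-character extension ID using the letters a-p.
        $kind = if ($value -eq '*') { 'BlockAll' }
                elseif ($value -cmatch '^[a-p]{32}$') { 'ExtensionId' }
                else { 'Unrecognized' }
        $index = if ($name -match '^[1-9][0-9]*$') { [int]$name } else { $null }
        [pscustomobject]@{
            ValueName      = $name
            Index          = $index
            Value          = $value
            Kind           = $kind
            # True when the report query would return this value name.
            MatchedByQuery = ($null -ne $index -and $index -le $QueryMaxIndex)
        }
    })

    $indices = @($entries | Where-Object { $null -ne $_.Index } | ForEach-Object { $_.Index })
    [pscustomobject]@{
        Path                = $Path
        EntryCount          = $entries.Count
        BlocksAllExtensions = (@($entries | Where-Object { $_.Kind -eq 'BlockAll' }).Count -gt 0)
        # Number of Regvalue entries (1..N) needed in custom registry scanning.
        HighestIndex        = ($indices | Measure-Object -Maximum).Maximum
        MissedByQuery       = @($entries | Where-Object { -not $_.MatchedByQuery })
        Entries             = $entries
    }
}

Get-ChromeBlocklistAudit | Format-List
```

If `MissedByQuery` is not empty, add the missing Regvalue entries to custom registry scanning and extend the `Valuename` list in the query to match.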
