
 

Google Chrome And Its Magic Trick!

 

Magic as always requires an element of deception, making the audience look left when you do something on the right. Google Chrome performs one of these.

 

  • Does it do anything illegal? No.
  • Does it do something you have not agreed to? No.
  • Are you going to be unhappy? Maybe.

 

So to start…

 

Open Task Manager.  Make sure you are on the Details tab and sort the names in alphabetical order.  Then scroll down the list so that process names beginning with ‘C’ are visible.  Now open the Chrome browser.  Notice all the Chrome instances running; this is correct and healthy.

 

Did you see the trick?  Of course not!  You were looking in the wrong place.  If you looked on the performance tab you may have just caught the trick performing.  Even better if you looked lower down on the process details list under ‘S’ you may have seen through the trick.

 

What does the trick do?  Well, it executes a program ‘software_reporter_tool’ when Chrome first loads.  If you ‘procmon’ this process you will see it scans your hard disk and registry.  All of it. Good trick eh?

 

Are you upset?  Why?  You agreed to it!  Did you not read the T&Cs?

 

Even being diligent you would have struggled to find this.  As always with these things it does not follow ‘good practice’, hence making it difficult to detect.  The executable is stored in the user’s ‘appdata’ folder.  Yep, you read that right, it is under ‘%userprofile%\AppData\Local\Google\Software Reporter Tool’.  It is all signed and registered to Google.

 

There is another side to this trick in that not all my operating systems have this.  Why?  I am not sure.  Do I care?  Not really.  The fact it has done what it has on some of my machines is trouble enough.  Oh and by the way it also copies the runner under ‘%userprofile%\AppData\Local\Google\Chrome\User Data\SwReporter’ for the version run.  So not only do you have one copy per user you now have extra copies per version per user.  This just gets better.
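
To see how many copies have accumulated on a machine, the following PowerShell (an added example, not part of the original post) walks every local profile, looks in the two folders named above, and reports each copy's version, size and Authenticode signer. It assumes profiles live beside the current user's profile folder and that the files are named software_reporter_tool*; run it elevated to read other users' profiles.

```powershell
# Added example: inventory Software Reporter Tool copies for every local profile.
# The relative paths are the two locations named in the post. The profile root is
# assumed to be the parent of the current user's profile (default Windows layout).
$relativePaths = @(
    'AppData\Local\Google\Software Reporter Tool',
    'AppData\Local\Google\Chrome\User Data\SwReporter'
)
$profileRoot = Split-Path -Path $env:USERPROFILE -Parent

$found = @(
    foreach ($userDir in Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue) {
        foreach ($rel in $relativePaths) {
            $dir = Join-Path -Path $userDir.FullName -ChildPath $rel
            if (-not (Test-Path -LiteralPath $dir)) { continue }

            # File name pattern is an assumption based on the process name in the post.
            Get-ChildItem -LiteralPath $dir -Recurse -File -Filter 'software_reporter_tool*' -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                    [pscustomobject]@{
                        User      = $userDir.Name
                        Version   = $_.VersionInfo.FileVersion
                        SizeMB    = [math]::Round($_.Length / 1MB, 1)
                        SigStatus = $sig.Status
                        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                        Path      = $_.FullName
                    }
                }
        }
    }
)

# Full inventory: one row per copy found.
$found | Sort-Object User, Version | Format-Table -AutoSize -Wrap

# Copies per user: a count above one means per-version duplicates are building up.
$found | Group-Object User | Select-Object Name, Count

# Any copy that is not validly signed, or whose signer is not Google, deserves a closer look.
$found | Where-Object { $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Google' }
```

The last query should normally return nothing; a file with this name in these folders that fails the signature check is not the tool the post describes.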

 

Can you protect against this?  Depends.  If you have application blocking where only ‘Admin’ installed software will run, it may be blocked if it is user installed.  If you block execution of processes outside this ‘good practice’, you may, but this is likely to break something else important.  You might be able to block the directory in a more granular way, which will work until the collection method changes.

 

What does the tool do?  I have not yet delved deeper to find out, but with the title it has I am sure it is not for my benefit.  In effect they have entered my house, had a wander round and gone away.  When I didn’t know, I was fine.  But now I do.  I am now uncomfortable and I can’t make them un-look.

 

But as always with these things if you don’t pay for something you are the product! 

 

 

Simon Thompson (Avanite Developer)

 
