Removing old Per-User Google Chrome Installs

One of the fun challenges I’ve been meaning to look at for a while has been how to deal with old instances of Chrome that are sat in user profiles (we recently changed over and pushed Chrome out via GPO, but many users had the per-user install already on their PC).

While having these old installs isn’t a major issue as they aren’t being used (and are often left in profiles of users who have left the business), they do get flagged by security scanners such as Nessus as being security risks (I managed to find a copy of Chrome 3.0 installed somewhere!), and so cleaning them up has long been on my todo list.

Thankfully fellow reddit user bloodygonzo came to my rescue when I was asking about this on r/sysadmin and was able to provide the powershell script he had written to do exactly this.

First you need to ensure that the Execution Policy is set on each PC you intend to run this script on, you can either do this by hand using the Set-ExecutionPolicy RemoteSigned command from an elevated PowerShell prompt, or you can use a GPO to set this on any number of machines at once via a registry entry (this requires Group Policy Preferences which was part of XP SP2 I think):

  1. Open Group Policy Management Editor
  2. Browse to Computer Configuration> Preferences>Windows Settings> Registry
  3. Right click and create a new registry item:

Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
Value name: ExecutionPolicy
Value type: REG_SZ
Value data: RemoteSigned

  1. Now create a second registry item that will cover 32-bit Powershell on 64-bit machines:

Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Wow6432Node\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
Value name: ExecutionPolicy
Value type: REG_SZ
Value data: RemoteSigned

On the “Common” tab…
Check Item-level targeting
Press the “Targeting” button
Create a new “Environment Variable” item
Name: PROCESSOR_ARCHITECTURE
Value: AMD64

Once this has applied out to all your computers you should be able to then use either a logon script or something like the awesome PDQ Deploy to push this script out to all the computers you want to run it on.

Do note that because it iterates through all the user profile folders on each machine you will need to ensure that you run the script using administrator credentials or else it will fail (this is easy to do using PDQ Deploy).

<# Filename: Remove_Chrome.ps1

   Description: Removes file traces of Google Chrome from all user profiles directories
   and currently logged on user registry keys. There are no input or output parameters, 
   but if you want to do a dry run you can add -whatif at the end of each Remove-Item command.    

   Purpose: When Chrome for Business was rolled out not all traces of user installed Chrome was removed. In order to get rid
   of reported security vulnerabilities there is a need to manually remove these files/keys.
#>
# Set the root directory where User Chrome is installed.
# Uncomment the below line for XP systems
$RootDirectory= "C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\Application\*"

# Or Comment out the above line and uncomment this one for Vista/Win7 systems
# $RootDirectory= "C:\Users\*\AppData\Local\Google\Chrome\Application\*"

#Check for HKey Users registry drive. Create if needed
#if(!(Get-PSDrive -name HKU)){
    New-PSDrive HKU Registry HKEY_USERS
#}
# Set Registry paths for user installed chrome. (Users who are not logged on will not be checked)
$ChomeAddRemoveKey="HKU:\S-1-5-21*\Software\Microsoft\Windows\CurrentVersion\Uninstall"
$ChromeKey= "HKU:\S-1-5-21*\Software\Google\Update"

# Delete all files under Chrome's user install directory
Remove-Item -recurse -force $RootDirectory
# Find and remove all user specific chrome installs from the registry.
Get-ChildItem $ChromeAddRemoveKey -ErrorAction SilentlyContinue | Where-Object {($_.PSChildName -eq 'Google Chrome') -or ($_.PSChildName -eq 'Chrome')} | Remove-Item -force
Get-ChildItem $ChromeKey -ErrorAction SilentlyContinue -recurse | Where-Object {($_.PSChildName -eq '{8A69D345-D564-463c-AFF1-A69D9E530F96}') -or 
    ($_.PSChildName -eq '{00058422-BABE-4310-9B8B-B8DEB5D0B68A}')} | Remove-Item -force

Nick

Im a Sys-Admin for a growing UK company working down on the sunny South Coast of England, I love all things techie, especially Exchange and Virtualisation stuff. When not tinkering I can normally be found playing online games such as Planetside 2, Dayz and Battlefield 4.

  • Hello, great script. Modified it a bit to catch a new guid, added deletion of shortcuts, and also added -recurse for the registry deletions to make a powershell error disappear when registry key (folder) has subkey (subfolder).

    # Set the root directory where User Chrome is installed.

    $RootDirectory= “C:Users*AppDataLocalGoogleChromeApplication*”
    $ProfileStartMenuShortcut= “C:Users*AppDataRoamingMicrosoftWindowsStart MenuProgramsGoogle Chrome”
    $ProfileDesktopShortcut= “C:Users*DesktopGoogle Chrome.lnk”

    #Check for HKey Users registry drive. Create if needed
    #if(!(Get-PSDrive -name HKU)){
    New-PSDrive HKU Registry HKEY_USERS
    #}
    # Set Registry paths for user installed chrome. (Users who are not logged on will not be checked)
    $ChromeAddRemoveKey=”HKU:S-1-5-21*SoftwareMicrosoftWindowsCurrentVersionUninstall”
    $ChromeKey= “HKU:S-1-5-21*SoftwareGoogleUpdate”

    # Delete all files under Chrome’s user install directory
    Remove-Item -recurse -force $RootDirectory

    # Delete Chrome shortcuts from user Profiles
    Remove-Item -recurse -force $ProfileStartMenuShortcut
    Remove-Item -force $ProfileDesktopShortcut

    # Find and remove all user specific chrome installs from the registry.
    Get-ChildItem $ChromeAddRemoveKey -ErrorAction SilentlyContinue | Where-Object {
    ($_.PSChildName -eq ‘Google Chrome’) -or
    ($_.PSChildName -eq ‘Chrome’)
    } | Remove-Item -force
    Get-ChildItem $ChromeKey -ErrorAction SilentlyContinue -recurse | Where-Object {
    ($_.PSChildName -eq ‘{8A69D345-D564-463C-AFF1-A69D9E59630F}’) -or
    ($_.PSChildName -eq ‘{8A69D345-D564-463C-AFF1-A69D9E530F96}’) -or
    ($_.PSChildName -eq ‘{00058422-BABE-4310-9B8B-B8DEB5D0B68A}’)
    } | Remove-Item -recurse -force