Get Installed Browser Extensions

What the browser extension auditor does

This Automox Worklet™ enumerates browser profiles across all user accounts on a Windows endpoint and retrieves a complete inventory of installed extensions. The Worklet scans Chromium-based browsers including Microsoft Edge, Google Chrome, and Brave Software Brave, as well as Mozilla Firefox.

For each detected browser profile, the Worklet reads the extension manifest files and extracts the extension name and version. Extensions that use locale-based naming conventions (where names are referenced via __MSG_* tokens in manifest.json) are properly resolved using the browser's locale files.

Results are formatted hierarchically in the Activity Log, organized by user account, browser, profile, and individual extension. This structure makes it easy to track which extensions exist on which endpoints and which users have them installed.

Why audit browser extensions across your environment

Browser extensions can introduce significant security and compliance risks to your organization. Malicious or poorly-maintained extensions can access sensitive data, inject scripts into web traffic, or create backdoors for attackers. IT teams need visibility into what extensions exist on endpoints to identify unauthorized, outdated, or suspicious add-ons.

This Worklet provides the foundational inventory needed to enforce browser extension policies. Once you understand what extensions are installed across your fleet, you can use Automox policies to remove unwanted extensions, enforce approved add-ons, or block extension installations entirely.

Extension auditing also supports compliance frameworks like CIS Benchmarks, which recommend controlling browser functionality and restricting extension capabilities. By running this Worklet regularly, you maintain an audit trail of extension usage patterns and can respond quickly to security incidents involving compromised add-ons.

How browser extension detection works

1. Evaluation phase: The Worklet queries Win32_UserProfile to identify all local user profiles on the endpoint. For each profile, it checks for browser data directories in %LOCALAPPDATA% (Edge, Chrome, Brave) and %APPDATA%\Mozilla\Firefox (Firefox). If profile folders exist, the Worklet scans for extension metadata files.

2. Remediation phase: The Worklet reads manifest.json from each extension directory, extracts the name and version fields, and handles internationalized names by reading from the _locales\en\messages.json file. For Firefox, the Worklet parses extensions.json and filters for active extensions. All discovered extensions are output to the Activity Log in a hierarchical, human-readable format.

Browser extension discovery requirements

• Windows 10 or Windows 11 (Server 2016 and later also supported)

• At least one of the following browsers installed: Microsoft Edge (Chromium), Google Chrome, Brave Browser, or Mozilla Firefox

• Automox Agent running with sufficient permissions to read user profile directories (typically System or Administrator context)

• PowerShell 5.0 or later available on the endpoint

• Run this Worklet immediately via RunNow rather than as a scheduled policy for accurate, on-demand reporting

Expected browser inventory output

After running this Worklet, the Activity Log will display a complete extension inventory organized hierarchically by user account, browser, and profile. Each extension entry shows the extension name and version number, allowing you to identify which extensions are deployed and whether they are running current versions. You can verify this change through the Automox Activity Log or by checking the endpoint configuration directly.

Use this output as a baseline to detect unauthorized extensions, identify outdated add-ons that need updating, or verify that specific extensions required by your organization are present. You can run the Worklet on a schedule or on-demand as your security posture and compliance requirements change. If no extensions are found for a user-browser-profile combination, that profile simply does not appear in the output.

How to validate get installed browser extensions changes

1. Run this Worklet on a pilot Windows endpoint and review evaluation output for get installed browser extensions.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as the evaluation and remediation scripts.

4. Validate remediation effects from script operations such as Brave-Browser, ForEach-Object, Get-CimInstance, then rerun evaluation for compliance.