
Windows - Security - Retrieve Last Logged-In User Browser History

Retrieves browser history for the last logged-in user on Windows endpoints

Worklet Details

What the browser history retrieval Worklet does

This Automox Worklet™ extracts browser history from the last logged-in user on Windows endpoints. It parses browser databases from Chrome, Microsoft Edge, and Brave browsers to retrieve URLs visited by that user.

The Worklet automatically detects the user who most recently logged into the endpoint and retrieves their browser history data directly from the browsers' History files. It handles user profiles stored in non-standard locations, including redirected user profile directories and user profile disks.

By default, the Worklet returns the 50 most recent sites visited, but you can configure it to retrieve all available browser history from Chrome, Edge, and Brave browsers.

Why audit browser history on your endpoints

Browser history audits help you understand endpoint usage patterns and detect potentially risky web activity. This Worklet enables security teams to investigate suspicious behavior, verify compliance with acceptable use policies, and identify unauthorized access to sensitive sites.

Retrieving browser history directly from endpoints gives you visibility into what users have been accessing, which is essential for forensic investigations and compliance audits. The Worklet extracts this data without requiring manual endpoint access or user cooperation.

How browser history extraction works

  1. Evaluation phase: The Worklet queries the Windows Registry at HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList to identify the last logged-in user by SID, then verifies their profile exists and contains a ProfileImagePath.

  2. Remediation phase: The Worklet reads each browser's History file under the profile's AppData\Local directory (Chrome at AppData\Local\Google\Chrome\User Data\Default\History, Edge at AppData\Local\Microsoft\Edge\User Data\Default\History, and Brave at AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\History), extracts URLs using regex pattern matching, and outputs the results sorted by recency.
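
The two phases above as a read-only PowerShell sketch; this is an added example, not the Automox Worklet's own script. Picking the most recent profile from the LocalProfileLoadTimeHigh/Low registry values, the URL regex, and the output layout are assumptions, and matches are returned in file order rather than true recency.

```powershell
# Added example: read-only sketch of the two phases; not the Automox Worklet source.
$numSites    = 50   # 0 returns every match, as with the Worklet's numSites parameter
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Evaluation: choose the user SID whose profile was loaded most recently.
# Assumption: recency comes from LocalProfileLoadTimeHigh/Low (a FILETIME split into two DWORDs).
$last = Get-ChildItem -Path $profileList |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.ProfileImagePath -and (Test-Path -LiteralPath $p.ProfileImagePath)) {
            $high = ([int64]$p.LocalProfileLoadTimeHigh) -band 0xFFFFFFFFL
            $low  = ([int64]$p.LocalProfileLoadTimeLow)  -band 0xFFFFFFFFL
            [pscustomobject]@{ Sid = $_.PSChildName; Path = $p.ProfileImagePath; Loaded = ($high -shl 32) -bor $low }
        }
    } | Sort-Object -Property Loaded -Descending | Select-Object -First 1
if (-not $last) { Write-Output 'No user profile with a valid ProfileImagePath.'; return }

# Remediation: scan each browser's History file for URL-shaped strings.
$historyFiles = [ordered]@{
    Chrome = 'AppData\Local\Google\Chrome\User Data\Default\History'
    Edge   = 'AppData\Local\Microsoft\Edge\User Data\Default\History'
    Brave  = 'AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\History'
}
# Assumed pattern: scheme, host (captured), then printable ASCII. History is a SQLite
# file whose column values are stored back to back, so a match can run into the page title.
$urlPattern = 'https?://([A-Za-z0-9.-]+)[\x21-\x7e]*'
$latin1     = [System.Text.Encoding]::GetEncoding(28591)   # maps every byte to one char

foreach ($browser in $historyFiles.Keys) {
    $file = Join-Path -Path $last.Path -ChildPath $historyFiles[$browser]
    if (-not (Test-Path -LiteralPath $file)) { Write-Output "[$browser] no History file"; continue }
    try {
        # Read-only open that tolerates other processes holding the file for read or write.
        $fs = [System.IO.File]::Open($file, 'Open', 'Read', 'ReadWrite')
        try { $ms = New-Object System.IO.MemoryStream; $fs.CopyTo($ms); $bytes = $ms.ToArray() }
        finally { $fs.Dispose() }
    } catch { Write-Output "[$browser] cannot read ${file}: $($_.Exception.Message)"; continue }
    $hits = [regex]::Matches($latin1.GetString($bytes), $urlPattern) |
        ForEach-Object { '{0}  {1}' -f $_.Groups[1].Value, $_.Value } | Select-Object -Unique
    if ($numSites -gt 0) { $hits = $hits | Select-Object -First $numSites }
    Write-Output "[$browser] $(@($hits).Count) URL(s) for SID $($last.Sid)"
    $hits
}
```

Run it from an elevated or SYSTEM context, as the requirements below describe; the script only reads the registry and the History files and writes nothing back.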

Browser history retrieval requirements

  • Windows Server 2012 or later, or Windows 10 and Windows 11

  • Supported browsers: Google Chrome, Microsoft Edge, or Brave Browser

  • Administrator or SYSTEM account context required to read user profile registry keys and browser History files

  • PowerShell 3.0 or later

  • Set numSites parameter to 0 to retrieve all history (note: this can be extremely time-consuming on older endpoints with extensive browsing history)

Expected browser history audit results

After running this Worklet, you receive formatted output containing the most recent URLs visited by the last logged-in user, separated by browser. Each line displays the domain and full URL extracted from that browser's history cache. The output appears in the Automox activity log, where you can review it for compliance validation, security investigations, or forensic analysis.

If the endpoint has no logged-in users or the last user has no browser profiles, the Worklet will report this status. Failed executions indicate missing user profiles, unavailable browser history files, or insufficient permissions to access the necessary registry keys and file system paths.

How to validate the Retrieve Last Logged-In User Browser History Worklet

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to the logic of the evaluation and remediation scripts.

  4. Validate the remediation output produced by script elements such as the Brave-Browser path, Get-LocalUser, and Sort-Object, then rerun the evaluation for compliance.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
