Wilders Security Forums  

  #1  
Old August 10th, 2012, 09:09 PM
Brandonn2010
Very Frequent Poster
 
Join Date: Jan 2011
Posts: 1,208
Thumbs down What is Google Chrome Doing ?!

I reinstalled Chrome yesterday to get rid of the m after my version number (I'm OCD). After reinstalling it still had it, but I noticed troubling alerts from AppGuard:


08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Google Installer>.
08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Task Scheduler Engine>.
08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <KeePass Password Safe 1.23>.
08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Catalyst Control Center: Host application>.
08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Catalyst Control Center: Monitoring program>.
08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <AppGuard GUI Application>.
08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <avast! Antivirus>.
08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Windows Explorer>.
08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Desktop Window Manager>.
08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Host Process for Windows Tasks>.

Why does Chrome need to access my other running programs?
__________________
OS: Windows 7 Pro x64 | First-Line: Norton DNS + Google Chrome | Realtime: Bitdefender Free Antivirus | On-Demand: HitmanPro Free + Malwarebytes Free | My Computer Security Website: Link
  #2  
Old August 10th, 2012, 09:23 PM
Page42
Massive Poster
 
Join Date: Jun 2007
Location: Last Breath Farm
Posts: 4,580
Default Re: What is Google Chrome Doing ?!

Quote:
Originally Posted by Brandonn2010
I reinstalled Chrome yesterday to get rid of the m after my version number (I'm OCD). After reinstalling it still had it, but I noticed troubling alerts from AppGuard
I have to ask, Brandonn, what is the significance of the 'm', and why do you want to get rid of it?
As for the rest of your post, I look on with interest as well.
__________________
To err is human; to forgive, infrequent. - Franklin P. Adams
  #3  
Old August 10th, 2012, 09:27 PM
Brandonn2010
Very Frequent Poster
 
Join Date: Jan 2011
Posts: 1,208
Default Re: What is Google Chrome Doing ?!

Quote:
Originally Posted by Page42
I have to ask, Brandonn, what is the significance of the 'm', and why do you want to get rid of it?
As for the rest of your post, I look on with interest as well.

Having the 'm' I believe means there are multiple versions of Chrome, yet I only have 1. Of course even after uninstalling Chrome, deleting the Chrome and now obsolete Chromium folder, and deleting all registry keys, it still has the 'm' after reinstalling, lol.

However, I'm more concerned now by Chrome's behavior. Maybe it is trying to see what programs I have installed? I never read the privacy statements of programs.
__________________
OS: Windows 7 Pro x64 | First-Line: Norton DNS + Google Chrome | Realtime: Bitdefender Free Antivirus | On-Demand: HitmanPro Free + Malwarebytes Free | My Computer Security Website: Link
  #4  
Old August 11th, 2012, 02:07 AM
Brandonn2010
Very Frequent Poster
 
Join Date: Jan 2011
Posts: 1,208
Default Re: What is Google Chrome Doing ?!

Just caught it trying to access more programs


08/10/12 23:05:01 Prevented <Google Installer> from reading memory of <Apple Push>.
08/10/12 23:05:01 Prevented <Google Installer> from reading memory of <iTunes>.
08/10/12 23:05:01 Prevented <Google Installer> from reading memory of <Steam>.
08/10/12 23:05:01 Prevented <Google Installer> from reading memory of <Console Window Host>.

And for some reason

08/10/12 23:05:01 Prevented <Google Installer> from reading memory of <Google Installer>.
__________________
OS: Windows 7 Pro x64 | First-Line: Norton DNS + Google Chrome | Realtime: Bitdefender Free Antivirus | On-Demand: HitmanPro Free + Malwarebytes Free | My Computer Security Website: Link
  #5  
Old August 11th, 2012, 02:32 AM
carat
 
Posts: n/a
Default Re: What is Google Chrome Doing ?!

Hehe, so if you install Google Chrome, install a HIPS as well to watch your browser!
  #6  
Old August 11th, 2012, 04:12 AM
Amit
Massive Poster
 
Join Date: May 2011
Location: Parallel Universe
Posts: 4,631
Default Re: What is Google Chrome Doing ?!

Quote:
Originally Posted by tpro
Hehe, so if you install Google Chrome, install a HIPS as well to watch your browser!
LOL. Right.
__________________
✓The first principle is that you must not fool yourself, and you are the easiest person to fool.
✓Science is the belief in the ignorance of experts.
✓I don't know anything, but I do know that everything is interesting if you go into it deeply enough.


-------Richard P. Feynman---------
  #7  
Old August 11th, 2012, 04:51 AM
sukarof
Very Frequent Poster
 
Join Date: Jun 2004
Location: Stockholm Sweden
Posts: 1,604
Default Re: What is Google Chrome Doing ?!

HIPS is a double-edged sword against the bad guys. But you must really know the inner workings of Windows to appreciate what is dangerous and not. Therefore a look at the logs can be scary sometimes.
I am by no means an expert but the things you report seem to me to be legit queries. I would guess that Chrome checks if it needs to use, and how, any of the stuff that it is looking for. I can imagine that for example the query for KeePass is logical since I believe that it has a form filling tool. Chrome looks for iTunes to see if it is the default media player and so on.
I hope a more knowledgeable person will correct me if I am wrong in my way of thinking here.
__________________
OS: Windows 8 PRO 64bit
Imaging: Macrium Reflect Pro ver. 5. Image for Windows. Virtualization: VMware Workstation. Password manager: LastPass Premium
AV/FW: Kaspersky Internet Security 2013 Currently testing: AX64 Time Machine.
  #8  
Old August 11th, 2012, 04:53 AM
Hungry Man
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: What is Google Chrome Doing ?!

Could be a lot of things. The updater's open source though so I doubt it's outright malicious.

If you've opted to provide anonymous data it could be that.

The installer may check other running programs to see if another instance of the installer is running. It may check for known conflicting programs.

It could be Google spying on you.

HIPS tell you what's happening, not why.
__________________
  #9  
Old August 11th, 2012, 03:24 PM
Brandonn2010
Very Frequent Poster
 
Join Date: Jan 2011
Posts: 1,208
Default Re: What is Google Chrome Doing ?!

Also note this never happened before Chrome 21. It happened again this morning after I logged in.

I don't have the expertise to look into this, so I'm hoping one of you can.
__________________
OS: Windows 7 Pro x64 | First-Line: Norton DNS + Google Chrome | Realtime: Bitdefender Free Antivirus | On-Demand: HitmanPro Free + Malwarebytes Free | My Computer Security Website: Link
  #10  
Old August 11th, 2012, 03:51 PM
adrenaline7
Regular Poster
 
Join Date: Apr 2011
Posts: 124
Default Re: What is Google Chrome Doing ?!

I installed Chrome since I have read that it has a stronger sandbox than IE's protected mode, and everyone said it was way more secure than FF.

After installation I used it for a few days. I noticed in Process Monitor that googleupdaterservice.exe was using disk I/O and accessing my system nearly 100% of the time. I have tested Chrome on other systems and the way it hooks into your system is excessive, and I don't want a stupid browser service accessing my system when I'm not even online or using a browser. I could be typing in MS Word and open procmon and you will see Google crap loading all over in the background for no good reason. See for yourself.

IE or FF don't do that. Google has privacy concerns and at worst Chrome is spyware, at best it is very inefficient. Regardless, I consider it the most overrated software program ever and it won't be used on any of my systems.
  #11  
Old August 11th, 2012, 04:40 PM
TheWindBringeth
Frequent Poster
 
Join Date: Feb 2012
Posts: 805
Default Re: What is Google Chrome Doing ?!

Quote:
Originally Posted by sukarof
...I can imagine that for example the query for KeePass is logical since I believe that it has a form filling tool...
KeePass is a standalone password manager. It doesn't integrate with the browser and the browser doesn't have to know of its existence. However, the user could install a KeePass plugin that manipulates the browser or install something in the browser that manipulates KeePass [plugins]. I'd be interested to know if the OP installed such a thing.

Can the OP correlate such messages with something they were doing? For example, do they see the message in response to launching KeePass or when using autotype or ___?

Edit: Given that it is happening with multiple apps around the same moment I think it is not triggered by use of one particular one.

Last edited by TheWindBringeth : August 11th, 2012 at 04:54 PM.
  #12  
Old August 11th, 2012, 05:42 PM
Brandonn2010
Very Frequent Poster
 
Join Date: Jan 2011
Posts: 1,208
Default Re: What is Google Chrome Doing ?!

Quote:
Originally Posted by TheWindBringeth
KeePass is a standalone password manager. It doesn't integrate with the browser and the browser doesn't have to know of its existence. However, the user could install a KeePass plugin that manipulates the browser or install something in the browser that manipulates KeePass [plugins]. I'd be interested to know if the OP installed such a thing.

Can the OP correlate such messages with something they were doing? For example, do they see the message in response to launching KeePass or when using autotype or ___?

Edit: Given that it is happening with multiple apps around the same moment I think it is not triggered by use of one particular one.

Nothing special. And if you notice the times, it decided to access everything at once. Also, I believe before I reinstalled it, I disabled Google Update from starting with Windows with CCleaner. Perhaps that's why I'm noticing it doing this now, but I still see no reason for it to try and read the memory of so many other programs.

Here is from today:


08/11/12 12:05:02 Prevented process <googleupdate.exe - c:\users\brandon\appdata\local\google\update\install\{f7a09661-955a-40c2-94b9-0ca5e6a21e10}\googleupdatesetup.exe> from launching from <c:\users\brandon\appdata\local\temp\gum9bb3.tmp>.
08/11/12 12:05:01 Prevented process <GoogleUpdateSetup.exe> from writing to <c:\program files (x86)\gum9bb2.tmp>.
08/11/12 12:05:01 Prevented <Google Installer> from writing to <\registry\machine\software\wow6432node\microsoft\windows\currentversion\internet settings\zonemap>.
08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <Google Installer>.
08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <Task Scheduler Engine>.
08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <Microsoft Windows Search Protocol Host>.
08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <KeePass Password Safe 1.23>.
08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <Google Chrome>.
08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <Catalyst Control Center: Host application>.
08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <Catalyst Control Center: Monitoring program>.
08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <AppGuard GUI Application>.
08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <avast! Antivirus>.
08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <Windows Explorer>.
08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <Desktop Window Manager>.
08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <Host Process for Windows Tasks>.
08/11/12 12:01:30 Prevented <Google Chrome> from writing to <\registry\machine\software\classes\wow6432node\interface\{618736e0-3c3d-11cf-810c-00aa00389b71}>.
__________________
OS: Windows 7 Pro x64 | First-Line: Norton DNS + Google Chrome | Realtime: Bitdefender Free Antivirus | On-Demand: HitmanPro Free + Malwarebytes Free | My Computer Security Website: Link
  #13  
Old August 11th, 2012, 08:06 PM
Brandonn2010
Very Frequent Poster
 
Join Date: Jan 2011
Posts: 1,208
Default Re: What is Google Chrome Doing ?!

It just happened again, except this time I was copying my Wilders username and password from KeePass to Chrome.
__________________
OS: Windows 7 Pro x64 | First-Line: Norton DNS + Google Chrome | Realtime: Bitdefender Free Antivirus | On-Demand: HitmanPro Free + Malwarebytes Free | My Computer Security Website: Link
  #14  
Old August 11th, 2012, 08:27 PM
wat0114
Frequent Poster
 
Join Date: Aug 2012
Location: Canada
Posts: 719
Default Re: What is Google Chrome Doing ?!

@Brandonn,

if you are concerned about privacy issues, and you want to determine if Google really is broadcasting private information or otherwise, you could check your firewall logs if you run an application firewall that logs outbound comms, or install Wireshark and check the packets relating to Google processes. You would have to ensure WinPcap is included as part of the install. You may not be able to see for sure what type of info is being broadcast, especially in rudimentary firewall logs (Wireshark will display more detail), but at least you'll know from the time/date stamps exactly when the comms occurred, and whether they occurred when you were browsing or not.
  #15  
Old August 11th, 2012, 08:35 PM
TheWindBringeth
Frequent Poster
 
Join Date: Feb 2012
Posts: 805
Default Re: What is Google Chrome Doing ?!

In addition to the blocked "from reading memory of" operations notice the other four blocked operations. Is there a Google log you can enable/view? Maybe it will add to the picture.
  #16  
Old August 11th, 2012, 11:58 PM
STV0726
Frequent Poster
 
Join Date: Jul 2010
Posts: 868
Default Re: What is Google Chrome Doing ?!

Quote:
Originally Posted by Page42
I have to ask, Brandonn, what is the significance of the 'm', and why do you want to get rid of it?
As for the rest of your post, I look on with interest as well.

What is the significance of someone washing their hands for 10 minutes or checking to make sure their door is locked 20 times?

None. And even while the people that do so may internally know it is pointless, they cannot stop themselves from repeatedly performing the compulsion to provide relief from the fear or obsession. Hence, Obsessive Compulsive Disorder.

I have it. I understand. I would probably have done the same thing, along with verifying the URL I downloaded it from by staring at it for at least 1 minute, then scanning with my AVs at least twice each and spending a few minutes re-reading "No Threats Found" just to prove to myself my eyes aren't deceiving me.

I know it sounds so stupid but I can't stop.
__________________
~ STV0726
OS: Windows 7|SRP|SUA|UAC|EFS|EMET|Firewall|Backup
Resident: Webroot SecureAnywhere 2013|Sandboxie
On-Demand: MBAM|SAS|HMP|Comodo CE|Secunia PSI
Browser: Firefox|Web of Trust|Adblock Plus|NoScript
Hardware/Other: Linksys Router|Norton ConnectSafe DNS
  #17  
Old August 12th, 2012, 12:23 AM
Brandonn2010
Very Frequent Poster
 
Join Date: Jan 2011
Posts: 1,208
Default Re: What is Google Chrome Doing ?!

Is anyone else with AppGuard and Chrome installed to AppData able to replicate this? Also my exclusion for Chrome is in User Space, and the Chrome folder in AppData is excluded.
__________________
OS: Windows 7 Pro x64 | First-Line: Norton DNS + Google Chrome | Realtime: Bitdefender Free Antivirus | On-Demand: HitmanPro Free + Malwarebytes Free | My Computer Security Website: Link
  #18  
Old August 12th, 2012, 01:13 AM
wat0114
Frequent Poster
 
Join Date: Aug 2012
Location: Canada
Posts: 719
Default Re: What is Google Chrome Doing ?!

The Alternative installer Chrome, open and left idle at Google.ca over a period of ~ 1 hr, does not seem to broadcast anything out of the ordinary. At startup the Googleupdate.exe does some checks, and after that a small handful of comms from chrome.exe can be seen to remote ports 80 & 443 to Google IPs (eg: 74.125.225.136 & 173.194.39.130). Similar comms can be seen with IE9 left idle at Google.ca. Maybe tone down AppGuard's settings to act as less of a "nanny state" and focus it more as an anti-executable? Just a thought.
  #19  
Old August 12th, 2012, 04:06 PM
Brandonn2010
Very Frequent Poster
 
Join Date: Jan 2011
Posts: 1,208
Default Re: What is Google Chrome Doing ?!

Another new bit of info: I noticed it did it again today, and noticed that it always does it 5 minutes after the hour, meaning it has some kind of schedule.
__________________
OS: Windows 7 Pro x64 | First-Line: Norton DNS + Google Chrome | Realtime: Bitdefender Free Antivirus | On-Demand: HitmanPro Free + Malwarebytes Free | My Computer Security Website: Link
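
Added example, not part of any post in this thread: a short Python triage of the AppGuard lines quoted above, grouping blocked memory reads into per-second sweeps by one source and checking whether the sweeps share a minute offset, as post #19 observes. The line pattern is inferred only from the lines posted here, and the `min_targets=3` threshold is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the AppGuard output posted in this thread.
SAMPLE_LOG = r"""
08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Task Scheduler Engine>.
08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <KeePass Password Safe 1.23>.
08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Windows Explorer>.
08/10/12 23:05:01 Prevented <Google Installer> from reading memory of <Apple Push>.
08/10/12 23:05:01 Prevented <Google Installer> from reading memory of <iTunes>.
08/10/12 23:05:01 Prevented <Google Installer> from reading memory of <Steam>.
08/11/12 12:05:01 Prevented process <GoogleUpdateSetup.exe> from writing to <c:\program files (x86)\gum9bb2.tmp>.
08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <KeePass Password Safe 1.23>.
08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <Google Chrome>.
08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <avast! Antivirus>.
08/11/12 12:01:30 Prevented <Google Chrome> from writing to <\registry\machine\software\classes\wow6432node\interface\{618736e0-3c3d-11cf-810c-00aa00389b71}>.
"""

LINE_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) Prevented (?:process )?<([^>]+)> "
    r"from (reading memory of|writing to|launching from) <([^>]+)>\.$"
)

def parse(text):
    """Return (datetime, actor, action, target) for every recognised line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def memory_read_bursts(events, min_targets=3):
    """Group blocked memory reads by (second, actor); keep groups that hit at
    least min_targets distinct processes, i.e. a sweep rather than a one-off."""
    groups = defaultdict(set)
    for ts, actor, action, target in events:
        if action == "reading memory of":
            groups[(ts, actor)].add(target)
    return sorted((ts, actor, sorted(t)) for (ts, actor), t in groups.items()
                  if len(t) >= min_targets)

def minutes_past_hour(bursts):
    """Distinct minute offsets of the bursts; a single value suggests a schedule."""
    return sorted({ts.minute for ts, _, _ in bursts})

def other_blocked(events):
    """Blocked operations that are not memory reads (file/registry writes, launches)."""
    return [(ts, actor, action) for ts, actor, action, _ in events
            if action != "reading memory of"]

if __name__ == "__main__":
    bursts = memory_read_bursts(parse(SAMPLE_LOG))
    for ts, actor, targets in bursts:
        print(ts, actor, len(targets), "targets")
    print("minutes past the hour:", minutes_past_hour(bursts))
```

The output shows which source produced each sweep and when; like the HIPS log itself, it says nothing about why the reads were attempted.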
  #20  
Old August 14th, 2012, 03:05 AM
Brandonn2010
Very Frequent Poster
 
Join Date: Jan 2011
Posts: 1,208
Default Re: What is Google Chrome Doing ?!

In case you haven't seen my post in the AppGuard thread, I reinstalled Chrome today, but used the Chrome installer from Google, not one downloaded from Softpedia. The activity has yet to happen since reinstalling. I don't know why it would be any different. The installers were the same size, and Softpedia's was totally clean on VT. Weird.
__________________
OS: Windows 7 Pro x64 | First-Line: Norton DNS + Google Chrome | Realtime: Bitdefender Free Antivirus | On-Demand: HitmanPro Free + Malwarebytes Free | My Computer Security Website: Link
  #21  
Old August 14th, 2012, 03:37 AM
arsenaloyal
Frequent Poster
 
Join Date: Nov 2009
Posts: 446
Default Re: What is Google Chrome Doing ?!

To be honest I have never trusted Google Chrome, and I have never installed it on any of my machines.

Personally I would recommend you to try SRWare Iron or Comodo Dragon rather than using Google, if you are opting for a Chromium-based browser.
__________________
Desktop - Windows 8 Pro x64 - Real-Time : Outpost Security Suite Pro | Appguard | AdMuncher Premium
Laptop - Windows 8 Enterprise x64 - Real-Time : Outpost Firewall Pro | Exe Radar Pro | Sandboxie | AdMuncher Premium
  #22  
Old August 14th, 2012, 04:29 PM
Brandonn2010
Very Frequent Poster
 
Join Date: Jan 2011
Posts: 1,208
Default Re: What is Google Chrome Doing ?!

Damn, it did it again.

And arsenaloyal, I like the original Chrome because of the built-in Flash and PDF viewer, and its sandbox.

I'm sure its activities are harmless, I just want to know why it's doing it.
__________________
OS: Windows 7 Pro x64 | First-Line: Norton DNS + Google Chrome | Realtime: Bitdefender Free Antivirus | On-Demand: HitmanPro Free + Malwarebytes Free | My Computer Security Website: Link
 

All times are GMT -4. The time now is 01:25 AM.

