Employees in an organization may use their company-owned devices for non-work-related purposes. Admins can inspect employees' browsing histories to understand what they have browsed on the internet with their corporate devices. However, manually checking the browsing history on every device is tedious. Hence, you can deploy scripts from the Hexnode portal to fetch browsing history from Windows devices remotely.
Disclaimer:
The Sample Scripts provided below are adapted from third-party Open-Source sites.
PowerShell script to get the browsing history of Google Chrome
$UserName = "USERNAME"
$UserName
# Optional regex filter; an empty pattern matches every URL
$Search = ''
$Path = "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History"
if (-not (Test-Path -Path $Path)) {
    Write-Verbose "[!] Could not find Chrome History for username: $UserName"
    # Stop here instead of trying to read a file that does not exist
    return
}
# The History file is a SQLite database; this pulls every URL-shaped string out of its raw content
$Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
$Value = Get-Content -Path $Path | Select-String -AllMatches $Regex | % {($_.Matches).Value} | Sort-Object -Unique
$Value | ForEach-Object {
    $Key = $_
    if ($Key -match $Search) {
        New-Object -TypeName PSObject -Property @{
            User = $UserName
            Browser = 'Chrome'
            DataType = 'History'
            Data = $_
        }
    }
}
Replace “USERNAME” with the username of the account whose browsing history you would like to retrieve.
PowerShell script to get the browsing history of Microsoft Edge
$UserName = "USERNAME"
$UserName
# Optional regex filter; an empty pattern matches every URL
$Search = ''
$Path = "$Env:systemdrive\Users\$UserName\AppData\Local\Microsoft\Edge\User Data\Default\History"
if (-not (Test-Path -Path $Path)) {
    Write-Verbose "[!] Could not find Edge History for username: $UserName"
    # Stop here instead of trying to read a file that does not exist
    return
}
# The History file is a SQLite database; this pulls every URL-shaped string out of its raw content
$Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
$Value = Get-Content -Path $Path | Select-String -AllMatches $Regex | % {($_.Matches).Value} | Sort-Object -Unique
$Value | ForEach-Object {
    $Key = $_
    if ($Key -match $Search) {
        New-Object -TypeName PSObject -Property @{
            User = $UserName
            Browser = 'Edge'
            DataType = 'History'
            Data = $_
        }
    }
}
Replace “USERNAME” with the username of the account whose browsing history you would like to retrieve.
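The Chrome and Edge scripts above read the History file as raw text, so they return URLs only. The following is an added example, not one of Hexnode's scripts: it queries the same files as SQLite databases to also return the last visit time and visit count. It assumes sqlite3.exe is already present at the path used by the Firefox script on this page; the output property names LastVisitUtc and Visits are chosen here for illustration.

```powershell
$UserName = "USERNAME"
# Assumption: sqlite3.exe was already placed here by the Firefox script on this page
$Sqlite = 'C:\SQLite3\sqlite-tools-win32-x86-3380500\sqlite3.exe'
$Base   = "$Env:systemdrive\Users\$UserName\AppData\Local"
$Browsers = @{
    Chrome = "$Base\Google\Chrome\User Data\Default\History"
    Edge   = "$Base\Microsoft\Edge\User Data\Default\History"
}
# last_visit_time is stored as microseconds since 1601-01-01 UTC; convert it to a readable UTC time
$Query = "SELECT datetime(last_visit_time/1000000 - 11644473600, 'unixepoch'), visit_count, url FROM urls ORDER BY last_visit_time DESC;"

foreach ($Name in $Browsers.Keys) {
    $Db = $Browsers[$Name]
    if (-not (Test-Path -LiteralPath $Db -PathType Leaf)) {
        Write-Warning "[$Name] No History file for username: $UserName"
        continue
    }
    # A running browser keeps the live database locked, so query a temporary copy instead
    $Copy = Join-Path $env:TEMP ("{0}-{1}.sqlite" -f $Name, [guid]::NewGuid())
    try {
        Copy-Item -LiteralPath $Db -Destination $Copy -ErrorAction Stop
        # sqlite3 prints one row per line with '|' between columns; the URL is last, so split into 3 parts only
        & $Sqlite $Copy $Query | ForEach-Object {
            $Time, $Visits, $Url = $_ -split '\|', 3
            [pscustomobject]@{
                User         = $UserName
                Browser      = $Name
                DataType     = 'History'
                LastVisitUtc = $Time
                Visits       = [int]$Visits
                Data         = $Url
            }
        }
    }
    catch {
        Write-Warning "[$Name] $($_.Exception.Message)"
    }
    finally {
        # Do not leave copies of a user's history behind in the temp folder
        Remove-Item -LiteralPath $Copy -Force -ErrorAction SilentlyContinue
    }
}
```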
PowerShell script to get the browsing history of Firefox
$UserName = $args[0]
# Download SQLite
if (-not (Test-Path -Path C:\sqlite.zip -PathType Leaf)) {
    Invoke-WebRequest -Uri "https://www.sqlite.org/2022/sqlite-tools-win32-x86-3380500.zip" -OutFile C:\sqlite.zip
}
# Extract to the SQLite folder
if (-not (Test-Path -Path "C:\SQLite3\sqlite-tools-win32-x86-3380500\sqlite3.exe")) {
    Expand-Archive C:\sqlite.zip -DestinationPath C:\SQLite3 -Force
}
# Read data from the table
try {
    $Path = "C:\Users\$UserName\AppData\Roaming\Mozilla\Firefox\Profiles"
    # Match profile folders whose names contain ".default-release"
    $Profiles = Get-ChildItem -Path $Path -Directory -Filter "*.default-release*" -ErrorAction SilentlyContinue
    ForEach ($item in $Profiles) {
        # Use the full path so the database is found regardless of the current directory
        $DataSource = Join-Path $item.FullName "places.sqlite"
        $tables = C:\SQLite3\sqlite-tools-win32-x86-3380500\sqlite3.exe $DataSource ".tables"
        if ($tables -match "moz") {
            C:\SQLite3\sqlite-tools-win32-x86-3380500\sqlite3.exe $DataSource "SELECT url from moz_places"
        }
    }
}
catch {
    Write-Host $_.Exception.Message
}
Please note that while deploying the script from the portal, you must provide the username of the account whose browsing history you would like to retrieve in the field corresponding to Arguments.
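The Firefox script above downloads sqlite3.exe and runs it without checking what was downloaded. The following is an added example, not one of Hexnode's scripts, that can replace the download and extract steps: it pins the archive to a SHA-256 value and keeps the tool in a folder that standard users cannot modify. The hash is a placeholder to fill in from a copy you have validated, and the Program Files location and the Test-Sha256 helper are assumptions made for this example.

```powershell
$ZipUrl      = 'https://www.sqlite.org/2022/sqlite-tools-win32-x86-3380500.zip'  # URL from the script above
$ExpectedZip = '<SHA256-OF-THE-ZIP-YOU-VALIDATED>'  # placeholder: record this from a copy you have verified

# Assumption: the script runs elevated, so it can write under Program Files
$ToolRoot = Join-Path $env:ProgramFiles 'SQLite3'
$Zip      = Join-Path $ToolRoot 'sqlite.zip'
$Sqlite   = Join-Path $ToolRoot 'sqlite-tools-win32-x86-3380500\sqlite3.exe'

# Hypothetical helper: true only if the file exists and its SHA-256 equals the pinned value
function Test-Sha256 {
    param([string]$Path, [string]$Expected)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    return (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash -eq $Expected
}

New-Item -ItemType Directory -Path $ToolRoot -Force | Out-Null

# Download only when there is no archive yet or the stored one no longer matches the pin
if (-not (Test-Sha256 -Path $Zip -Expected $ExpectedZip)) {
    Invoke-WebRequest -Uri $ZipUrl -OutFile $Zip -UseBasicParsing
    if (-not (Test-Sha256 -Path $Zip -Expected $ExpectedZip)) {
        Remove-Item -LiteralPath $Zip -Force -ErrorAction SilentlyContinue
        throw "sqlite.zip does not match the pinned SHA-256; refusing to extract or run it."
    }
}

# Always re-extract from the verified archive so a modified sqlite3.exe is overwritten before use
Expand-Archive -LiteralPath $Zip -DestinationPath $ToolRoot -Force

# From here on, call the verified binary through $Sqlite
& $Sqlite -version
```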
PowerShell script to get the browsing history of Internet Explorer
# Optional regex filter; an empty pattern matches every URL
$Search = ''
# Map HKEY_USERS so the loaded user hives can be browsed as a drive
$Null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS
# Keep only the hives that belong to user accounts (SIDs of the form S-1-5-21-...)
$Paths = Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue | Where-Object { $_.Name -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' }
ForEach ($Path in $Paths) {
    # Translate the SID into an account name
    $User = ([System.Security.Principal.SecurityIdentifier] $Path.PSChildName).Translate([System.Security.Principal.NTAccount]) | Select-Object -ExpandProperty Value
    $Path = $Path | Select-Object -ExpandProperty PSPath
    $UserPath = "$Path\Software\Microsoft\Internet Explorer\TypedURLs"
    if (-not (Test-Path -Path $UserPath)) {
        Write-Verbose "[!] Could not find IE History for SID: $Path"
    }
    else {
        Get-Item -Path $UserPath -ErrorAction SilentlyContinue | ForEach-Object {
            $Key = $_
            $Key.GetValueNames() | ForEach-Object {
                $Value = $Key.GetValue($_)
                if ($Value -match $Search) {
                    New-Object -TypeName PSObject -Property @{
                        # Report the account resolved from the SID above
                        User = $User
                        Browser = 'IE'
                        DataType = 'History'
                        Data = $Value
                    }
                }
            }
        }
    }
}
Notes:
It is recommended to manually validate the script execution on a system before executing the action in bulk.
Hexnode will not be responsible for any damage/loss to the system caused by the behavior of the script.