Spent a few hours today debugging why Chrome was closing immediately after opening on my work laptop. I had previously shut down Windows (10.0.19044.3693), but did not complete it after prompts for closing applications. I use Chrome at work, but Firefox for personal computers.
I could use another browser, but I have a lot of tabs (most of them suspended). I use Session Buddy to back up my session.
I checked the Application Logs in Event Viewer:
[1824:17892:0108/172754.060:WARNING:remote_commands_service.cc(221)] Client is not registered.
When I opened Chrome in Incognito mode, I could get a browser window that would stay open. When I opened Chrome normally, I would get a User Account Control (UAC) prompt noting that Google Chrome Updater.exe is asking for elevated permissions.
This seemed suspicious, so I ran a Malwarebytes scan, which came back negative. I am usually cautious about running anything suspicious on my host machine and run security-related applications through VMs, containers, or sandboxes.
Googling this and "chrome closes immediately after opening" did not yield any helpful results.
Since Incognito mode was working, I suspected it could be an extension causing an issue. I ran Chrome with extensions disabled:
"%ProgramFiles%\Google\Chrome\Application\chrome.exe" --disable-extensions
This resulted in the same open and close.
It's worth noting that I had the UAC set at the highest level. This prevents me from doing anything but accepting the prompt.
I could keep using Chrome if I ignored the prompt by setting to the following level:
This is no way to live.
Uninstall/Re-install
I don't know what version of Chrome I had before reinstalling. The current version is 120.0.6099.200. I tried uninstalling and re-installing Chrome. I also deleted the existing folders and renamed my user profile:
Rename-Item -Path "C:\Users\jtong\AppData\Local\Google\Chrome\User Data" "User Data Backup"
No dice, and now Incognito browsers also close after opening. The profile data is not what was causing the issue.
Diving Deeper
I decided to see what was trying to run in an elevated context and why the publisher is Unknown. The Show more details option yields:
OK, I check C:\Users\jtong\AppData\Roaming\Microsoft\Windows\Dependencies, but don't find Google Chrome Updater.exe; instead I see System Runtime Monitor.exe. I submit this to VirusTotal and I get these results.
No good, but not terrible. Interesting that Windows Defender hasn't flagged this and the scans came in clean.
I delete this file and keep an eye on the directory. It looks like Google Chrome Updater.exe gets created, but once I click Yes, the file gets renamed to System Runtime Monitor.exe. This looks to be the Windows Defender System Guard Runtime Monitor that does this. Maybe it wraps around the existing executable and adds hooks (conjecture - could check hash of original file and renamed file).
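The hash comparison floated above, together with a signature check, as an added PowerShell example that is not part of the original post. It polls the directory shown in the UAC details and records each executable name it sees with its SHA-256 and Authenticode status; the default path and the 60-second window are assumptions to adjust.

```powershell
# Added example, not from the original post. Polls a directory and records the
# SHA-256 and Authenticode status of every executable name that appears, so a
# file created under one name and renamed to another can be compared afterwards.
param(
    # Assumption: the per-user directory from the UAC prompt details.
    [string]$Directory = "$env:APPDATA\Microsoft\Windows\Dependencies",
    # Assumption: how long to watch while Chrome is started and the prompt answered.
    [int]$Seconds = 60
)

$seen = @{}    # "name|hash" -> record, so each distinct sighting is logged once
$deadline = (Get-Date).AddSeconds($Seconds)

while ((Get-Date) -lt $deadline) {
    $files = Get-ChildItem -LiteralPath $Directory -Filter *.exe -File -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        try {
            $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
            $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName -ErrorAction Stop
        } catch {
            continue   # file was locked, renamed or removed mid-read; retry on the next pass
        }
        $key = "$($file.Name)|$hash"
        if (-not $seen.ContainsKey($key)) {
            $seen[$key] = [pscustomobject]@{
                FirstSeen = Get-Date
                Name      = $file.Name
                SHA256    = $hash
                Signature = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
                Signer    = $sig.SignerCertificate.Subject  # empty when the file is unsigned
            }
        }
    }
    Start-Sleep -Milliseconds 200
}

$records = $seen.Values | Sort-Object FirstSeen
$records | Format-Table -AutoSize

# The same hash under more than one name means a plain rename, not a wrapped or modified binary.
$records | Group-Object SHA256 |
    Where-Object { @($_.Group.Name | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object { "Same content under: $(($_.Group.Name | Select-Object -Unique) -join ', ')" }
```

A Signature value other than Valid, or a Signer that is not the vendor the file name claims, is the detail to record before deleting anything.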
I try running the Google Chrome Updater.exe in a non-admin command prompt and get "Access is denied." and the file is immediately removed. Hm...
What if Chrome is trying to update, but something is wrong with Google Chrome Updater.exe? It looks like Chrome or something is generating this file every time it tries to start. I start Chrome again and rename the Google Chrome Updater.exe to tmp.exe. I then use the latest version of cURL in its place. I click Yes to the prompt and Chrome opens... and doesn't close. Seems like Chrome shuts down if an error code is returned from the updater without wiping the flag that indicates it should update.
Takeaways
Chrome can get in a weird state for multiple reasons.
There is no signature validation of the expected updater that Chrome tries to execute.
Time for a new laptop.