A friend’s machine had the Google Chrome home page set to piesearch.com, but there was no homepage set in Settings.
Checking the Chrome shortcut in the Start Menu, we could see it had been modified, so we removed the piesearch parameter. Changing the shortcut needs administrative privileges because Chrome was installed to “All Users”.
That fixed the homepage, but searching in the omnibox now returned results from coldsearch.com, not Google, which had been set before.
When Settings was opened, it said this setting was set by the administrator and the default could not be changed.
I did a ProcMon trace and used the filter “Details contains coldsearch” to identify registry keys with the value coldsearch, but got no hits.
So I changed the ProcMon filter to:
- Process Name is Chrome.exe
- Result is Success
Then, using Tools | Summary in ProcMon, I could quickly identify the folders Chrome accessed files from.
We could see app settings loading from C:\Users\<Username>\AppData\Local\Google\Chrome
However, renaming this folder didn’t remove the search setting.
To find where the setting might be stored, I used SearchMyFiles (http://www.nirsoft.net/utils/search_my_files.html)
and limited the search to the folders found with ProcMon to speed it up.
This machine was not supposed to have any Group Policy settings, so I removed the Registry.pol file, which represents Local Machine Group Policy.
Using the tool here https://sdmsoftware.com/gpoguy/free-tools/library/registry-pol-viewer-utility/ we could view the .pol file (requires .NET 3.5; free registration is required to download).
With the Registry.pol file removed, Chrome was back to normal.
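A Registry.pol file can also be read with a short script before it is deleted, which leaves a record of exactly which policies it set. The parser below is an added example, not part of the original post; the sample bytes are constructed, using Chrome's DefaultSearchProvider* policy names and a placeholder URL, because the post does not list what the file contained.

```python
import struct

REG_SZ, REG_DWORD = 1, 4  # registry value type codes

def _wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, offset past NUL)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def _expect(buf, pos, ch):  # require UTF-16LE delimiter ch, return offset after it
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def parse_pol(buf):
    """Return [(key, value_name, type, data)] from Registry.pol (PReg) bytes."""
    if buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("not a version 1 PReg file")
    pos, out = 8, []
    while pos < len(buf):  # each record is [key;value;type;size;data]
        key, pos = _wstr(buf, _expect(buf, pos, "["))
        name, pos = _wstr(buf, _expect(buf, pos, ";"))
        pos = _expect(buf, pos, ";")
        rtype, = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        size, = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        raw = buf[pos:pos + size]
        pos = _expect(buf, pos + size, "]")
        data = (raw.decode("utf-16-le").rstrip("\x00") if rtype == REG_SZ
                else struct.unpack("<I", raw)[0] if rtype == REG_DWORD else raw)
        out.append((key, name, rtype, data))
    return out

def chrome_policies(entries):  # keep only values under the Chrome policy key
    return [e for e in entries if e[0].lower().startswith("software\\policies\\google\\chrome")]

def _entry(name, rtype, raw, key="Software\\Policies\\Google\\Chrome"):
    u = lambda s: s.encode("utf-16-le")  # helper for the constructed sample only
    return (u(f"[{key}\0;{name}\0;") + struct.pack("<I", rtype) + u(";")
            + struct.pack("<I", len(raw)) + u(";") + raw + u("]"))

SAMPLE = (b"PReg" + struct.pack("<I", 1)  # constructed sample, placeholder URL
          + _entry("DefaultSearchProviderEnabled", REG_DWORD, struct.pack("<I", 1))
          + _entry("DefaultSearchProviderSearchURL", REG_SZ,
                   "https://search.example/?q={searchTerms}\0".encode("utf-16-le")))
```

On a real machine, pass the bytes of the machine policy file (normally `%SystemRoot%\System32\GroupPolicy\Machine\Registry.pol`) to `parse_pol` and review what `chrome_policies` returns before removing the file.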
Finally we cleaned up the Mozilla Firefox directory settings by backing up, then deleting the files under C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles
Microsoft Edge had not been affected, and Internet Explorer settings modification had been blocked by Windows Defender.