The recent incident of malicious extensions in the Visual Studio Code Marketplace got me thinking about how to audit extensions across a large estate. This post includes a script to get installed extensions on a local or remote computer.
You’re probably aware of the recent discovery of malicious extensions in the VSCode Marketplace.
- ‘Theme Darcula dark’ – Described as “an attempt to improve Dracula colors consistency on VS Code,” this extension was used to steal basic information about the developer’s system…downloaded over 45,000 times
- ‘python-vscode’ – This extension was downloaded 1,384 times despite its empty description and uploader name of ‘testUseracc1111’. Analysis of its code showed that it is a C# shell injector that can execute code or commands on the victim’s machine.
VSCode extensions are installed in the user profile and do not appear in Configuration Manager or Intune inventory. Although Defender for Endpoint is able to centrally report on installed Edge browser extensions in the user profile, this does not extend to VSCode.
Enterprise reporting
The script below is just the first part of a solution to audit installed VSCode extensions. Suggestions to capture information across a large estate include:
- Use PoshRSJob or PSThreadJob to rapidly query online computers over the network
- Save the output to the local registry and use RegKeyToMOF to bring it into the Configuration Manager inventory
- Save the output to a file or registry key and upload to Log Analytics
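The collection step that any of these options would build on, as an added example rather than the author's Get-VSCodeExt script: it reads each extension's package.json under every local profile's .vscode\extensions folder. The function name, the `ProfileRoot` parameter and the `PC01` computer name are assumptions, and it does not query the Marketplace, so there is no install count.

```powershell
# Added example (not the author's script): inventory VS Code extensions
# for every user profile on the local machine.
function Get-VSCodeExtensionInventory {
    [CmdletBinding()]
    param(
        # Folder holding the user profiles; <SystemDrive>\Users is assumed.
        [string]$ProfileRoot = (Join-Path $env:SystemDrive 'Users')
    )

    # Layout: <profile>\.vscode\extensions\<publisher>.<name>-<version>\package.json
    # (.vscode-insiders and portable installs are not covered here.)
    $pattern = Join-Path $ProfileRoot '*\.vscode\extensions\*\package.json'

    foreach ($manifest in Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue) {
        try {
            $pkg = Get-Content -LiteralPath $manifest.FullName -Raw -ErrorAction Stop |
                ConvertFrom-Json
        }
        catch {
            # A damaged or unreadable manifest is worth a look, so report it.
            Write-Warning "Unreadable manifest: $($manifest.FullName)"
            continue
        }
        if (-not $pkg.publisher -or -not $pkg.name) { continue }

        # 'repository' is either a plain string or an object with a 'url' property.
        $source = if ($pkg.repository -is [string]) { $pkg.repository } else { $pkg.repository.url }

        $id = '{0}.{1}' -f $pkg.publisher, $pkg.name
        [pscustomobject]@{
            ComputerName   = $env:COMPUTERNAME
            UserProfile    = $manifest.Directory.Parent.Parent.Parent.Name
            ExtensionID    = $id
            Version        = $pkg.version
            PublisherId    = $pkg.publisher   # publisher ID, not the display name
            Path           = $manifest.DirectoryName
            MarketPlaceURL = "https://marketplace.visualstudio.com/items?itemName=$id"
            Source         = $source
            InstalledOn    = $manifest.Directory.CreationTime
        }
    }
}

# Local run:   Get-VSCodeExtensionInventory | Format-List
# Remote run (PC01 is a placeholder name, PowerShell remoting must be enabled):
#   Invoke-Command -ComputerName PC01 -ScriptBlock ${function:Get-VSCodeExtensionInventory}
```

Run it elevated so that profiles other than your own can be read; piping the objects to `Export-Csv` or `ConvertTo-Json` gives a file suitable for upload.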
Example script output
The VSCode extension script below is similar to the Chrome Extension script published some time ago.
This is what the output looks like:
C:\> Get-VSCodeExt

ExtensionID : eliostruyf.vscode-msgraph-autocomplete
Version : 1.2.0
Publisher : Elio Struyf
Path : c:/Users/gd/.vscode/extensions/eliostruyf.vscode-msgraph-autocomplete-1.2.0
MarketPlaceURL : https://marketplace.visualstudio.com/items?itemName=eliostruyf.vscode-msgraph-autocomplete
MarketPlaceInstalls : 4359
Source : https://github.com/estruyf/vscode-msgraph-autocomplete

ExtensionID : redhat.vscode-yaml
Version : 1.12.2
Publisher : Red Hat
Path : c:/Users/gd/.vscode/extensions/redhat.vscode-yaml-1.12.2
MarketPlaceURL : https://marketplace.visualstudio.com/items?itemName=redhat.vscode-yaml
MarketPlaceInstalls : 12120909
Source : https://github.com/redhat-developer/vscode-yaml.git
PowerShell Script
Get-VSCodeExts.ps1:
This article was originally posted on Write-Verbose.com