This post will describe, in great detail, what happens on a granular, network level when Chrome is run for the very first time.

When I launched Google Chrome for the first time (and let it sit for a minute), 32 requests were made, and 7.26 MB of data downloaded.

umair-akbar-ECyp5JjWkAAgG9i 2 - What happens when you launch Google Chrome for the first time?

The first call Chrome makes is to the googleapis domain. It passes my OS type, browser channel (Stable), and version (v76) along. The response is 32KB of flags, features, and more. Not clear what they all do (as many can’t be found in Chromium source) but some are fairly clear.

umair-akbar-ECyp5dZXUAA2lBo - What happens when you launch Google Chrome for the first time?

The next call appears to try and communicate with the Google accounts server (already trying to pair me with a profile?). This call is to https://accounts.google.com, for the /ListAccounts path. The endpoint responds with [“gaia.l.a.r”,[]], meaning no account was found (AFAIK).

Based on the following, I would expect a positive GAIA (Google Accounts and ID Administration) to return with my Google Email address. Since it didn’t, I’m suspect they failed to pair to me anything.

umair-akbar-ECyp531WkAAqsJ9 - What happens when you launch Google Chrome for the first time?

Chrome’s next call is to the http://clients2.google.com endpoint. It passes quite a few extension/app IDs over the wire. Google responds with an XML document pointing towards endpoints in the Web Store that need to be queried. You see those queries later in the session list.

umair-akbar-ECyp6KbXYAA U k - What happens when you launch Google Chrome for the first time?
umair-akbar-ECyp6IgWwAEQlD6 - What happens when you launch Google Chrome for the first time?

A brief tangent now; Chrome fires a request off to http://gstatic.com for some type of translation model. While the response isn’t easy to parse, it holds numerous language codes (as we’d expect in this instance):

umair-akbar-ECyp6hrX4AE USt?format=jpg&name=small - What happens when you launch Google Chrome for the first time?

Back to the extension/app IDs we were investigating earlier. Chrome now begins to issue requests for the corresponding CRX files. The first request is for the Google Drive extension. Honestly, this hardly qualifies as an extension IMHO. One line of JavaScript and a manifest file.

There are 9 extensions downloaded during the first-run. They’re mostly very small, and mainly related to Google Drive and Docs. Also an extension for YouTube, GMail, Chrome Cast, and Payments. Most of these can be seen on the /apps page in the browser itself.

umair-akbar-ECyp8c9WwAA1RbD - What happens when you launch Google Chrome for the first time?

The http://redirector.gvt1.com request is for Chrome Cast. It, for some reason, takes a different route than the other extensions. The same for their “craw” bits, which appear to be tied into Web Store Payments, judging by the locale files. I’m curious why these are served uniquely.

umair-akbar-ECyp80lXkAAyNqS - What happens when you launch Google Chrome for the first time?

I should note, http://redirector.gvt1.com doesn’t actually serve the extension bits. Instead, it does (as it’s name suggests) a redirection. The path to which it directs us is quite odd: /r3—sn-8xgp1vo-5uae.gvt1.com. This pattern looks familiar for some reason—not sure why.

The last thing we see related to these initial extensions is a verify request for each. IDs are sent over the wire, and googleapis responds with a bit of data to check integrity.

umair-akbar-ECyp9N4XkCAwN3X - What happens when you launch Google Chrome for the first time?

That appears to be all of the extension-related work. Next the browser made a call out to http://docs.google.com. Why? No idea. But it 302s to http://accounts.google.com—to the /ServiceLogin endpoint. A custom header appears to store a client_id, as well as a device_id.

umair-akbar-ECyp9fBWkAAm6Zd - What happens when you launch Google Chrome for the first time?

Next up is a request to Google’s /searchdomaincheck endpoint. It simply responds with ‘http://google.com‘. I assume this is asking where search data should go, by default.

umair-akbar-ECyp9wPXYAAA0Iu - What happens when you launch Google Chrome for the first time?

We now come to the very last call to http://clients2.google.com. At this point, it is confirming that none of the extensions need to be updated. What I find odd, though, is that the two which installed via redirector.* are recorded as ‘installedby=other’ instead of internal.

umair-akbar-ECyp F WsAA8ozB - What happens when you launch Google Chrome for the first time?

This wraps up the first-run experience for Google Chrome.

About the Author

USA

Umair Akbar | Cloud Engineer

Umair Akbar is a Senior Information Security Engineer with over 5 years of experience leading the development and daily management of InfoSec systems.

View All Articles