Have you ever experienced these frustrations on your Mac?
- An app appears in the menu bar but not in your login items.
- Safari redirects to adware sites or changes its homepage without your permission.
- Unknown processes consume CPU in the background.
Unfortunately, with these types of unexpected events, removing the app from login items isn’t enough to solve the problem. There are many underlying hidden components, and Apple doesn’t expose them in the typical macOS interface.
We’ll show how you can monitor and take action against these hidden login items to troubleshoot unique Mac problems.
Understanding the macOS Startup Routine
When you press the power button, your Mac boots up with a series of familiar events:
- You hear an audible startup sound (newer Macs don’t do this).
- The Apple logo appears along with the progress bar.
- You see the login screen appear when this completes (or the desktop if you have automatic login enabled).
Behind the scenes, macOS starts the launchd process. This is responsible for starting, stopping, and managing every other process, including the system and individual user accounts. The process is highly optimized and takes only a few moments.
To examine this yourself, open the Activity Monitor app, and choose View > All Processes. At the top, you’ll see two main processes: kernel_task and launchd, with their process IDs (PID) as 0 and 1.
This shows that launchd is the primary parent process when the system starts. It is also the last process to exit when the system shuts down.
The core responsibility of launchd is to launch other processes or jobs on a scheduled or on-demand basis. These come in two types: LaunchDaemons and LaunchAgents.
What Are LaunchDaemons and LaunchAgents?
LaunchDaemons typically run as root, regardless of whether a user is logged in or not. They cannot display information using the graphical user interface and affect the entire system.
For example, the locationd process detects the geographical location of the Mac, while bluetoothd process manages Bluetooth. The list of daemons lives in the following locations:
/System/Library/LaunchDaemonsfor native macOS processes
/Library/LaunchDaemonsfor installed third-party apps
LaunchAgents start when a user logs in. Unlike daemons, they can access the user interface and display information. For example, a calendar app can monitor the user’s calendar account for events and notify you when the event occurs. The list of agents lives in the following locations:
/Library/LaunchAgentsfor all user accounts
~/Library/LaunchAgentsfor a specific user account
/System/Library/LaunchAgentsfor macOS only
Before you log in, launchd runs services and other components specified in PLIST files from the LaunchDaemons folder. Once you’ve logged in, launchd will run services and components defined in PLIST files from the LaunchAgents folders. Those in /System/Library are all part of macOS and protected by System Integrity Protection.
The preference files follow the standard reverse domain naming system. It begins with the company name, followed by an application identifier, and ends with the property list file extension (.PLIST). For example, at.obdev.LittleSnitchHelper.plist is the helper file for the LittleSnitch app.
How to Catch LaunchDaemons and LaunchAgents
Unlike those in the System folder, the public LaunchDaemon and LaunchAgent folders are open to both legitimate and illegitimate apps. You can monitor these folders automatically with Folder Actions.
Open the AppleScript Editor app by searching for it in Spotlight. Click Preferences and choose General > Show Script menu in menu bar.
Click the Script Menu icon and choose Folder Actions > Enable Folder Actions. Then select Attach Script to Folder in that same menu.
A dialog box will pop up. From here, select add – new item alert.
Click OK to open a Finder window. Now select the user LaunchDaemon folder (listed above) and click Choose.
Repeat the above procedure for every LaunchAgents folder.
When done, open Finder and click Go > Go to Folder or press Shift + Cmd + G to open the navigation dialog box. Type ~/Library/LaunchAgents and click Go.
Right-click the LaunchAgents folder, and choose Services > Folder Actions Setup to bind the new item alert script to each folder.
In the dialog box that pops up, you’ll see the list of folders in the left column and script in the right column. If you don’t see any scripts, click the Plus button and add new item alert.scpt.
Consider Monitoring These Folders With Apps
If you’d like some additional options for alerts on these folders, you can try a few third-party tools.
EtreCheck is a macOS diagnostic tool that displays the load status of third-party LaunchDaemons and LaunchAgents, among other info. When you run EtreCheck, it collects a variety of information about your Mac and presents it in an easy-to-read report. It also has additional help options when dealing with adware, suspicious daemons and agents, unsigned files, and more.
Open EtreCheck and click Scan. This will take a few minutes, and once it’s done, you’ll see a full summary of your computer. This including major and minor issues, hardware specification, software compatibility issues, the status of LaunchDaemons and LaunchAgents, and more.
The app is free for the first five reports, then requires a $10 in-app purchase for continued use.
Lingon X is another tool that lets you start an app, a script, or run a command automatically on a schedule. It can also monitor all LaunchDaemons and LauchAgents folders in the background and show a notification when something changes. You can see all the items graphically and adjust them as needed.
This tool is free to try, and costs $15 for a full license.
How to Remove LaunchDaemons and LaunchAgents
The public /Library/LaunchAgents and /Library/LaunchDaemons folders are vulnerable to both legitimate and illegitimate apps. A legitimate app might use it for marketing, while illegal apps can use them to steal data and infect the system.
For adware and malware to be successful, they must persist in every user session. To do this, malware and adware authors create malicious code and put it in the LaunchAgent or LaunchDaemon folder. Every time your Mac starts, launchd will ensure that the malicious code runs automatically. Thankfully, security apps can help protect against this.
Use Mac Security Apps
The free KnockKnock works on the principle of persistence. It lists persistently installed apps and their components in a neat interface. Click the Scan button, and KnockKnock will scan all known locations where malware might be present.
The left pane contains the categories of persistent apps, with names and a brief description. Click on any group to display the items in the right pane. For example, click Launch Items in the left pane to view all the LaunchAgents and LaunchDaemons.
Each row gives detailed information about the app. This included signed or unsigned status, the path to the file, and antivirus scan results from VirusTotal.
Another free security app from Objective-See, BlockBlock continuously monitors persistence locations. The app runs in the background and shows you an alert whenever malware adds a persistent component to macOS.
Not every third-party PLIST file is malicious, though. They could come from anywhere, including:
- Components of installed apps
- Remnants of old apps you no longer use
- Leftovers from previous macOS upgrades
- Migration Assistant leftovers
- PUPs (potentially unwanted programs), adware, and malware.
You don’t want to delete any components of installed apps. However, it’s perfectly safe to remove the remnants of old apps and leftovers from previous macOS upgrades (unless you want to continue using those apps).
There’s no unique uninstall process for this—simply trash the PLIST file and reboot. Or you can cut and paste it to your desktop to have a copy and be on the safe side. Don’t delete any items from the System LaunchAgents or LaunchDaemons folders, as they’re required for macOS to run smoothly.
Stay Cautious of Launch Threats on Mac
If you follow these steps, then you’ll know about new threats ahead of time and can solve any problems. Adware and PUPs are rising in popularity, with new variants of malware coming up all the time.
Thankfully, macOS has plenty of ways to keep you safe.
The trick is to monitor these folders and run frequent diagnostic checks. If you’re in doubt, always Google the potentially malicious process names. But if you avoid the mistakes that infect your Mac with malware, you shouldn’t need to worry.