Over at Gordon’s Tech blog, the author has put together an extensive list of folders and files that apps utilize in order to start without the user’s knowledge. Although many legitimate apps do so, malware also uses these locations. Additionally, bits of old apps you deleted years ago can hang around and cause problems, so cleaning out periodically is a good idea.
Here’s Gordon’s list which, long and confusing as it is, is arguably incomplete because he doesn’t mention things like browser plugins:
- User Login Items (~/Library/Preferences/com.apple.loginitems.plist)
- ~/Library/LaunchDaemons
- ~/Library/LaunchAgents
- ~/.bash_profile
- /Library/LaunchDaemons
- /Library/LaunchAgents
- /Library/StartupItems
- /System/Library/LaunchDaemons/
- /System/Library/LaunchAgents
- /System/Library/StartupItems
- /Library/Preferences/loginwindow.plist can have Login Items that apply to all users
- /etc/profile
- /etc/mach_init.d/
- /etc/rc/ and /etc/rc.local - totally unsupported, and not created by default (but probably still work)
- Network/Library/LaunchDaemons, but I don’t know)?
- /etc/mach_init_per_login_session.d/ and /etc/mach_init_per_user.d/
- cron launched @reboot items (yes, cron is still there), this might even work for everyone’s crontabs
- /Library/Security/SecurityAgentPlugins that have been loaded by being listed in the proper spots in /etc/authorization
- /private/var/root/Library/Preferences/com.apple.loginwindow.plist, in the LoginHook key (runs as root, passed the username)
- MCX (WorkgroupManager) login hooks (runs as root, but passed the username)

Note: below this, network home directories are more reliably available, as is a connection to the WindowsServer.

- MenuBar items from ~/Library/Preferences/com.apple.systemuiserver.plist and /Library/Preferences/com.apple.systemuiserver.plist (+MCX added items)
- /Library/Preferences/loginwindow.plist, in the key (array of paths) AutoLaunchedApplicationDictionary (everyone gets this launched at login, runs as user) (+MCX added items)
- LoginItems (generally GUI items) ~/Library/Preferences/com.apple.loginitems.plist and possibly /Library/Preferences/com.apple.loginitems.plist (have not tried) (+MCX added items)
You can inspect each location by copying it to the clipboard, then opening a Finder window and tapping Shift+Cmd+G, before pasting in the location text. To edit any of the plists or config files mentioned in the list, you’ll need an app like TextWrangler, or Xcode (although beware that Xcode weighs in at several gigabytes of disk space).
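One way to script that inspection for the launchd directories and the LoginHook key from the list, as an added example (not code from Gordon’s post or from either tool mentioned here). The function names `scan` and `load_plist` and the `com.example.updater` sample job are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# launchd directories and the LoginHook plist named in the list above, written
# relative to a root prefix so a copied or mounted volume can be scanned too.
LAUNCHD_DIRS = ["Library/LaunchDaemons", "Library/LaunchAgents",
                "System/Library/LaunchDaemons", "System/Library/LaunchAgents"]
LOGIN_HOOK_PLIST = "private/var/root/Library/Preferences/com.apple.loginwindow.plist"

def load_plist(path):
    """Parse an XML or binary plist; None if missing, unreadable or not a dict."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return None
    return data if isinstance(data, dict) else None

def scan(root="/", home=None):
    """Return (plist path, label, command, run_at_load) per launchd job or login hook."""
    root = Path(root)
    dirs = [root / d for d in LAUNCHD_DIRS]
    if home:  # per-user ~/Library locations from the list
        dirs += [Path(home) / "Library/LaunchAgents", Path(home) / "Library/LaunchDaemons"]
    findings = []
    for d in dirs:
        for plist in sorted(d.glob("*.plist")):
            job = load_plist(plist)
            if job is None:  # report rather than skip: a broken plist deserves a look
                findings.append((str(plist), None, "UNREADABLE", False))
                continue
            # Prefer the full argv (ProgramArguments); fall back to Program.
            cmd = job.get("ProgramArguments") or [job.get("Program", "")]
            findings.append((str(plist), job.get("Label"),
                             " ".join(map(str, cmd)), bool(job.get("RunAtLoad"))))
    hook = (load_plist(root / LOGIN_HOOK_PLIST) or {}).get("LoginHook")
    if hook:
        findings.append((str(root / LOGIN_HOOK_PLIST), "LoginHook", str(hook), True))
    return findings

if __name__ == "__main__":
    # Constructed sample tree (not real system data) so the demo runs anywhere.
    with tempfile.TemporaryDirectory() as tmp:
        agents = Path(tmp) / "Library/LaunchAgents"
        agents.mkdir(parents=True)
        sample = {"Label": "com.example.updater", "RunAtLoad": True,
                  "ProgramArguments": ["/Users/Shared/updater", "--quiet"]}
        (agents / "com.example.updater.plist").write_bytes(plistlib.dumps(sample))
        for finding in scan(tmp):
            print(finding)
```

On a real Mac, `scan("/", home=Path.home())` covers the system and per-user launchd folders; reading the root LoginHook plist needs root privileges, otherwise that entry is silently absent.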
The list is messy and so extensive because of Apple’s 40-year Unix heritage, although Apple could rein in much of this mess via System Integrity Protection (SIP), introduced with El Capitan. Maybe they will in the next release of OS X.
Moving beyond Gordon’s analysis, two free apps can help begin to sort out the mess and discover what apps are attempting to run in the background of your Mac:
- KnockKnock: Malware installs itself persistently, to ensure it is automatically executed each time a computer is restarted. KnockKnock uncovers persistently installed software in order to generically reveal such malware.
- EtreCheck: EtreCheck is a free tool that explains what is going on inside your Macintosh. It consolidates information from over 50 different diagnostics tasks and displays it all on one concise report.
If you fancy undertaking a spring cleaning spree then be very careful and only delete things you know for sure you don’t want. The same applies to files – don’t delete if (a) you don’t know what you’re doing, and (b) you’re not sure if the entry in the list is something you definitely don’t need.