35

I work as an admin in a college environment. One of the challenges is stopping the services installed by students with a CS major. Some time back they got admin access and installed launch agents and daemons on some systems. The students have also added some plists such as com.apple.myprog.run. The problem is that these are not present in the LaunchAgents directory or in the LaunchDaemons directory.

So my question is how to find the path for these daemon services. The next step is how to stop them, since some of these could start again and again (based on certain flags).

bneely
Prashant

4 Answers

32

If you want to stop the item for this boot simply issue an unload command to launchd via launchctl. For a permanent fix add a disabled key into the plist with value true or delete/move the file to a folder where launchd will not scan it automatically.

  • `launchctl unload /System/Library/LaunchAgents/com.apple.AppStoreUpdateAgent.plist`

The man page for launchctl has nice documentation for controlling jobs. As for the general defeating of CS majors, you might also consider that they edited the existing Apple plists to make them do something you don't expect, so it will prove to be far easier to just reinstall the OS and migrate the user data back from a backup (paying particular attention to not re-install any plist files in the /System/Library, /Library space, and perhaps also auditing the ~/Library of admin users). Losing admin / root against someone who knows how to change the system is basically game over, and the defense (finding and disabling the changes) is very time consuming as opposed to the offense (reinstalling the system from a known good source and using configuration management tools to ensure changed files are detected).

bmike
  • the point is I don't know where the plist has been stored. I have searched in the LaunchAgents directory and I don't see the apps plist there. – Prashant Jan 17 '12 at 00:26
  • They can be anywhere. You could boot into safe mode and compare a launchctl list output to the normal boot list. mdfind will show you the files containing the rogue jobs (if they didn't exclude them from spotlight). You could also theoretically run fs_usage against launchd itself to track which files it read during boot, but again the logistics of getting fs_usage running that soon at boot combined with the fact that you still need to inspect each and every plist file means you have a lot of work cut out to "detect the changes and surgically remove them" as opposed to start clean. – bmike Jan 17 '12 at 00:35
  • If you really want to find every .plist on the system this will do it. It's a long list. `find / -type f -name "*.plist"` – afragen Jan 17 '12 at 02:37
  • `man launchctl` **unload** *In previous versions, this option would modify the configuration file. Now the state of the Disabled key is stored elsewhere on-disk.* ..( – Nakilon Sep 01 '15 at 12:33
  • @Nakilon Could you be precise about versions? Are you referring to the 10.11 overhaul of launchd or another "previous version"? – bmike Sep 01 '15 at 13:16
  • @bmike, I'm still on 10.9.4, and man page states: "Darwin 1 May, 2009" – Nakilon Sep 01 '15 at 17:51
  • You should be using `unload -w` instead of just `unload` if you want to preserve the changes. However, in Monterey, I am finding that even `unload -w` doesn't work. – CarriMegrabyan Aug 13 '22 at 23:16
  • Is this something you are finding? Even adding the `plist` file to `/var/db/com.apple.xpc.launchd` with correct syntax doesn't work. Is anybody else finding this? – CarriMegrabyan Aug 13 '22 at 23:20
  • Thanks @CarriMegrabyan for resurrecting this decade old question. I would support asking a newer version of this if you wanted to cover the latest OS and how it is different. – bmike Aug 13 '22 at 23:21
  • I already did. The OP doesn't mention a particular version of the OS, and a lot of people will come to this, so I thought it might be better to have one page where there is a correct answer to this question. But I will do what you suggested as well – CarriMegrabyan Aug 13 '22 at 23:23
28

The easiest way I've found to do this is

```
sudo launchctl list | grep "rough name of what you want to find"
sudo launchctl remove "label.of.the.file"
```
Oantby
  • Thanks, this is exactly what I wanted. How to delete the service after deleting the file! – chmac Apr 19 '18 at 17:06
  • What is the difference between `remove` and `unload -w`? I did try `unload -w` after disabling SIP, but it doesn't seem to be working. – CarriMegrabyan Aug 13 '22 at 23:09
  • @CarriMegrabyan `remove` operates by label. `unload` operates by file. `-w` on `unload` says, effectively, to make the change permanent (mark the list as disabled, so it won't be reloaded on restart). You explicitly note that you've disabled SIP for whatever you're trying to disable, but haven't stated what that is. If it's more involved, it's maybe worth a separate SE question. – Oantby Aug 14 '22 at 03:33
5

Try checking these locations:

/Users/your username/Library/LaunchAgents/

/Library/LaunchAgents/

/Library/LaunchDaemons/

/System/Library/LaunchAgents/

/System/Library/LaunchDaemons/

Cory T
4

You can do a "launchctl dumpstate" and it will show all the loaded services and the path to the startup .plist and contents.

You will probably want to run it through something like less as it dumps a lot of information.

silicontrip
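An added example, not taken from any of the posts above: a Python audit that combines the "find every .plist" idea from the comments with the standard locations listed in the answers. It parses each plist, keeps only those that look like launchd jobs, and flags jobs stored outside the scanned directories, `com.apple.*` labels outside `/System/Library`, and jobs set to start or restart automatically. The function names, flag names, the `org.example.backup` job and the sample paths are constructed for illustration; the `com.apple.*` check is a heuristic assumption, not an Apple rule.

```python
import os
import plistlib

# launchd's system-wide scan directories, as listed in the answers above.
STANDARD_DIRS = {"/Library/LaunchAgents", "/Library/LaunchDaemons",
                 "/System/Library/LaunchAgents", "/System/Library/LaunchDaemons"}

def audit_launchd_plists(root="/"):
    """Return {path relative to root: (label, flags)} for every job-like plist under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = "/" + os.path.relpath(dirpath, root).replace(os.sep, "/")
        parts = rel_dir.strip("/").split("/")
        per_user = (len(parts) == 4 and parts[0] == "Users"
                    and parts[2:] == ["Library", "LaunchAgents"])
        for name in (f for f in files if f.endswith(".plist")):
            try:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    job = plistlib.load(fh)  # reads XML and binary plists
            except Exception:
                continue  # unreadable, or not a valid plist
            # A launchd job needs a Label plus Program or ProgramArguments.
            if not (isinstance(job, dict) and "Label" in job
                    and ("Program" in job or "ProgramArguments" in job)):
                continue
            flags = []
            if rel_dir not in STANDARD_DIRS and not per_user:
                flags.append("outside-standard-dirs")
            # Heuristic (assumption): com.apple.* labels are expected under /System/Library.
            if str(job["Label"]).startswith("com.apple.") and parts[:2] != ["System", "Library"]:
                flags.append("apple-label-outside-system")
            if job.get("RunAtLoad") or job.get("KeepAlive"):
                flags.append("auto-start-or-restart")
            report[rel_dir + "/" + name] = (job["Label"], flags)
    return report

def build_sample_tree(root):
    """Constructed input: one job in a standard directory, one hidden elsewhere."""
    samples = {
        "Library/LaunchDaemons/org.example.backup.plist": {
            "Label": "org.example.backup", "ProgramArguments": ["/usr/local/bin/backup"]},
        "Users/Shared/.cache/run.plist": {
            "Label": "com.apple.myprog.run", "Program": "/Users/Shared/.cache/myprog",
            "RunAtLoad": True, "KeepAlive": True},
    }
    for rel, job in samples.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            plistlib.dump(job, fh)
```

On a real machine, call `audit_launchd_plists("/")` as root and review every entry whose flag list is not empty; `build_sample_tree` only exists to produce test input in a scratch directory.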