1. The LaunchDaemons folders contain items that will run as root, generally background processes.
   
   
2. The LaunchAgents folders contain jobs, called agent applications, that will run as a user or in the context of userland.
   
   
3. If your job needs to run even when no users are logged in, put it in /Library/LaunchDaemons.
   - If it is only useful when users are logged in, put it in /Library/LaunchAgents,
   or in the personal LaunchAgents directories of specific users.
   
   
4. Do not put your job in /System/Library, which is reserved for system-provided daemons.
   
   
5. Startup files are found in various locations, some are provided in the following tables.
   
   

Please be aware that many of the "old ways" of doing things are still supported, such as:

• /Library/StartupItems/
• /System/Library/StartupItems/
• /etc/rc.local
• /etc/mach_init.d/
• /etc/mach_init_per_login_session.d/
• /etc/mach_init_per_user.d/

1. See what NON-APPLE kernel extensions are being loaded in /System/Library/Extensions/,
   kextstat | grep -v apple
   Some examples of what you might find are listed below: com.subrosasoft.watcher = FileDefense from SubrosaSoft. at.obdev.KUC = Little Snitch, 1.x at.obdev.nke.LittleSnitch = Little Snitch, 2.x com.vmware.kext.vmx86 = vmWare, 1 of 4 com.vmware.kext.vmci = vmWare, 2 of 4 com.vmware.kext.vmioplug = vmWare, 3 of 4 com.vmware.kext.vmnet = vmWare, 4 of 4 com.macally.driver.ICEKey = Macally ICEKey keyboard. com.cisco.nke.ipsec = VPN client from Cisco. net.pocketmac.driver.BlackberryUSBDev = Blackberry USB iSync hack. org.openafs.filesystems.afs = OpenAFS client. com.AmbrosiaSW.AudioSupport = AudioHijack or WireTap. com.symantec.kext.SymEvent2 = Symantec AntiVirus, 1 of 2. com.Symantec.kext.SAVAPComm = Symantec AntiVirus, 2 of 2. com.sophos.kext.sav = Sophos Anti-Virus. com.bresink.driver.BRESINKx86Monitoring = Assorted tools from Marcel Bresink. com.airgrab.driver.AirGrabFirewallModule = Hawking HWUG1A (RT73) USB WiFi NIC EXAMPLE:
   - To STOP the kernel extension "com.bresink.driver.BRESINKx86Monitoring" do,
   sudo kextunload -b com.bresink.driver.BRESINKx86Monitoring
   
   - To prevent it from starting again on re-boot, move it OUT of StartupItems to your desktop.
   sudo mv /Library/StartupItems/BRESINKx86Monitoring ~/Desktop/
   
   and or move it OUT of /System/Library/Extensions/ to your desktop.
   Diablotin and or Lingon (see below) will disable them to.
   
   - See also: ls -asl /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ~/DownLoads
   
   

   ---

2. If your Mac will ONLY work in safe mode,
   you may have a bad kernel extension or the permissions are set wrong.
   
   
   • Make sure they are all OWNED by root and the GROUP is set to wheel.
     
     - Especially items NOT made by Apple like the BUG in the
     Lexar JumpDrive Secure II Plus USB Flash Drive installation software!!!
     
     Example fix below:
     sudo chown -R root /System/Library/Extensions/LexarFilterScheme.kext
     sudo chgrp -R wheel /System/Library/Extensions/LexarFilterScheme.kext
     
     See Bubba too...
     

     ---

   • To rebuild the kernel extensions, do:
     

   sudo rm /System/Library/Extensions.mkext
   sudo kextcache -k /System/Library/Extensions
   sudo reboot
   

   
   or try sudo touch /System/Library/Extensions, which Snow LEOpard likes more.
   - All will be rebuilt on next boot.
   
   See also:
   kextfind .
   

   ---

3. Learn to use and understand launchctl,
   to manage your Agents and Daemons in locations below (and above)!
   

   ~/Library/LaunchAgents         Per-user agents provided by the user.
   
   /Library/LaunchAgents          Per-user agents provided by the administrator.
   /Library/LaunchDaemons         System wide daemons provided by the administrator.
   /System/Library/LaunchAgents   Mac OS X Per-user agents.
   /System/Library/LaunchDaemons  Mac OS X System wide daemons.
   

   sudo launchctl help
sudo launchctl list |more
   
   So to see just a active service, we would do,
   sudo launchctl bslist |grep "A "
   (you will see a lot of services, not to worry)
   
   The three states a service can be in, they are:
   - active "A"
   - inactive "I"
   - on-demand "D"
   
   EXAMPLE:
   com.apple.SafariBookmarksSyncer.plist
   - Is in your ~/Library/LaunchAgents/ folder and used by Apple's MobileMe service to sync bookmarks between multiple computers, even if this feature is NOT used!!!
   
   * The *NEW* version of Lingon (see below) may help you get started.
   

   ---

   
   
4. Running system_profiler will show you the info much better then
   /etc/hostconfig (below).
   Running /usr/sbin/system_profiler SPHardwareDataType
   will give you a nice brief overview of the system.
   
   /usr/sbin/system_profiler SPStartupItemDataType, will list some startup items.
   /usr/sbin/system_profiler SPSoftwareDataType will list your OS version.
   /usr/sbin/system_profiler -listDataTypes for a complete list of what you can querry.
   
   The above is also avail via the GUI, open "/Applications/Utilities/System Profiler.app".
   
   NOTE: Good old Panther (10.3) /usr/sbin/AppleSystemProfiler -usage does it this way.
   

   ---

   
   
5. By default, you may be starting a few demons.
   PLEASE review your hostconfig file, more /etc/hostconfig .
   
   
6. To MANAGE a running service like AppleShare'ing (AFPSERVER=-YES-) do,
   sudo /sbin/SystemStarter stop AppleShare
   
   
7. You should know what services have the ABILTY to be started (apache etc.), via:
   sudo grep -r -e YES -e AUTOMATIC /System/Library/StartupItems
   
   
8. Now look for programs accessing the os via:
   sudo fs_usage -f filesys | grep -v iTerm | grep -v Finder | grep -v grep
   (add more to filter out known good services.)
   
   or to see just what iTunes is doing do:
   sudo fs_usage -f filesys | grep iTunes
   

1. Start by knowing what is in your:
   ls -asl /Library/StartupItems/
ls -asl /System/Library/StartupItems/
   
   
2. ls -asl /Library/LaunchDaemons/
   - Little Snitch etc are in here.
   
   
3. ls -asl /System/Library/LaunchDaemons/
   - You will see a LOT of items here. Trust me, use Lingon to see if and when they are started.
   

1. loginwindow searches this file (if exists) each time a user logs in.
   more ~/.MacOSX/environment.plist
   
2. - The below item is the SAME one located via the user accounts GUI preference pane.
   This is the MOST IMPORTANT LOCATION for USER stuff !!!!!:
   open ~/Library/Preferences/loginwindow.plist
   
   if binary convert to ASCII by doing,
   /usr/bin/plutil -convert xml1 ~/Library/Preferences/loginwindow.plist
   
   This is how the ClamXav Sentry is started:
   /usr/bin/grep ClamXavSentry ~/Library/Preferences/loginwindow.plist
   and again, if you can not read it, convert it to ASCII via,
   /usr/bin/plutil -convert xml1 ~/Library/Preferences/loginwindow.plist
   
   
3. The current "proper" way to start stuff is the:
   ls -asl ~/Library/LaunchAgents/
   folder.
   

1. ALWAYS start your mac in VERBOSE MODE,
   so you can see what it is doing behind the splash screen.
   sudo /usr/sbin/nvram boot-args="-v"
   
   
2. REDUCE the amount of stuff you need to analyze by doing a SAFE BOOT.
   Hold down the SHIFT key after the boot tone, or mod your nvRAM by
   sudo /usr/sbin/nvram boot-args="-x"
   then reboot.
   Now login via the user name of >console trick.
   
   

   ---

3. When was the last time you investigated what was in your TMPDIR, /private/var/folders/ folders ?
   Especially the "-Caches-" directory ... Many things "hide" here you know...
   cd $TMPDIR/../../ to find out more.
   
   Or better yet, use lynx for poke around a lot faster !
   
   /opt/local/bin/lynx $TMPDIR

   ---

4. Is cron doing something you do not know about ?
   rOOt: sudo crontab -l -u root
   Yourself: sudo crontab -l -u $USER
   ... now do this for ALL your user accounts!
   
   

- Ports Collection		How to install and use the Mac Ports Collection.

- Lynx				Via the Mac Ports Collection.		May be the MOST important tool of all !
- WaterRoof			http://www.hanynet.com/
- Little Snitch			http://www.obdev.at/
- Diablotin			http://s.sudre.free.fr/
- Leopard Cache Cleaner		http://www.northernsoftworks.com/	Has BOTH a Virus and rOOt Kit checker!
- Transmit			http://www.panic.com/			Best darn file transfer program out their !

All three below are from Peter Borg. 				http://homepage.mac.com/pgw3/		Now avail at Source Forge.
- Lingon			http://sourceforge.net/projects/lingon/files/
- Smultron			http://sourceforge.net/projects/smultron/files/
- Hallon			http://sourceforge.net/projects/hallon/files/

- iTerm				http://iterm.sourceforge.net/
- RCDefaultApp			http://www.rubicode.com/Software/	Fix broken mime types.
- AppCleaner			http://www.freemacsoft.net/		Better then AppZapper, free too.
- AppZapper			http://www.appzapper.com/
- Preferential Treatment	http://www.jonn8.com/			
- tcpFlow			Via the Mac Ports Collection.
- nMap				Via the Mac Ports Collection.
- TinkerTool System   		http://www.bresink.de/			Kick ass NFS tools too !!!
- Geek Tool			http://projects.tynsoe.org/
- Mac Pilot			http://www.koingosw.com/		Nice WiFi AirRadar tool.
- Cocktail      	      	http://www.maintain.se/			Cocktail, nice maintence tool like LCC.
- OnyX                		http://www.titanium.free.fr/		OnyX, nice maintence tool like LCC.
- Pacifist            	 	http://www.charlessoft.com/		
- Visage              		http://keakaj.com/
- Postfix Enabler     		http://www.cutedgesystems.com/
- HenWen			http://seiryu.home.comcast.net/
- nTop				Via the Mac Ports Collection.
- Carbon Copy Cloner		http://www.bombich.com/
- AppleJack			http://applejack.sourceforge.net/
- Printer Setup Repair		http://www.fixamacsoftware.com/		Fix Cups and free up a few gigs of space too.
- MPEG Streamclip		http://www.squared5.com/		Will need MPEG-2 codec from Apple.
- minicom			Via the Mac Ports Collection.		Terminal supports /dev/cu.Bluetooth-Modem and the KeySpan USB Adapter.
- Monolingual			http://monolingual.sourceforge.net/	Delocalizer like Leopard Cache Cleaner above.
- Gutenprint			http://gimp-print.sourceforge.net/
- Flip4Mac			http://www.telestream.net/		Play Windows .WMV Media files using QuickTime
- NTFS				http://www.paragon-software.com/	Read and Write NTFS partitions.
- OpenOffice			http://www.openoffice.org/		Better then MS Office, and FREE too !

- RipIt				http://ripitapp.com/			Need I say more ?
- Touch Copy			http://www.wideanglesoftware.com/	Best BackUp and RECOVER program for you iPhone or iPod.
- File Juicer			http://echoone.com/filejuicer/		Extract images from, PDF, PPT and flash cards.
- Better Zip			http://macitbetter.com/			Password protect zips, and a LOT more !

• Check for pending files here too, ls /Library/Updates/
  
• For detailed information see, Mac OS X Internals: A Systems Approach, by Amit Singh.
  
• And to get even more confused, see the Apple developer website.

  ---

• The very nice FREE app called "iStat Server", has a hidden precess that "phones home" every time we boot.
  - And yes, is started via /Library/LaunchDaemons/com.bjango.istatserver.plist
  - So lets do, strings "/Library/Application Support/iStat Server/iStatServer" |grep Updater, and see what we find...
  

  sudo /usr/libexec/StartupItemContext /usr/bin/open -a /Library/Application\ Support/iStat\ Server/iStat\ Server\ Updater.app/Contents/Resources/UpdateChecker.app
  
  /usr/bin/open -a /Library/Application\ Support/iStat\ Server/iStat\ Server\ Updater.app/Contents/Resources/UpdateChecker.app
  

  - Some may call this "UpdateChecker.app" Spyware....
  
  Lets investigate "UpdateChecker" some more...
  - Do a strings, and see what we can find...
  

  connectionWithRegisteredName:host
  http://bjango.com/istat/version.php
  /Library/Application Support/iStat Server/iStat Server Updater.app
  

  Bottom line ? Yup, its Spyware...