can't find script that runs at login???

Sumleilmus

macrumors member
Original poster
Nov 6, 2011
67
2
/
When I boot my MacBook Pro, I can see in the menu bar the name of a slow script running at login. However, when I look in System Preferences>Users>MyUser>login items, I see no such script or app. I have used Spotlight, EasyFind, and
Code:
$ find / "name_of_script"
.

None of these finds the script. How can I find the script and get rid of it, or find other code such as launchctl daemons (I really don't understand these, but I know they exist, if I called them by the right name) that could be causing this to happen?

I find nothing useful at /System/Library/LaunchDaemons or at /Library/LaunchDaemons

I'm especially puzzled by why I can't find the script or app whose name I can clearly see?

 
Last edited:

Weaselboy

Moderator
Staff member
Jan 23, 2005
30,312
10,048
California
Try looking in all these folders for launch items.

~/Library/LaunchAgents
/Library/LaunchAgents
/Library/LaunchDaemons
/Library/StartupItems

That ~ is your users folder. If you are not sure how to get there, just triple click the line below to select, then right click and in the Services menu select Reveal in Finder and that will open Finder to that folder.

Code:
~/Library/LaunchAgents
 

Partron22

macrumors 68030
Apr 13, 2011
2,565
756
Yes
Try looking in all these folders for launch items.

~/Library/LaunchAgents
/Library/LaunchAgents
/Library/LaunchDaemons
/Library/StartupItems
...
You'll likely want to look at the invisible files, those that start with a '.', too.
I use this little Applescript for that:
Code:
set buttonpressed to button returned of (display dialog "Show Hidden Files?" buttons {"Yes", "No"})
try
    if the buttonpressed is "No" then do shell script "defaults write com.apple.finder AppleShowAllFiles OFF"
    if the buttonpressed is "Yes" then do shell script "defaults write com.apple.finder AppleShowAllFiles ON"
    do shell script "killall Finder"
end try
 

Sumleilmus

macrumors member
Original poster
Nov 6, 2011
67
2
/
Weaselboy: nothing in any of those places

JohnDS: nothing in Console. I'm not sure about using a malware hunting tool. The script in question is one that I wrote long ago and saved as an app. It appears that it is still running at startup, or trying to run.

Partron22: thanks for the script, but I have Finder Services that do the same thing, probably based on the same or similar scripts. Using the GUI to look for hidden files in those locations only showed me some .DS files at the root of any given directory.
 
Last edited:

mag01

macrumors regular
Apr 10, 2011
148
41
Do any of these show any output?
Code:
sudo defaults read com.apple.loginwindow LoginHook
Code:
ls -la /Library/Security/SecurityAgentPlugins
Code:
defaults read loginwindow AutoLaunchedApplicationDictionary
defaults read /Library/Preferences/loginwindow AutoLaunchedApplicationDictionary
Code:
defaults read com.apple.loginitems
or
Code:
osascript -e 'tell application "System Events" to get the name of every login item'
Also you may try this nice app to view all such items in a consolidated manner: https://objective-see.com/products/knockknock.html
 
Last edited:
  • Like
Reactions: richard2

Sumleilmus

macrumors member
Original poster
Nov 6, 2011
67
2
/
Do any of these show any output?
Code:
sudo defaults read com.apple.loginwindow LoginHook
Code:
The domain/default pair of (com.apple.loginwindow, LoginHook) does not exist
Code:
ls -la /Library/Security/SecurityAgentPlugins
Code:
total 0
drwxr-xr-x  2 root  wheel   68 Nov 17 01:33 .
drwxr-xr-x  4 root  wheel  136 Feb 15 08:59 ..
Code:
defaults read loginwindow AutoLaunchedApplicationDictionary
Code:
The domain/default pair of (/Users/ruser/Library/Preferences/loginwindow, AutoLaunchedApplicationDictionary) does not exist
Code:
defaults read /Library/Preferences/loginwindow AutoLaunchedApplicationDictionary
Code:
2016-04-08 09:05:41.209 defaults[795:10205] 

The domain/default pair of (/Users/ruser/Library/Preferences/loginwindow, AutoLaunchedApplicationDictionary) does not exist
Code:
defaults read com.apple.loginitems
This shows a lot of output, the defaults for the login items listed in System Preferences>Users & Groups>Registered User>Login Items. One of them is an Apple Script (.app) that does a thing similar to the one that runs at login that I can't find. I have looked carefully at that script, and it has a different name. Could it be running at login and displaying another name owing to some corruption in its tiny dessicated heart?


Code:
osascript -e 'tell application "System Events" to get the name of every login item'
Code:
osascript: OpenScripting.framework - scripting addition "/Library/ScriptingAdditions/LCC Scroll Enhancer Loader.osax" cannot be used with the current OS because it has no OSAXHandlers entry in its Info.plist.
smcFanControl, Growl, SMARTReporter, Dropbox, Google Drive, OneDrive, AdobeResourceSynchronizer, DiskWarriorDaemonStarter, CCC User Agent, Unmt_Swink92W_n_WeDi_heard_n_RecoHDW
Also you may try this nice app to view all such items in a consolidated manner: https://objective-see.com/products/knockknock.html
If this just does what I just did, what would be the advantage?

Thank you very much for your suggestions.
 

mag01

macrumors regular
Apr 10, 2011
148
41
The Unmt_Swink92W_n_WeDi_heard_n_RecoHDW entry in your last output is suspicious. Also its name is similar (though not identical) to what's on that screenshot in your OP.
It should be also visible in the output of "defaults read com.apple.loginitems" for which you mentioned one suspicious item (which is probably the same thing).

If you try
Code:
osascript -e 'tell application "System Events" to get the properties of login item "Unmt_Swink92W_n_WeDi_heard_n_RecoHDW"'
it should show where is it launched from, if it's set as hidden (not visible in the regular view of login items in system preferences - if that's the case then it's even more suspicious) etc. Then try to examine what it is.

To delete it, you can use something like:
Code:
osascript -e 'tell application "System Events" to delete login item "Unmt_Swink92W_n_WeDi_heard_n_RecoHDW"'
 
Last edited:
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.