Hidden Launchd Process

I have a process on my computer which keeps logging to the system.

May  2 19:50:06 laptop com.apple.xpc.launchd[1] (com.coconut-flavour.coconutBattery-Helper[23430]): Could not find and/or execute program specified by service: 155: Refusing to execute/trust quarantined program/file: com.coconut-flavour.coconutBattery-Helper

I cannot figure out where the process is located.

What I have tried:

sudo launchctl list | grep com.coc

sudo find / -iname com.coconut-flavour.coconutBattery-Helper

I have also tried sampling and finding the process in the launchd service in Activity Monitor.

It does not seem to exist. Anyone know what could be going on?

Best Answer

Forgive my absence and untimely response. Okay, let's take this to the next level.

Let's attempt to locate either coconutBattery or Sparkle, a dependent, apparently. Do you find a 'coconutBattery.app' in /Applications, or any similar app?

sudo find /Applications -iname "*coconut*" -print    
sudo find /Applications -iname "*sparkle*" -print

Is there a relevant package receipt in the package utility?

sudo pkgutil --pkgs | grep -i coconut
sudo pkgutil --pkgs | grep -i sparkle

A brute method to find plists, preference files:

sudo grep -l -i "coconut" -r /System/Library/
sudo grep -l -i "sparkle" -r /System/Library/
sudo grep -l -i "coconut" -r /Library/
sudo grep -l -i "sparkle" -r /Library/

sudo grep -l -i "sparkle" -r /private/var/
sudo grep -l -i "sparkle" -r /private/etc/
sudo grep -l -i "coconut" -r /private/var/
sudo grep -l -i "coconut" -r /private/etc/

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Interesting situation.

First, let us determine in what user-context the service is running: login user, or root. I suspect that the service might be running in the login user context, which would explain why you will not find it by running 'launchctl list' as root ( via sudo ). A quick check:

launchctl list | grep -i "com.coco"

Avoid prepending 'sudo' to the launchctl command.

Also, the process id is reported in the syslog messages -- found within the block brackets [ ].

com.coconut-flavour.coconutBattery-Helper[23430]

The PID is 23430, in that example. I suggest using a ps like this:

ps -wwwAxo pid,ppid,state,%mem,%cpu,command | grep -i coco

Or grep the PID you discover from the syslog like this:

ps -wwwAxo pid,ppid,state,%mem,%cpu,command | grep 23430

If my hunch is correct, and it is under your login user's context that the service runs, then locate the offending plist in something like:

/Users/[your login user's short name]/Library/LaunchAgents

A quick-and-dirty method:

grep -r -i "coco" ~/Library/LaunchAgents/

This should identify the offending sneak. If not, please let me know and we will then take the hunt to the next level.
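
The steps in the answer above, combined into one script as an added example that is not part of the original thread: it pulls the label and PID out of the launchd log line and lists the plists that mention the label. The function names are hypothetical, and /Library/LaunchAgents and /Library/LaunchDaemons are assumed search locations in addition to the per-user directory the answer names.

```shell
#!/bin/sh
# Added example (not from the original thread): turn a launchd syslog line
# into a label and PID, then list the plists that mention that label.

# The log line quoted in the question, reused here as sample input.
SAMPLE_LINE='May  2 19:50:06 laptop com.apple.xpc.launchd[1] (com.coconut-flavour.coconutBattery-Helper[23430]): Could not find and/or execute program specified by service: 155: Refusing to execute/trust quarantined program/file: com.coconut-flavour.coconutBattery-Helper'

# Print "<label> <pid>" for the "(label[pid])" field; return 1 if absent.
parse_launchd_line() {
    parsed=$(printf '%s\n' "$1" |
        sed -n 's/^.*(\([^][()]*\)\[\([0-9][0-9]*\)]).*$/\1 \2/p')
    [ -n "$parsed" ] || return 1
    printf '%s\n' "$parsed"
}

# List *.plist files under the given directories that mention the label.
# -F treats the label literally (its dots are not wildcards); -i and -l
# mirror the grep -l -i searches in the answer.
find_plists_for_label() {
    label=$1
    shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name '*.plist' \
            -exec grep -liF -- "$label" {} + 2>/dev/null || true
    done
}

# Hypothetical driver: per-user agents first, then the system-wide domains.
hunt_service() {
    fields=$(parse_launchd_line "$1") || return 1
    label=${fields% *}
    pid=${fields##* }
    echo "label=$label pid=$pid"
    # The message says the program could not be executed, so this PID may
    # already be gone; the fallback line covers that case.
    ps -p "$pid" -o pid,ppid,command 2>/dev/null ||
        echo "PID $pid is not running"
    find_plists_for_label "$label" "$HOME/Library/LaunchAgents" \
        /Library/LaunchAgents /Library/LaunchDaemons
}

hunt_service "$SAMPLE_LINE"
```

Run it as the login user first, without sudo, for the same reason the answer gives for launchctl.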