MacOS – How to remove all traces of a kext

kernelkernel-extensionsmacosmojave

I am trying to fully remove a kernel extension which I installed by mistake, and I can't figure out how to remove it from the Disabled Software list. It appears in System Profiler and also in System Preferences security pane.

I have grepped /L/E and /S/L/E and /Library/StagedExtensions and the only result I find is in /System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist

kextutil can't find it:

# kextutil -b cn.com.bwstor.filesystems.enfs
Can't find extension with identifier cn.com.bwstor.filesystems.enfs

Apparently it's in the prelinked kernel:

$ grep -rni bwstor /System/Library/PrelinkedKernels/
Binary file /System/Library/PrelinkedKernels//prelinkedkernel matches
Binary file /System/Library/PrelinkedKernels//immutablekernel matches

So I try to rebuild like this:

# kextcache -system-prelinked-kernel
KernelCache ID: 589C15EF68C8CF9D1C456F8C5E809F74
#
# kextcache -prelinked-kernel
kxld[com.apple.kext.AMDRadeonX6000HWLibs]: The following symbols are unresolved for this kext:
kxld[com.apple.kext.AMDRadeonX6000HWLibs]:  AtiPowerPlayInterface::createPowerPlayServiceFor(PowerPlayCallbacks*)
Link failed (error code 5).
Prelink failed for com.apple.kext.AMDRadeonX6000HWLibs; omitting from prelinked kernel.
KernelCache ID: B8572AE0865E63FD3CE5E2A9014CEA6A

That error seems unrelated, but I get more details anyway:

# kextutil -b com.apple.kext.AMDRadeonX6000HWLibs
Disabling KextAudit: SIP is off
(kernel) kxld[com.apple.kext.AMDRadeonX6000HWLibs]: The following symbols are unresolved for this kext:
(kernel) kxld[com.apple.kext.AMDRadeonX6000HWLibs]:     __ZN21AtiPowerPlayInterface25createPowerPlayServiceForEP18PowerPlayCallbacks
(kernel) Can't load kext com.apple.kext.AMDRadeonX6000HWLibs - link failed.
(kernel) Failed to load executable for kext com.apple.kext.AMDRadeonX6000HWLibs.
(kernel) Kext com.apple.kext.AMDRadeonX6000HWLibs failed to load (0xdc008016).
(kernel) Failed to load kext com.apple.kext.AMDRadeonX6000HWLibs (error 0xdc008016).
Failed to load /System/Library/Extensions/AMDRadeonX6000HWServices.kext/Contents/PlugIns/AMDRadeonX6000HWLibs.kext - (libkern/kext) link error.
Check library declarations for your kext with kextlibs(8).
#
# kextlibs -undef-symbols /System/Library/Extensions/AMDRadeonX6000HWServices.kext/Contents/PlugIns/AMDRadeonX6000HWLibs.kext/
For all architectures:
    com.apple.iokit.IOPCIFamily = 2.9
    com.apple.kext.AMDRadeonX4000HWLibs = 1.0
    com.apple.kext.AMDRadeonX4030HWLibs = 1.0
    com.apple.kext.AMDRadeonX4050HWLibs = 1.0
    com.apple.kext.AMDRadeonX4070HWLibs = 1.0
    com.apple.kext.AMDRadeonX4100HWLibs = 1.0
    com.apple.kext.AMDRadeonX4200HWLibs = 1.0
    com.apple.kext.AMDRadeonX4300HWLibs = 1.0
    com.apple.kext.AMDRadeonX4400HWLibs = 1.0
    com.apple.kext.AMDRadeonX5000HWLibs = 1.0
    com.apple.kext.AMDRadeonX5100HWLibs = 1.0
    com.apple.kext.AMDRadeonX5400HWLibs = 1.0
    com.apple.kext.AMDRadeonX5700HWLibs = 1.0
    com.apple.kpi.iokit = 18.2
    com.apple.kpi.libkern = 18.2
    com.apple.kpi.mach = 18.2

For x86_64:
    Multiple symbols found among 1 libraries:
    com.apple.kext.AMDRadeonX5000HWLibs

I'm puzzled as to why rebuilding the kernel cache doesn't fix this. I'm running Mojave 10.14.3 on a MacPro6,1. I have SIP disabled and I'm using @goalque's patch to use an external Radeon Vega64 GPU.

Best Answer

The latter half of my question turned out to be a red herring. I ran the same grep on another system which has never had this driver installed and it also appears in the prelinked kernel there.

Anyway, the list of Disabled Software is stored in a SQLite database located at /private/var/db/SystemPolicyConfiguration/KextPolicy. This file is protected by SIP, so modifying it requires either disabling SIP or booting Recovery mode. In this case I deleted the entries with this command, and it takes effect immediately.

# sqlite3 /private/var/db/SystemPolicyConfiguration/KextPolicy

To see all the entries of approved and unapproved kexts:

SELECT * FROM kext_policy;

To delete:

DELETE FROM kext_policy WHERE team_id = 'JS776ETM39';

Related Solutions

MacOS – Unexpected error when installing OS update in OS X

The Console.app found in the Application -> Utilities folder (or Other folder in Launchpad) gives you access to the logs for the machine.

Under /var/log, the file named install.log (and any variants named install.log.x.bz2) will give you the information about the last install.

Note the files named install.log.x.bz2 are older versions of the same file created duting a process called rolled over when the file size of the current install.log file reaches 1000K

You need to search your install.log for the string "OSXUpd10.8.2Supp.pkg" which will give you an idea of what happened during your install.

Update: From your log file, it would appear that your have a Kernel Extension that is causing this issue. Either it has a permissions problem, or is somehow causing this annoying issue.

can you paste this line into Terminal, and post the results?

kextstat -kl | awk ' !/apple/ { print $6 $7 } '

Update 2: This would appear to be at least a trial and error solution. There are multiple threads on the Apple Support forums, from installing 10.8.2 to installing Xcode. Each one has different people each having issues with different kernel extensions that when removed resolved their issues.

I'm afraid I don't have any way to determine which of your kernel extensions is the cause; someone else may be able to shed more light. I would however expect the Virtual Box and Parallels extensions to be fine, not the least since I have them both also, but that this issue would be more widespread if they were the issue.

Finally: the manual for kextcache advises that using the touch command on /System/Library/Extensions/ forces the kext cache to be rebuilt. You could use this as a method to determine which kext is causing the issue by uninstaling each in turn, performing the cache update and checking the logs to see if the cache was updated successfully.

MacOS – MacBook updated to OS X Yosemite version 10.10 and experiencing problems with hard drive & iPhoto

Unsigned kexts are no longer allowed to run by default in Yosemite.

Solutions include...

upgrade to one of the [paid] NTFS apps that still work - Tuxera or Paragon
Requires you to fully uninstall NTFS-3G first
disable the Mac's kext policy - easiest way might be to install TRIM Enabler, which will do it for you [though I don't know if it would install with no SSD present, never tested]
or the long way - [this is untested, method from cindori, the makers of TRIM Enabler - it might only be for that app]
Boot your Mac in Recovery Mode by holding ⌘ Cmd R during boot
Open the Terminal from the menu bar
Run these commands, replacing YourDisk with the name of your Mac disk
- rm -rf /Volumes/YourDisk/System/Library/Extensions/IOAHCIFamily.kext
- cp -r /System/Library/Extensions/IOAHCIFamily.kext /Volumes/YourDisk/System/Library/Extensions/IOAHCIFamily.kext
- touch /Volumes/YourDisk/System/Library/Extensions
- kextcache -u /Volumes/YourDisk
Wait until it finishes (can take up to 1 min)

Best Answer

Related Solutions

MacOS – Unexpected error when installing OS update in OS X

MacOS – MacBook updated to OS X Yosemite version 10.10 and experiencing problems with hard drive & iPhoto

Related Question