OS X Yosemite: How to Find Non-Apple Extensions Lingering in Your Mac

_______________________

Don't worry, I don't know enough yet to make this how-to very complex. I'll be showing a very simple UNIX command, and then we're done.

First, you may be wondering: “What is a kernel extension?” This is code that extends the capability of the base kernel of an operating system. The kernel typically manages I/O requests, and in OS X, the file ends in “.kext.” In the past, kernel extensions that conflicted with the kernel code could cause a kernel panic—a fatal halt in the OS requiring a reboot.

I started thinking about that when the new MacBook showed up. I wondered what the differences would be between the kernel extensions on the MacBook and the Mac Pro. Back in 2014, when the Mac Pro arrived, I loaded it with a Time Machine archive from the previous iMac. In hindsight, I wish I hadn't done that. Instead, I should have started fresh from a factory installed version of Mavericks, which is what it shipped with, and then reloaded all my software and licences. I'll definitely do that with OS X 10.11.

In the course of my research, I learned:

  • Kernel extensions are generally stored in /System/Library/Extensions
  • Starting with Yosemite, kernel extensions must be code signed by the developer with Apple authorization or OS X won't load them.

Next, I discovered a nifty command line utility called kextstat that can be used to show which kernel extensions have been actually loaded by OS X at bootup. (No matter where they reside in the OS X file system.) Apple has its own kernel extensions, and the file name starts with “com.apple…” Third party extensions will start with, for example, “com.logitech…”

Getting a List and Making it Nice

In a terminal window, the following command will show you all the kernel extensions that are active. (The terminal app is found in /Applications/Utilities.)

kextstat -l

There will be lot from Apple, and those are all okay. If you want to see non-Apple extensions, you can pipe the list to the “grep -v” command. The -v option says, “show everything but those items that contain the string that follows.” For example:

kextstat -l | grep -v com.apple

If you want to write that list out to a text file for examination, enter, for example,

kextstat -l | grep -v com.apple > NonAppleKext.txt

Unless you specify a full path, that text file will go into the root of your home directory. In my case, (a simplified version of) the result showed only four non-Apple extensions.

com.intego.kext.VirusBarrierKPI (10.6.22) <5 4 1>
com.intego.kext.VirusBarrier.AppBarrierKPI (10.6.22) <5 4 1>
com.intego.iokit.VirusBarrierX6Service (10.6.22) <5 4 3 1>
com.logitech.manager.kernel.driver (3.30) <136 64 38 31 5 4 3>

I am still learning how to interpret the output of kextstat. It looks like the first number in parens is the version number, and that could well be a clue about whether one needs an update if there wasn't an automatic update process in place.

Without going into more detail, what I learned is that of all the extensions in my system, the only non-Apple ones that got loaded were the ones that I definitely want.

  1. The extensions needed for Intego Virus Barrier
  2. The extension needed for Logitech mice, keyboards, trackballs, etc. (I use a Logitech mouse.)

Summary

Without going to too much effort, the kextstat command can be used to show you which non-Apple kernel extensions to the OS have been loaded. If you see something that looks suspicious or out of date, even though it was signed and is active, you may want to investigate whether it's really required and contact the developer for guidance. 

Fun stuff!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

WIN an iPhone 16 Pro!