6 Replies Latest reply: Nov 26, 2009 10:28 AM by etresoft
JiminSF Level 1 Level 1 (0 points)
Yesterday I rebooted my system and immediately after logging in to a non-admin account, I was prompted for admin credentials by the loginwindow app to make a change to system preferences. I am very suspicious because I had not yet launched any apps at all. I had installed a couple of apps before the last reboot (Flash and Adium), but it does not appear that either was adding anything to the system preferences, let alone anything that would change them after the reboot, does anyone have any ideas what would cause this other than a hack? I'm new to OS X and the message about loginwindow changing my preferences was totally uninformative about what the actual change was and I can't seem to find any info about how to track this down this anywhere.

iMac 27 i7, Mac OS X (10.6.2), 16GB/2TB Model
  • etresoft Level 7 Level 7 (26,425 points)
    You haven't been hacked. Some programs prefer to install support files or login items in a user's account instead of in a system area. I think Adium does this. The only way to do this is to install the files when the application runs.
  • JiminSF Level 1 Level 1 (0 points)
    Thanks for the help & attention! Adium did not appear to be running at the time though, and the account was the same one that I had been logged into when I installed it in the first place. (And I think I may actually been asked for admin login credentials at install time.) Also, Adium is not set up as a login item on the machine. Is there some way to tell what system preferences were altered? And why would the requesting app show up as loginwindow rather than Adium if Adium were making the changes? Would it have created a one time login item that then removed itself or something?
  • etresoft Level 7 Level 7 (26,425 points)
    My explanation was mostly a guess. You can get more details if you run Console.app and look at the log files.
  • JiminSF Level 1 Level 1 (0 points)
    Yeah, I looked at them and found the following:

    Nov 25 17:14:05 X-iMac com.apple.SecurityServer25: UID 503 authenticated as user XXX (UID 501) for right 'system.preferences'
    Nov 25 17:14:05 X-iMac com.apple.SecurityServer25: Succeeded authorizing right 'system.preferences' by client '/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Resources/ SCHelper' for authorization created by '/System/Library/CoreServices/loginwindow.app'

    Unfortunately it doesn't tell me what preference change was actually being made or why - is there a an audit trail or log for what changes SCHelper is making somewhere?
  • JiminSF Level 1 Level 1 (0 points)
    Other thoughts - I also disconnected a USB drive just before this. Could that cause this? I also, strangely, had an odd experience during boot that I think was just before this (though it could also have been afterward) in which my Bluetooth Magic Mouse and Keyboard were not detected when first booting. It took a minute during load for the system to find them, one after the other, before boot proceeded. Would either of these involve login items or loginwindow scripts that would involve the loginwindow app changing system preferences?
  • etresoft Level 7 Level 7 (26,425 points)
    No. It's fine. You haven't been hacked by anyone other than perhaps Adobe.