Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Errant Kernel File In System Settings Login Items - Seek to resolve & DELETE.

Hello.


(I apologise for the elongated post, but the details seem necessary.)


To-day, 14 December 2022, I attempted to create a FREE protonmail account.  Creating the account was easy, which I ONLY DID as predicated on my ignorant assumption (did not even see the fine print) that I could download & employ protonmail “Bridge” to enable the account to download to (Apple) Mail version 16.0. 


But when I attempted to do that protonmail informed me that “Bridge” was only available to “paying” customers.  But I was rather "in" up to my waist at that point: Subsequent to downloading protonmail “Bridge” to the Applications folder (which I have since deleted) & what amounted to a failed attempt to get protonmail working for me seamlessly — macOS gave me “notifications” (which I have no screenshots of, nor memory of what the notification/s stated). That was when I decided that protonmail was useless to my purposes.  The "what & why’s" of that rationale are irrelevant to this post.


THE PROBLEM THAT REMAINED AFTER ALL THIS WAS CONSUMMATED is that I now have in System Settings a login item that was not previously there!  It was that ostensible kernel file that created additional “notification” that there was an “unexcutable” file attempting to do something (I do not truly know what) relative (I presume) to/for protonmail.


The kextload file is in Macintosh HD/sbin/kextload, which I hope the attached .png files well enough elaborate. “sbin” is an invisible folder & the “kextload” file cannot be deleted by any process I know. 


Insomuch as it was NOT there prior to to-day & by all appearances was related to the — albeit mistaken — install & attempt to utilise protonmail “Bridge” I should like to remove the file from my MBP.


IF ANY PERSON HAS SOLUTION TO THIS CONUNDRUM — & notably if the solution involves the Terminal App please, I beg you, provide very detail instructions.


Any reply will be appreciated, but a solution is sought.  Thank you, humbly.

—Robert Boren.






MacBook Pro

Posted on Dec 14, 2022 2:04 PM

Reply
Question marked as Best answer

Open Disk Utility with the flash drive plugged in. Here is one I have that is FAT32 which is cross-platform compatible with Mac, Windows and Linux. Be sure to click the view menu and select Show All Devices. Identify the flash drive on the left sidebar and expand if necessary to highlight the volume on the drive. In the info on the right you see it says MS-DOS (FAT32). You might also see FAT16 or ExFAT. Since they are FAT (File Allocation Table) they are all DOS / Windows compatible. The Mac can read / write FAT drives with no difficulty. Mac formats are HFS / HFS+ / JHFS+ or APFS.


If the disk shows NTFS then you should keep the Paragon NTFS software.



Posted on Dec 20, 2022 1:48 PM

Similar questions

2 replies
Question marked as Helpful

Dec 18, 2022 12:55 PM in response to RobertJBoren

In the last few macOS releases, Apple started giving users more control on what was loading on their Mac. This is part of their privacy improvements. It can be annoying at times as you'll receive several prompts when installing new software. Zoom for example requires asking about accessing the camera, microphone, Bluetooth, Screen Recording, and Accessibility.


Apple also prompts for any applications attempting to install a kernel or system extension which is a low-level bit of code that runs at the same security level as the operating system kernel. Software running at this ring zero level have unfettered access to everything and can bypass the operating system, read any portion of memory, overwrite any portion of memory, etc. Because a bug in such a bit of code could crash the entire operating system or a flaw could allow the operating system to be hijacked. Apple has blocked access to kernel extensions in newer macOS versions.


Ironically, this is why Windows users experienced those terrible BSOD - Blue Screens of Death. In earlier versions of Windows the graphics drivers were running at the kernel level and it was very common for a bug to crash the operating system. Microsoft has since moved graphics drivers to user space instead of kernel space and that has resulted in far fewer BSOD crashes. Most older security suites (anti-virus, firewall, etc.) used kernel extensions because Microsoft & Apple didn't provide them security features so they made their own. Apple has started kicking developers out of the kernel and offering them sandboxed limited access and adding in security related features they can use instead of trying to bypass the operating system and causing problems.


System extensions are still allowed but unlike kernel extensions they are sandboxed so they don't have full access. But still require your approval to install. In enterprise corporate environments we install a lot of security tools and there are ways to hide the prompts and answer them on behalf of the users. We don't want users to grow accustomed to allowing prompts. We want them to be suspicious and call the Help Desk if they see prompts. Therefore, we hide the prompts on our tools and whitelist the things we know about.


Immediately after a macOS upgrade new prompts may appear for existing already installed software. Such was the case with Ventura notifying about Login Items and Allow in the Background items.


The kextload entry appears to be some left over installation from long ago. You may have seen prompts relating to Proton Mail Bridge requesting access to several things. You then removed Proton Mail Bridge. But in looking at the Login Items screen, you noticed the kextload entry which was probably there a long time ago. It's only appearing because Apple added the Allow in the Background graphical interface to display those items. The items were always there but you had to use the Terminal to view them and mostly developers took care of these items. Knowing how developers are terrible at writing installation and removal code. It's likely you uninstalled something that left some remnants that point to the kextload because whatever kextload was loading was removed but there is still an entry pointing to it. Hence, the 'kextload' is listed without the subsequent instructions to load whatever kernel extension it did previously. Since Apple is blocking kernel extensions it never loaded.


Hopefully, that makes some sense. When you uninstalled something previously, perhaps a very long time ago, something was left behind that is only now showing itself due to Ventura making it appear in the Login Items screen. Previously, you wouldn't have seen it.


I analyzed that Proton Mail Bridge App and it's not doing anything that comes close to loading things in the background. It's a simple drag and drop to Applications type App. There's no extensions or anything else weird about it. The kextload entry is something else entirely.


Again, no worries, you can just ignore it and leave it disabled it won't do any harm what-so-ever.


I'll see if I can find out what might be causing that entry to appear and how to remove it but it's not well documented by Apple and Ventura is so new not many people have run across an errant Allow in the Background entry they can't remove. Most of them are in those LaunchAgents / LaunchDaemon and this is something different related to kernel extensions. The command kextload is technically depreciated, meaning it's still there but is expect to be removed and developers should be using kmutil instead. So another clue as to the age of whatever it was that created this entry.


I'll reply if I find something, but I am not so sure I will find a fix to remove that entry.

29 replies

Dec 17, 2022 5:40 PM in response to James Brickley

Hello, Mr. Brickley.


Thank you for the reply & sorry for my "delay".


Before I execute that process please, if you will, explain what is the objective of the Terminal command you have submitted — beyond what patently stated: That running the command will "list kernel extensions & system extensions"? Why do I need/want that list? Is that to define what kernel extension I can safely eliminate?


For as I indicated (in my elongated question initially): I am attempting to eliminate a (singular) kernel extension, which I believe was (if spuriously) installed by protonmail's "Bridge" download — being the "kextload" kernel extension, which was illustrated by the image files included. [ As was installed only after protonmail's "Bridge" was placed into the Applications folder on my MBP, which flagged unprecedented "Notifications", &c. ]


I mean no impoliteness, but I do not understand what utility will be achieved by having Terminal itemise the kernel & system extensions — when the objective is to eliminate the particular kernel extension defined. That is why I initially asked for detailed instructions. Could you please explain why would execute the process you indicated &, particularly: Will that process give me ability to eliminate the "kextload" kernel extension?


Thank you.


Dec 17, 2022 6:21 PM in response to RobertJBoren

Kextload is not a kernel extension it is an Apple command that loads extensions. It is also an older utility that has been depreciated in favor of the kmutil command. Regardless, it shows an unknown, I wished to see if it was listed in the output of those two commands which may shed some light on the actual extension in question.


It provides some detail about the kernel extension name, its current status, and with that we can better determine where it may reside in the flow of directories that manage kernel extensions. If you have any system extensions those will be listed as well.


The GUI won't show you everything while the command line shows much more detail.








Dec 17, 2022 7:12 PM in response to James Brickley

Thank you very much! That answer helped me understand what/why I am doing . . .

However, it returned, I think not enough, perhaps.

I copied the command exactly as you had written it above & Terminal showed this, which I copied of the entire screen:


Last login: Sat Dec 17 20:10:54 on console

The default interactive shell is now zsh.

To update your account to use zsh, please run `chsh -s /bin/zsh`.

For more details, please visit https://support.apple.com/kb/HT208050.

Roberts-MacBook-Pro-2:~ RobertJohnBoren$ kextstat | grep -v com.apple; systemextensionsctl list

Executing: /usr/bin/kmutil showloaded

No variant specified, falling back to release

Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>

  203    0 0xffffff7f97224000 0x3cff5    0x3cff5    com.paragon-software.filesystems.ntfs (23.0.15) 4D94E3D2-333E-3ED7-A03C-D82A3A7DFE2D <9 7 6 1>

0 extension(s)

Roberts-MacBook-Pro-2:~ RobertJohnBoren$ 








Dec 17, 2022 8:31 PM in response to RobertJBoren

Okay that's useful. It tells me it's not a kernel nor system extension.


Now take a look at what you have in these paths:


/Library/LaunchDaemons/

~/Library/LaunchDaemons/


/Library/LaunchAgents/

~/Library/LaunchAgents/


This is where most of the Background items will have an XML Plist file with instructions on how to load the item are located. Just need the list of files for each. Looking for anything that might hint at the KextLoad entry. I don't think it's Proton Mail Bridge, I just downloaded the bridge and analyzed it and it's not doing anything close to what we are seeing.


I would hazard a guess that this kextload entry is a left-over piece of junk that is rendered harmless because you are no longer loading it. But at this point we are looking to find the files responsible for that entry to appear so we can remove them and cleanup that kextload errant entry. It was likely a kernel extension for old software that you might have had way back prior to Monterey or Ventura and it's only surfaced to your attention because Ventura is alerting you to it.


So don't get worried about it because, one, you've disabled it, and two it probably wasn't working to begin with. We just have some references to whatever it was floating around.

Dec 17, 2022 8:35 PM in response to James Brickley

I'm doing my best. It seems, perhaps, images of the locations is most informative.

Ps. In my unfamiliarity with these processes I do not understand the distinction between either of the two lines of text indicating folder locations appertaining to the use of a tilde & without the tilde. Notwithstanding I went to the "Libraries" indicated by the image files uploaded.


Thank you for remaining with this Mr. Brickley.


/Library/LaunchDaemons/
~/Library/LaunchDaemons/

/Library/LaunchAgents/
~/Library/LaunchAgents/






Dec 17, 2022 8:50 PM in response to etresoft

Well, perhaps, thank you. I submit that if you do not understand what I am trying to do disadvising it may be out of place.


However, I am not (any longer) ignorantly, nor incautiously, attempting to delete that file. It appeared in "Start-up Items" quite unusually & directly following the nonsense with protonmail. As I noted above, it triggered unprecedented "Notifications" & system errors, which I came here to resolve. I mistook the file as an aberrant "insertion" that I ignorantly thought protonmail deposited. I understand that is not what had occurred.


As per Mr. Brickley's advices: "Kextload is not a kernel extension it is an Apple command that loads extensions." — & as per his last response [Dec 17, 2022 11:31 PM] it seems to have been generated due to some anomaly that I am trying to get to the bottom of & resolve.


Thank you for endeavouring to prevent me from doing some, perhaps, irreparable damage to my MBP.

Dec 17, 2022 9:04 PM in response to RobertJBoren

At this point you might be able to simply ignore that kextload entry as you have turned it off and it's not doing anything anyways. It seems whatever it was it was removed either by you or macOS during an upgrade and there's a leftover pointer somewhere referencing it.


I'll need to figure out where else to look as nothing is jumping out at me.

Have a good evening, I'll poke around in the morning and do some research.

Dec 17, 2022 9:19 PM in response to James Brickley

James Brickley wrote:

At this point you might be able to simply ignore that kextload entry as you have turned it off and it's not doing anything anyways. It seems whatever it was it was removed either by you or macOS during an upgrade and there's a leftover pointer somewhere referencing it.

I'll need to figure out where else to look as nothing is jumping out at me.
Have a good evening, I'll poke around in the morning and do some research.


I will ignore it, yes; especially as I have it turned off. If protonmail "provoked" macOS to cause kextload to manifest & load extensions, perhaps, what was "removed" (as you surmise) was the "Bridge" app that I downloaded from protonmail. Subsequent to the aberrant "Notifications" & the appearance of kextload in Login Items I deleted that app immediately, — if, also, because the "Bridge" app was inapplicable to what version of free (at no $ cost) protonmail I had begun to use. I deleted the e-mail account at protonmail I had presumed to utilise, as well. I have no connexion with protonmail any further.


PLEASE NOTE: I have downloaded no macOS upgrade since that episode with protonmail.


Thank you very much, again, Mr. Brickley. I am grateful for your involvement & any further input you may superadd to what you have helped with to-date. Good evening to you.


Dec 18, 2022 7:08 AM in response to RobertJBoren

RobertJBoren wrote:

Thank you for endeavouring to prevent me from doing some, perhaps, irreparable damage to my MBP.

You can't do any irreparable damage. The operating system itself is on a sealed, read-only volume. Your biggest risk is breaking your installation of Paragon NTFS.


The new Login Items user interface in macOS Ventura is proving to be worse than I had imagined.

Dec 18, 2022 10:14 AM in response to etresoft

etresoft wrote:
You can't do any irreparable damage. The operating system itself is on a sealed, read-only volume. Your biggest risk is breaking your installation of Paragon NTFS.

Thank you for your comments, etresoft.

I have long forgotten what Paragon NTFS was for, though I vaguely remember installing it at some point for a, heretofore, unremembered reason. Their website: https://www.paragon-software.com/us/home/ntfs-mac/ states: ". . . If you work on a Mac computer and need to read or write files from HDD, SSD or a flash drive formatted under Windows, you need Microsoft NTFS for Mac by Paragon Software. Write, edit, copy, move and delete files on Microsoft NTFS volumes from your Mac! Fast, seamless, easy to use. Mount, unmount, verify, format or set any of your Microsoft NTFS volumes as a startup drive." I do not seem ever to do this. My MBP interacts with no other computers or Microsoft drives; just personal macOS formatted peripherals.


Admittedly, I am an ostensible Luddite: Though I have installed the latest macOS Ventura 13.1 & will continue to update the machine — I use it, however, as simply as possible; as were I back on macOS El Capitan, or even Lion, — & rather wish I were . . .


The new Login Items user interface in macOS Ventura is proving to be worse than I had imagined.


I am afraid I do not understand what you mean by that comment.


Thank you for responding, however. Good day to you.


Dec 18, 2022 11:44 AM in response to RobertJBoren

RobertJBoren wrote:

I have long forgotten what Paragon NTFS was for, though I vaguely remember installing it at some point for a, heretofore, unremembered reason. Their website: https://www.paragon-software.com/us/home/ntfs-mac/ states: ". . . If you work on a Mac computer and need to read or write files from HDD, SSD or a flash drive formatted under Windows, you need Microsoft NTFS for Mac by Paragon Software. Write, edit, copy, move and delete files on Microsoft NTFS volumes from your Mac! Fast, seamless, easy to use. Mount, unmount, verify, format or set any of your Microsoft NTFS volumes as a startup drive." I do not seem ever to do this. My MBP interacts with no other computers or Microsoft drives; just personal macOS formatted peripherals.

Then you should probably uninstall it to avoid problems later on. See https://kb.paragon-software.com/article/4500


In the future, I recommend carefully reviewing any software before installing it. Make sure it works on your computer. Make sure you know how to uninstall it. Make sure you know who to contact if something goes wrong.


So far, you've simply been lucky. Paragon still uses a kernel extension. They have an uninstaller. They have a good product with good support. All those things are becoming increasingly rare. Next time, you'll likely be reinstalling the entire operating system.

The new Login Items user interface in macOS Ventura is proving to be worse than I had imagined.

I am afraid I do not understand what you mean by that comment.

It's a long story.

Errant Kernel File In System Settings Login Items - Seek to resolve & DELETE.

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.