Errant Kernel File In System Settings Login Items - Seek to resolve & DELETE.

In the last few macOS releases, Apple started giving users more control on what was loading on their Mac. This is part of their privacy improvements. It can be annoying at times as you'll receive several prompts when installing new software. Zoom for example requires asking about accessing the camera, microphone, Bluetooth, Screen Recording, and Accessibility.

Apple also prompts for any applications attempting to install a kernel or system extension which is a low-level bit of code that runs at the same security level as the operating system kernel. Software running at this ring zero level have unfettered access to everything and can bypass the operating system, read any portion of memory, overwrite any portion of memory, etc. Because a bug in such a bit of code could crash the entire operating system or a flaw could allow the operating system to be hijacked. Apple has blocked access to kernel extensions in newer macOS versions.

Ironically, this is why Windows users experienced those terrible BSOD - Blue Screens of Death. In earlier versions of Windows the graphics drivers were running at the kernel level and it was very common for a bug to crash the operating system. Microsoft has since moved graphics drivers to user space instead of kernel space and that has resulted in far fewer BSOD crashes. Most older security suites (anti-virus, firewall, etc.) used kernel extensions because Microsoft & Apple didn't provide them security features so they made their own. Apple has started kicking developers out of the kernel and offering them sandboxed limited access and adding in security related features they can use instead of trying to bypass the operating system and causing problems.

System extensions are still allowed but unlike kernel extensions they are sandboxed so they don't have full access. But still require your approval to install. In enterprise corporate environments we install a lot of security tools and there are ways to hide the prompts and answer them on behalf of the users. We don't want users to grow accustomed to allowing prompts. We want them to be suspicious and call the Help Desk if they see prompts. Therefore, we hide the prompts on our tools and whitelist the things we know about.

Immediately after a macOS upgrade new prompts may appear for existing already installed software. Such was the case with Ventura notifying about Login Items and Allow in the Background items.

The kextload entry appears to be some left over installation from long ago. You may have seen prompts relating to Proton Mail Bridge requesting access to several things. You then removed Proton Mail Bridge. But in looking at the Login Items screen, you noticed the kextload entry which was probably there a long time ago. It's only appearing because Apple added the Allow in the Background graphical interface to display those items. The items were always there but you had to use the Terminal to view them and mostly developers took care of these items. Knowing how developers are terrible at writing installation and removal code. It's likely you uninstalled something that left some remnants that point to the kextload because whatever kextload was loading was removed but there is still an entry pointing to it. Hence, the 'kextload' is listed without the subsequent instructions to load whatever kernel extension it did previously. Since Apple is blocking kernel extensions it never loaded.

Hopefully, that makes some sense. When you uninstalled something previously, perhaps a very long time ago, something was left behind that is only now showing itself due to Ventura making it appear in the Login Items screen. Previously, you wouldn't have seen it.

I analyzed that Proton Mail Bridge App and it's not doing anything that comes close to loading things in the background. It's a simple drag and drop to Applications type App. There's no extensions or anything else weird about it. The kextload entry is something else entirely.

Again, no worries, you can just ignore it and leave it disabled it won't do any harm what-so-ever.

I'll see if I can find out what might be causing that entry to appear and how to remove it but it's not well documented by Apple and Ventura is so new not many people have run across an errant Allow in the Background entry they can't remove. Most of them are in those LaunchAgents / LaunchDaemon and this is something different related to kernel extensions. The command kextload is technically depreciated, meaning it's still there but is expect to be removed and developers should be using kmutil instead. So another clue as to the age of whatever it was that created this entry.

I'll reply if I find something, but I am not so sure I will find a fix to remove that entry.

Okay that's useful. It tells me it's not a kernel nor system extension.

Now take a look at what you have in these paths:

/Library/LaunchDaemons/

~/Library/LaunchDaemons/

/Library/LaunchAgents/

~/Library/LaunchAgents/

This is where most of the Background items will have an XML Plist file with instructions on how to load the item are located. Just need the list of files for each. Looking for anything that might hint at the KextLoad entry. I don't think it's Proton Mail Bridge, I just downloaded the bridge and analyzed it and it's not doing anything close to what we are seeing.

I would hazard a guess that this kextload entry is a left-over piece of junk that is rendered harmless because you are no longer loading it. But at this point we are looking to find the files responsible for that entry to appear so we can remove them and cleanup that kextload errant entry. It was likely a kernel extension for old software that you might have had way back prior to Monterey or Ventura and it's only surfaced to your attention because Ventura is alerting you to it.

So don't get worried about it because, one, you've disabled it, and two it probably wasn't working to begin with. We just have some references to whatever it was floating around.

Open Terminal and run the following command:

kextstat | grep -v com.apple; systemextensionsctl list

Copy / Paste the results in reply. It will list any kernel extensions followed by system extensions.

Kextload is not a kernel extension it is an Apple command that loads extensions. It is also an older utility that has been depreciated in favor of the kmutil command. Regardless, it shows an unknown, I wished to see if it was listed in the output of those two commands which may shed some light on the actual extension in question.

It provides some detail about the kernel extension name, its current status, and with that we can better determine where it may reside in the flow of directories that manage kernel extensions. If you have any system extensions those will be listed as well.

The GUI won't show you everything while the command line shows much more detail.

Open Disk Utility with the flash drive plugged in. Here is one I have that is FAT32 which is cross-platform compatible with Mac, Windows and Linux. Be sure to click the view menu and select Show All Devices. Identify the flash drive on the left sidebar and expand if necessary to highlight the volume on the drive. In the info on the right you see it says MS-DOS (FAT32). You might also see FAT16 or ExFAT. Since they are FAT (File Allocation Table) they are all DOS / Windows compatible. The Mac can read / write FAT drives with no difficulty. Mac formats are HFS / HFS+ / JHFS+ or APFS.

If the disk shows NTFS then you should keep the Paragon NTFS software.

By a process of elimination we can move on.

Let's see what's in:

/Library/Extensions

~/Library/Extensions

/Library/StagedDriverExtensions

/Library/StagedExtensions

~/Library/Staging

At this point you might be able to simply ignore that kextload entry as you have turned it off and it's not doing anything anyways. It seems whatever it was it was removed either by you or macOS during an upgrade and there's a leftover pointer somewhere referencing it.

I'll need to figure out where else to look as nothing is jumping out at me.

Have a good evening, I'll poke around in the morning and do some research.