I found an app called "Open" in the list of login items - can anyone identify what it is?

OK, I had the same — an unidentified "open" item — so I did a bit of poking around. If you use Adobe software, this may be the answer:

These "Allow in the Background" items are stored in two places on your machine: /Library/LaunchAgents (for system stuff) and ~/Library/LaunchAgents (for per-user stuff).

The items themselves, the files in those two folders are plists: text files that give macOS a name for the item, and the location of the thing to actually execute. Bit like shortcuts or aliases. You can use Quicklook to see their contents easily, so you can step through each item in Finder, and see what that item actually does.

Most of them will have a path to a an app in your Applications folder, but (at least here), I found an item called com.adobe.ccxprocess.plist that calls on /usr/bin/open (albeit with a path to an Adobe app provided as a parameter).

Bit naughty/careless of Adobe in this case.

I copied that file to my desktop for safety, deleted it from the LaunchAgents folder, and a few minutes later that "open" item disappeared from the Allow...Background list.

Don't try removing the open file from /usr/bin - it's a system executable, used by lots of other things. And it's not the problem here. The issue is that something on your machine (and it's quite possibly something benign) is using the "open" executable/command to launch something else.

The chances are that this is something innocent. If you do want to track it down, you'll need to go through the items in your LaunchAgents folder to find which one is using "open" to launch something else. You can step through the items in that folder and use QuickLook (space bar) to preview the files; in them you'll see a bunch of XML stuff describing the type of launch agent, and one tag will give the executable name. Find the one that mentions "open blahblahblah" and that'll be the one to move/disable.

If in doubt, though, I'd ignore this issue: make sure your machine is fully updated so it's as secure as possible, and go about your day

schackbo wrote:

Thanks for the quick response. Interesting information. I appreciate it. I'll look into this further because I am curious as to which app would be responsible. Thanks again for pointing me in the right direction.

Unfortunately, Apple's new user interface in Ventura for this information is significantly lacking. There is another parameter on that "open" command that would be much more informative. But that information is not provided.

I can tell you that it is very unusual for malware to use this particular construct. Otherwise, it is not unusual, or wrong in any sense for an app to use the "open" command in this way. This is simply Apple picking and choosing from a number of very useful and informative pieces of information and giving you the only part that is useless.

Open is the command line utility to open things in the GUI from the command line.

What app you've installed that is calling it in a background process is not easy to determine. You installed some app to do something for you, and it is doing some part of it in the background, so does it really matter what is calling that utility?

This may appear to an Over Kill approach but worth consideration ?

Download the Application Etrecheck directly from the Developer.

This is a Diagnostic Tool that makes no changes to the computer.

➡️ It makes a coherent and readable inventory of both the Hardware and Software used on the computer 

The application is free or paid from added features. 

The Report will Not Reveal Any Personal Information. 

Post back the Full Report - copy and paste - >>>> using the Additional Text Icon ( 3rd Icon to last ) <<<<

Above is optional

We can have a look at the report for possible issues and may have possible suggestions to resolve the issues

Through process of elimination, I think the "open" entry you are looking for is that Family Tree Builder app.

EtreCheck works differently than Ventura's "Login Items" list. When EtreCheck sees an "open" entry, or anything similar in behaviour, it goes out and looks for the item that "open" is opening. It checks that file for a digital signature. If it finds one, then it will accept that and mark the launchd file as signed with a big smiley face, and move on to the next one. I guess Ventura isn't that clever. 😄

But anyway, since there is this difference in behaviour, I looked through some other recent EtreCheck reports that people have sent me so that I could see if any of your signed Symantec, Zoom, Microsoft, etc. apps are actually using the "open" mechanism. It doesn't look like they are.

So that leaves the Family Tree Builder app, which is a real odd duck. That plist configuration file does appear to be using "open", and a particularly unusual variant of it too. I double-checked EtreCheck's handling of this variant and EtreCheck seems to be doing it correctly. So I think you really have deleted the Family Tree Builder app. I can guess why. It is a Windows app. And I don't mean it is a Windows app ported to the Mac. It is literally a Windows app running under the WINE cross-platform Window app runner. Boy, that's bush league.

You can use EtreCheck's "clean up" feature in the Security page to remove the orphan launchd plist configuration file for Family Tree Builder and that will eliminate the problem.

I may have to change EtreCheck's handling of these things. I'm working on an update to better support people who are trying to track down mysterious pop-ups and dialogs from Ventura. Normally EtreCheck parses the "open" command and just treats it as running the underlying executable and essentially forgets that "open" was used. But that isn't going to work now because that's the only information you have. So when you search EtreCheck for "open", I need to be able to find any item that uses it.

<sigh>

When the Other Contributor and also Developer of the Etrecheck Application weights in on this Report, I tend to retreat from offering additional insights on the report.

They know much more than I, as to how the Application functions and reading the findings.

The more important thing is, there was a method to identify what maybe the source of this computer issue

Hi, I am having the same issue, I located the "open" file in "usr/bin" directory. I tried to delete it but there is no (move to bin) option. I have also tried to delete it using the command line rm -rf but I get (rm: open: Operation not permitted). I can not move the file, only copy it to another location which I do not think will help as this will not remove it from the list of login items. Apple tried to simplify MacOS Ventura but did a really bad job removing some sensible things like the -/+ options.

Hi, I am having the same issue, I located the "open" file in "usr/bin" directory. I tried to delete it but there is no (move to bin) option. I have also tried to delete it using the command line rm -rf but I get (rm: open: Operation not permitted). I can not move the file, only copy it to another location which I do not think will help as this will not remove it from the list of login items. Apple tried to simplify MacOS Ventura but did a really bad job removing some sensible things like the -/+ options.

You stated

"I copied that file to my desktop for safety, deleted it from the LaunchAgents folder, and a few minutes later that "open" item disappeared from the Allow...Background list. "

I checked the launchAgents folder and do not have the Adobe software. How can I see which software does this file belong to??

In Ventura, you can see a list of the login items via Settings > General > Login Items. Click that latter panel and it will show that list. You can select and remove [-] the Login Items. This panel also newly adds the list of applications allowed to run in the background. You can toggle these on or off, but they are not removable.

Also if an information ⓘ icon appears, it will open a Finder window with the item selected. You may then press the spacebar to see if Quick Look can expose that item's contents.