What is pairedDevices.xml in Login Items?

I started snooping around after reading some web pages on security and potentially dangerous software and processes. That journey led me to an article that mentioned examining

System -> Users & Groups -> Login Items


where I found two items:

pairedDevices.xml

apple-


Could anyone tell me what these are? I'm wondering what the yellow triangles mean in the far right column of the dialog. I'm wondering if these are malicious items.


I filtered my Console output by "pairedDevices" and got a few lines of log data, but I'm not sure how to interpret it.


Also, what is the "apple-" entry?


Thanks in advance,




iMac 27″, macOS 12.7

Posted on Jun 9, 2024 8:04 AM

10 replies

Jun 10, 2024 4:34 PM in response to vxiansheng

vxiansheng wrote:

I started snooping around after reading some web pages on security and potentially dangerous software and processes.

Bad idea. Those web pages are lying to you.

That journey led me to an article that mentioned examining
System -> Users & Groups -> Login Items

where I found two items:
pairedDevices.xml
apple-

Could anyone tell me what these are?

Nope. That particular part of the "Login Items" page lists those items (apps, files, folders, servers, etc.) that you have indicated that you want opened when you log in. This is a really old functionality in macOS.


The idea is these items are things that you specifically added, on purpose, so they are always open when you log in. Sometimes really old 3rd party apps can try to add items to this list using AppleScript. They really shouldn't do this, but it isn't malicious.

I'm wondering what the yellow triangles mean in the far right column of the dialog. I'm wondering if these are malicious items.

They aren't malicious. Maybe try clicking on the triangles. My guess is that these files don't exist. You can safely delete them.

I filtered my Console output by "pairedDevices" and got a few lines of log data, but I'm not sure how to interpret it.

Never look at Console output. Apple officially considers this "log noise". Sometimes people read those web pages, believe them, dig into this console output, and convince themselves that the North Koreans have hacked them.


I'm not exaggerating.


Jun 9, 2024 10:40 AM in response to vxiansheng

Has MDM been used? Was this Mac used in a Biz or School environment?


Configurations

A configuration is an XML profile or JSON-formatted file following a certain structure and consists of payloads that load settings and authorization information onto Apple devices. Configurations automate the configuration of settings, accounts, restrictions, and credentials. These files can be created by an MDM solution or Apple Configurator for Mac, or they can be created manually. Before organizations send a configuration to an Apple device, they must enroll the device in the MDM solution using an enrollment profile.


Yellow triangle means an issue connecting?

Jun 9, 2024 10:54 AM in response to BDAqua

If MDM means "metadata manager" then all I can offer is that I see that "top" displays "mds" and "mdworker" processes.


This Mac has only been used at home. However, I have used it "for work" such as logging in to company sites, joining videoconferences that were set up using corporate accounts and things like that.


But I have not really installed any 3rd party applications other than a few such as Proton VPN, EtreCheck, balenaEtcher, Adobe Reader, GIMP, LibreOffice, GNU emacs (not sure if I've omitted any). So I'm not sure how these might be related to the two entries in my "Login items."


I should say, I'm not sure which application would have written the "pairedDevices.xml" file. I'm really trying to determine if I have malware. I don't really see any suspicious processes running. And, my system performance seems much better since I uninstalled Google Chrome.


About the yellow triangle. I restarted my Mac. Now when I go to Users & Groups -> Login Items, and then hover the mouse over the yellow triangle, I see this text bubble:

"This item couldn't be found."



Jun 9, 2024 11:19 AM in response to BDAqua

The only work-related use of my iPhone was to install the Authenticator app. I also have Duo Mobile installed as it's required by my university alum email account. I could uninstall Authenticator as there is not even an account configured on it, and it hasn't been used in over a year.


I did forget to mention (apologies) that I disabled Siri earlier this morning. And I currently do not see any "mds" or "mdworker" processes or threads.


Over the past month I noticed (when I wake up early enough and it's quiet in the house) that my disk was going crazy almost "non-stop." And Apple Mail would take upwards of 25 minutes before I could even view the body of any email message.


Today I started searching and encountered some articles which mention syspolicyd as a typical culprit. That led me to other articles that finally led me to disable Siri. I also uninstalled everything Google (really I had only Chrome) and all its nefarious agents such as software update.


So, right now my system performance is quite good. I will check on Apple Mail (to see if somehow its performance problems were related to Siri, perhaps doing some indexing). I will shut it down and re-launch. But a more complete test will be when there is the typical flood of new emails on Monday morning.


