Q: mach_kernel document appeared

Did you move it from the root folder by mistake.

If so you can hide it again.

If you moved the original and didn't create a copy simply drag and drop back on your Macintosh HD.

Once you add it there, you can then run a Terminal command and hide the file.

This is definitely not the work of any kind of malware, but something very strange is going on.

It is normal for there to be an invisible file called mach_kernel at the root level of your hard drive, alongside the Applications and System folders. You cannot normally see it, but it should be there. There are a couple questions that spring to mind: do you still have a mach_kernel file there, and how did the item in your Documents folder get there?

To answer the first question, open the Terminal (found in the Utilities folder inside the Applications folder) and enter the following command:

ls -al /m*

The results should look something like this:

Hyperion:~ thomas$ ls -al /m*
-rw-r--r--@ 1 root  wheel  8244640 Jul 29 19:34 /mach_kernel

If you see that, you still have that file in its proper place. There's no immediate problem beyond figuring out how the one in your Documents folder got there. If you instead see something like this:

Hyperion:~ thomas$ ls -al /m*
ls: /m*: No such file or directory

...that means that the file has somehow been moved into the Documents folder, which could cause serious problems. If this is the case, you need to run the following command in the Terminal (preferably, copy and paste it):

sudo mv ~/Documents/mach_kernel /mach_kernel

Do not run that command if you already have a mach_kernel file at the root of your hard drive, according to the test above! Also do not be surprised when you are asked for your user password, and when nothing shows up when you type it. That is normal. This also means that you must be logged into an administrator account... if the user account in question is not an admin, which will result in the above command giving an error message, then post back for further instructions.

Once you're sure you've got the proper mach_kernel file where it's supposed to be, we can worry about the question of what happened.

Apparently one of the previous Apple OS updates caused this in some users. A following supplemental update fixed this. HOWEVER if you saw the file and moved it to your documents it would create a copy by Default.

So you should have the orignal in place anyway. It can't hurt to check.

in Terminal show hidden files.

To enable hidden files/folders in finder windows:

1. Open Finder
2. Open the Utilities folder
3. Open a terminal window
4. Copy and paste the following line in:defaults write com.apple.Finder AppleShowAllFiles YES
5. Press return
6. Now hold ‘alt’ on the keyboard and right click on the Finder icon
7. Click on Relaunch

Check to see the hidden file mach_kernel

if there all is good. Hide all the files again by repreating the command steps above but changing the YES to NO.

Relaunch Finder

Then get that pesky copy in your documents and delete.

The file was not in your Documents folder, and you just wrecked your operating system.

If you don't already have a current backup, back up all data, then reinstall the OS. You don't need to erase the startup volume, and you won't need your backup unless something goes wrong. If your Mac was upgraded from an older version of OS X, you’ll need the Apple ID and password you used to upgrade.

There are ways to back up a computer that isn't fully functional. Ask if you need guidance.

If you installed the Java runtime distributed by Apple and still need it, you'll have to reinstall it.

exact same thing down to the date.

going to try Thomas A Reed's suggestion tomorrow

I have three macbook pro's and admin around 30 macs at work and can confirm that on all macs with OSX 10.8.5 this document mach_kernel appeared suddenly.

I would recommend everyone NOT to delete this file, until you know for sure what this is. Might be a file that was hidden before and by some mistake got the wrong flags when implemented in the latest update.

Here some more useful information on this issue, just leave that file alone:

https://discussions.apple.com/thread/4965707?start=0&tstart=0

The answer you seek is posted earlier in the thread (by sabatica) please follow it.

As a follow-up, I found that after I installed the latest 10.8.5 supplemental update, I also had a visible mach_kernel file. It was NOT in my Documents folder, but at the root level of the hard drive where it should be (where the Applications and System folders are). There may be a flaw in that update that is causing this file to become visible for some people.

If this is what folks posting here are seeing, note that you should not change that file in any way! It simply needs to be hidden again. From an admin user account, enter the following command in the Terminal:

sudo chflags hidden /mach_kernel

Doing so will require your account password, and when you type it, note that it is normal for nothing to appear on the screen. This is a security feature of the sudo command. This command will simply re-set the "hidden" flag on the file to its original state.

I suspect that those who think that it is in the Documents folder are mistaken, and are seeing it at the root level of the hard drive and not in the Documents folder. Thus, the "sudo mv" command I posted earlier for moving the file back to where it belongs will not be necessary.

Yep, the file is where you say it is, but just not hidden, and if you nano it there is stuff in the file. Checked the man pages and that's a clean command. (I once read a forum in which everyone bashed one removed user who had issued a terminal command to wipe the hard drive...so I don't trust anyone unless it's been cross-checked.) That works. Thanks so much!

i had the same mach_kernel file show up on my hard drive today and i followed your steps, saw the file on the hard drive, hid the hidden items again and then put the mach_kernel file in my trash. i haven't deleted it yet, restarted or anything, but i followed your steps again before doing so to make sure that file showed in the hidden files and now i don't see it there. i tried moving it the one from the trash back to the hard drive and it says "The item "mach_kernel" can't be moved because "Machintosh HD" can't be modified. ...with the options of 'authenticate' or 'cancel'. HELP!!! not sure what to do now. nothing weird is going on yet, but like i said i haven't restarted my computer yet or anything else. i hope i haven't messed anything up. i'm afraid to test it though, before getting some advise from here.

I can second that this file showed after the 10.8.5 supplemental update. Thanks to your post I was able to hide the file again. Thank you.

Click on the Authenticate button. You'll be asked to enter your admin account password so the mach_kernel file can be moved back to the root of the drive. Use the Terminal command after that to hide it. Then open Disk Utility and run Repair Permissions on the startup drive as the kernel will likely need to have its permissions fixed.