Was this computer booted as "root" / how is this log possible?
Hi guys, I'm trying to interpret a brief boot log from "system.log". This is the entire log for that day / session. The scenario is my Macbook pro had a password-protected admin/login account. However, it appears someone in possession of my laptop managed to boot it up even though they did not have my password. The log looks like it only shows 16 seconds or so of activity and I don't see anything about a user account. And it doesn't look like any of the usual Apple programs were loaded - it's so brief. Any idea how this log can be possible ? Thank you!
Mar 29 15:41:55 localhost bootlog[0]: BOOT_TIME 1434483715 0 | |
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice: |
ASL Module "com.apple.AccountPolicyHelper" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice: |
ASL Module "com.apple.authd" sharing output destination "/var/log/asl" with ASL Module "com.apple.asl".
Output parameters from ASL Module "com.apple.asl" override any specified in ASL Module "com.apple.authd".
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice: |
ASL Module "com.apple.authd" sharing output destination "/var/log/system.log" with ASL Module "com.apple.asl".
Output parameters from ASL Module "com.apple.asl" override any specified in ASL Module "com.apple.authd".
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice: |
ASL Module "com.apple.authd" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice: |
ASL Module "com.apple.awdd" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice: |
ASL Module "com.apple.callhistory.asl.conf" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice: |
ASL Module "com.apple.cloudd" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice: |
ASL Module "com.apple.clouddocs" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice: |
ASL Module "com.apple.commerce.asl" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice: |
ASL Module "com.apple.CoreDuetAdmissionControl" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice: |
ASL Module "com.apple.eventmonitor" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice: |
ASL Module "com.apple.family.asl" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice: |
ASL Module "com.apple.ical" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice: |
ASL Module "com.apple.icloud.FindMyDevice" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice: |
ASL Module "com.apple.install" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice: |
ASL Module "com.apple.iokit.power" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice: |
ASL Module "com.apple.mail" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice: |
ASL Module "com.apple.MessageTracer" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice: |
ASL Module "com.apple.networking.symptoms" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:26 --- last message repeated 1 time --- |
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice: |
ASL Module "com.apple.performance" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice: |
ASL Module "com.apple.sandbox.telemetry" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice: |
ASL Module "com.apple.secinitd" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice: |
ASL Module "com.apple.securityd" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:26 --- last message repeated 6 times --- | |
Mar 29 15:42:23 localhost kernel[0]: Longterm timer threshold: 1000 ms | |
Mar 29 15:42:23 localhost kernel[0]: Darwin Kernel Version 14.3.0: Mon Mar 23 11:59:05 PDT 2015; root:xnu-2782.20.48~5/RELEASE_X86_64 | |
Mar 29 15:42:23 localhost kernel[0]: vm_page_bootstrap: 879991 free pages and 94857 wired pages | |
Mar 29 15:42:23 localhost kernel[0]: kext submap [0xffffff7f80a00000 - 0xffffff8000000000], kernel text [0xffffff8000200000 - 0xffffff8000a00000] | |
Mar 29 15:42:23 localhost kernel[0]: zone leak detection enabled | |
Mar 29 15:42:23 localhost kernel[0]: "vm_compressor_mode" is 4 | |
Mar 29 15:42:23 localhost kernel[0]: multiq scheduler config: deep-drain 0, urgent first 1, depth limit 4, band limit 127, sanity check 0 | |
Mar 29 15:42:23 localhost kernel[0]: standard timeslicing quantum is 10000 us | |
Mar 29 15:42:23 localhost kernel[0]: standard background quantum is 2500 us | |
Mar 29 15:42:23 localhost kernel[0]: mig_table_max_displ = 13 | |
Mar 29 15:42:23 localhost kernel[0]: AppleACPICPU: ProcessorId=0 LocalApicId=0 Enabled | |
Mar 29 15:42:23 localhost kernel[0]: AppleACPICPU: ProcessorId=1 LocalApicId=1 Enabled | |
Mar 29 15:42:23 localhost kernel[0]: calling mpo_policy_init for TMSafetyNet | |
Mar 29 15:42:23 localhost kernel[0]: Security policy loaded: Safety net for Time Machine (TMSafetyNet) | |
Mar 29 15:42:23 localhost kernel[0]: calling mpo_policy_init for AMFI | |
Mar 29 15:42:23 localhost kernel[0]: Security policy loaded: Apple Mobile File Integrity (AMFI) | |
Mar 29 15:42:23 localhost kernel[0]: calling mpo_policy_init for Sandbox | |
Mar 29 15:42:23 localhost kernel[0]: Security policy loaded: Seatbelt sandbox policy (Sandbox) | |
Mar 29 15:42:23 localhost kernel[0]: calling mpo_policy_init for Quarantine | |
Mar 29 15:42:23 localhost kernel[0]: Security policy loaded: Quarantine policy (Quarantine) | |
Mar 29 15:42:23 localhost kernel[0]: Copyright (c) 1982, 1986, 1989, 1991, 1993 | |
Mar 29 15:42:23 localhost kernel[0]: The Regents of the University of California. All rights reserved. | |
Mar 29 15:42:23 localhost kernel[0]: MAC Framework successfully initialized | |
Mar 29 15:42:23 localhost kernel[0]: using 16384 buffer headers and 10240 cluster IO buffer headers | |
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.oracle.java.Helper-Tool): Unknown key for string: SHAuthorizationRight | |
Mar 29 15:42:23 localhost kernel[0]: AppleKeyStore starting (BUILT: Mar 23 2015 11:37:46) | |
Mar 29 15:42:23 localhost kernel[0]: IOAPIC: Version 0x11 Vectors 64:87 | |
Mar 29 15:42:23 localhost kernel[0]: ACPI: sleep states S3 S4 S5 | |
Mar 29 15:42:23 localhost kernel[0]: pci (build 11:38:56 Mar 23 2015), flags 0xe3000, pfm64 (36 cpu) 0xf80000000, 0x80000000 | |
Mar 29 15:42:23 localhost kernel[0]: AppleIntelCPUPowerManagement: (built 11:31:44 Mar 23 2015) initialization complete | |
Mar 29 15:42:23 localhost kernel[0]: [ PCI configuration begin ] | |
Mar 29 15:42:23 localhost kernel[0]: console relocated to 0xf80010000 | |
Mar 29 15:42:23 localhost kernel[0]: [ PCI configuration end, bridges 6, devices 18 ] | |
Mar 29 15:42:23 localhost kernel[0]: NVEthernet::start - Built Mar 23 2015 11:36:34 | |
Mar 29 15:42:23 localhost kernel[0]: FireWire (OHCI) Lucent ID 5901 built-in now active, GUID 00264afffe0761ee; max speed s800. | |
Mar 29 15:42:23 localhost kernel[0]: USBMSC Identifier (non-unique): 000000009833 0x5ac 0x8403 0x9833, 2 | |
Mar 29 15:42:23 localhost kernel[0]: mcache: 2 CPU(s), 64 bytes CPU cache line size | |
Mar 29 15:42:23 localhost kernel[0]: mbinit: done [64 MB total pool size, (42/21) split] | |
Mar 29 15:42:23 localhost kernel[0]: rooting via boot-uuid from /chosen: BF2ADF5C-00BA-91F4-89BD-C35F9436ED0C | |
Mar 29 15:42:23 localhost kernel[0]: Waiting on <dict ID="0"><key>IOProviderClass</key><string ID="1">IOResources</string><key>IOResourceMatch</key><string ID="2">boot-uuid-media</string></dict> | |
Mar 29 15:42:23 localhost kernel[0]: com.apple.AppleFSCompressionTypeZlib kmod start | |
Mar 29 15:42:23 localhost kernel[0]: com.apple.AppleFSCompressionTypeDataless kmod start | |
Mar 29 15:42:23 localhost kernel[0]: com.apple.AppleFSCompressionTypeZlib load succeeded | |
Mar 29 15:42:23 localhost kernel[0]: com.apple.AppleFSCompressionTypeDataless load succeeded | |
Mar 29 15:42:23 localhost kernel[0]: AppleIntelCPUPowerManagementClient: ready | |
Mar 29 15:42:23 localhost kernel[0]: BTCOEXIST off | |
Mar 29 15:42:23 localhost kernel[0]: BRCM tunables: | |
Mar 29 15:42:23 localhost kernel[0]: pullmode[1] txringsize[ 256] txsendqsize[1024] reapmin[ 32] reapcount[ 128] | |
Mar 29 15:42:23 localhost kernel[0]: Got boot device = IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/SATA@B/AppleMCP79AHCI/PR T0@0/IOAHCIDevice@0/AppleAHCIDiskDriver/IOAHCIBlockStorageDevice/IOBlockStorageD river/FUJITSU MJA2250BH FFS G1 Media/IOGUIDPartitionScheme/Customer@2 | |
Mar 29 15:42:23 localhost kernel[0]: BSD root: disk0s2, major 1, minor 2 | |
Mar 29 15:42:23 localhost kernel[0]: hfs: mounted Macintosh HD on device root_device | |
Mar 29 15:42:23 localhost kernel[0]: VM Swap Subsystem is ON | |
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (org.macosforge.xquartz.privileged_startx): The TimeOut key is no longer respected. It never did anything anyway. | |
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.alf): The HideUntilCheckIn property is an architectural performance issue. Please transition away from it. | |
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.audio.coreaudiod): Unknown key for array: seatbelt-profiles | |
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.auditd): The TimeOut key is no longer respected. It never did anything anyway. | |
Mar 29 15:42:22 localhost hidd[93]: void __IOHIDPlugInLoadBundles(): Loaded 0 HID plugins | |
Mar 29 15:42:22 localhost watchdogd[54]: [watchdog_daemon] @( | wd_watchdog_open) - IOIteratorNext failed (kr=0) |
Mar 29 15:42:22 localhost watchdogd[54]: [watchdog_daemon] @( | wd_daemon_init) - could not initialize the hardware watchdog |
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.autofsd): This service is defined to be constantly running and is inherently inefficient. | |
Mar 29 15:42:22 localhost watchdogd[54]: [watchdog_daemon] @( | main) - cannot initialize the watchdog service |
Mar 29 15:42:22 localhost hidd[93]: IOHIDService compatibility thread running at priority 63 and schedule 2. | |
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.backupd-status): The HideUntilCheckIn property is an architectural performance issue. Please transition away from it. | |
Mar 29 15:42:22 localhost iconservicesagent[61]: iconservicesagent launched. | |
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.backupd.status.xpc): The HideUntilCheckIn property is an architectural performance issue. Please transition away from it. | |
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.bsd.dirhelper): The TimeOut key is no longer respected. It never did anything anyway. | |
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.cmio.AVCAssistant): ThrottleInterval set to zero. You're not that important. Ignoring. | |
Mar 29 15:42:22 localhost watchdogd[99]: [watchdog_daemon] @( | wd_watchdog_open) - IOIteratorNext failed (kr=0) |
Mar 29 15:42:23 localhost watchdogd[99]: [watchdog_daemon] @( | wd_daemon_init) - could not initialize the hardware watchdog |
Mar 29 15:42:23 localhost watchdogd[99]: [watchdog_daemon] @( | main) - cannot initialize the watchdog service |
Mar 29 15:42:22 localhost com.apple.SecurityServer[76]: Session 100000 created | |
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.cmio.IIDCVideoAssistant): ThrottleInterval set to zero. You're not that important. Ignoring. | |
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.cmio.VDCAssistant): ThrottleInterval set to zero. You're not that important. Ignoring. | |
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.configd): This service is defined to be constantly running and is inherently inefficient. | |
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.CoreRAID): The HideUntilCheckIn property is an architectural performance issue. Please transition away from it. | |
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.CoreRAID): The ServiceIPC key is no longer respected. Please remove it. | |
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.installd): This key does not do anything: OnDemand | |
Mar 29 15:42:23 localhost com.apple.xpc.launchd[1] (com.apple.watchdogd): Service only ran for 1 seconds. Pushing respawn out by 9 seconds. | |
Mar 29 15:42:23 localhost kernel[0]: IO80211Controller::dataLinkLayerAttachComplete(): adding AppleEFINVRAM notification | |
Mar 29 15:42:23 localhost kernel[0]: IO80211Interface::efiNVRAMPublished(): | |
Mar 29 15:42:23 localhost kernel[0]: bpfAttach len 64 dlt 12 | |
Mar 29 15:42:22 localhost wirelessproxd[70]: updateScanner - central is not powered on: 0 | |
Mar 29 15:42:23 localhost iconservicesagent[61]: Starting service with cache path: /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/com.apple.iconservices | |
Mar 29 15:42:25 localhost com.apple.xpc.launchd[1] (com.avast.daemon): This service is defined to be constantly running and is inherently inefficient. | |
Mar 29 15:42:25 localhost syslog[147]: ChmodBPF: Forcing creation and setting permissions for /dev/bpf* | |
Mar 29 15:42:25 localhost powerd[50]: Activity changes from 0xffff to 0x0. Assertions:1 HidState:0 | |
Mar 29 15:42:25 localhost com.apple.SecurityServer[76]: Entering service | |
Mar 29 15:42:26 localhost kernel[0]: IOGraphics flags 0x43 | |
Mar 29 15:42:26 localhost kernel[0]: IOBluetoothUSBDFU::probe | |
Mar 29 15:42:26 localhost kernel[0]: IOBluetoothUSBDFU::probe ProductID - 0x8213 FirmwareVersion - 0x0208 | |
Mar 29 15:42:26 localhost kernel[0]: **** [IOBluetoothHostControllerUSBTransport][start] -- completed -- result = TRUE -- 0x5000 **** | |
Mar 29 15:42:26 localhost kernel[0]: **** [BroadcomBluetoothHostControllerUSBTransport][start] -- Completed (matched on Device) -- 0x5000 **** | |
Mar 29 15:42:26 localhost kernel[0]: NVDAStartup: Official | |
Mar 29 15:42:26 localhost kernel[0]: NVDANV50HAL loaded and registered | |
Mar 29 15:42:26 localhost kernel[0]: [IOBluetoothHCIController][staticBluetoothTransportShowsUp] -- Received Bluetooth Controller register service notification -- 0x5000 | |
Mar 29 15:42:26 localhost kernel[0]: [IOBluetoothHCIController][start] -- completed | |
Mar 29 15:42:26 localhost kernel[0]: [IOBluetoothHCIController::setConfigState] calling registerService | |
Mar 29 15:42:26 localhost kernel[0]: **** [IOBluetoothHCIController][ProcessBluetoothTransportShowsUpActionWL] -- Connected to the transport successfully -- 0xfb00 -- 0x1800 -- 0x5000 **** | |
Mar 29 15:42:26 localhost opendirectoryd[69]: BUG in libdispatch: 14D136 - 2004 - 0x5 | |
Mar 29 15:42:26 localhost distnoted[97]: # distnote server daemon absolute time: 32.520141728 civil time: Tue | Mar 29 15:42:26 2015 pid: 97 uid: 241 root: yes |
Mar 29 15:42:26 localhost hidd[93]: ____IOHIDSessionScheduleAsync_block_invoke: thread_id=0x105e76000 | |
Mar 29 15:42:26 localhost hidd[93]: HID Session async scheduling initiated. | |
Mar 29 15:42:26 localhost hidd[93]: HID Session async root queue running at priority 63 and schedule 2. | |
Mar 29 15:42:26 localhost hidd[93]: HID Session async scheduling complete. | |
Mar 29 15:42:26 localhost hidd[93]: Successfully opened the IOHIDSession | |
Mar 29 15:42:26 localhost thermald[46]: Waiting for OSTT support notification | |
Mar 29 15:42:26 localhost com.apple.usbmuxd[75]: usbmuxd-344.6 on Mar 16 2015 at 23:31:17, running 64 bit | |
Mar 29 15:42:26 localhost kernel[0]: Waiting for DSMOS... | |
Mar 29 15:42:26 localhost kernel[0]: Previous shutdown cause: 5 | |
Mar 29 15:42:26 localhost kernel[0]: DSMOS has arrived | |
Mar 29 15:42:26 localhost loginwindow[89]: Login Window Application Started | |
Mar 29 15:42:26 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system): Service "com.apple.ManagedClient.startup" tried to hijack endpoint "com.apple.ManagedClient.agent" from owner: com.apple.ManagedClient | |
Mar 29 15:42:26 localhost digest-service[176]: label: default | |
Mar 29 15:42:26 localhost digest-service[176]: dbname: od:/Local/Default | |
Mar 29 15:42:26 localhost digest-service[176]: mkey_file: /var/db/krb5kdc/m-key | |
Mar 29 15:42:26 localhost digest-service[176]: acl_file: /var/db/krb5kdc/kadmind.acl | |
Mar 29 15:42:26 localhost UserEventAgent[41]: Captive: CNPluginHandler en1: Inactive | |
Mar 29 15:42:26 localhost UserEventAgent[41]: Failed to copy info dictionary for bundle /System/Library/UserEventPlugins/alfUIplugin.plugin | |
Mar 29 15:42:26 localhost com.avast.daemon[144]: Starting daemon. | |
Mar 29 15:42:26 localhost systemkeychain[158]: done file: /var/run/systemkeychaincheck.done | |
Mar 29 15:42:26 localhost com.apple.xpc.launchd[1] (com.apple.appkit.xpc.sandboxedServiceRunner): The JoinExistingSession key is only available to Application services. | |
Mar 29 15:42:26 localhost com.apple.xpc.launchd[1] (com.apple.lakitu): The JoinExistingSession key is only available to Application services. | |
Mar 29 15:42:26 localhost com.apple.xpc.launchd[1] (com.apple.accounts.dom): The _DirtyJetsamMemoryLimit key is not available on this platform. | |
Mar 29 15:42:26 localhost com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): The _DirtyJetsamMemoryLimit key is not available on this platform. | |
Mar 29 15:42:26 localhost iconservicesd[60]: iconservicesd launched. | |
Mar 29 15:42:26 localhost iconservicesd[60]: Cache path: /Library/Caches/com.apple.iconservices.store | |
Mar 29 15:42:26 localhost configd[49]: preference: no sharing preferences | |
Mar 29 15:42:27 localhost kernel[0]: 00000000 00000020 NVEthernet::setLinkStatus - not Active | |
Mar 29 15:42:27 localhost configd[49]: [bootp_transmit.c:213] bootp_transmit(): bpf_write(en0) failed: Network is down (50) | |
Mar 29 15:42:27 localhost configd[49]: DHCP en0: INIT transmit failed | |
Mar 29 15:42:27 localhost kernel[0]: 00000000 00000020 NVEthernet::setLinkStatus - not Active | |
Mar 29 15:42:27 localhost secinitd[174]: UID[0]: cache loaded: /System/Library/Caches/com.apple.app-sandbox-cache.plist |