Zombie System Extensions

I had a weird case today when an endpoint system extension remained running even after I deleted the .app bundle.


If I tried killing the process with "sudo kill -9 <pid>", the extension respawned.


If I tried "sudo launchctl remove <name>", I was told I didn't have privilege.


Searching my hard drive I found a copy of the system extension in /Macintosh HD/Library/System Extensions/...


I rebooted into recovery mode, deleted the extension bundle, and restarted. Everything initially looked fine. The process did not come back.


But then when I tried to re-build, re-package, re-install, and re-launch the application, the operating system complained that it could not find the system extension even though it was there in the .app bundle.


The operating system seems to (A) create a cache/copy of the system extension bundle, and (my guess) (B) maintains a link to that cache location somewhere and tries to launch that cached system extension bundle.


[my hacked solution was to rename the extension, including creating a new bundle ID and associated provisioning profile]



Has anyone encountered a system extension that would not die? Did you figure out how to kill it and clear out any caches of it?


Thanks,

Accepted Reply

As mentioned above, use systemextensionsctl to uninstall it. See man systemextensionsctl for all the info


First, list it to see that it's running

systemextensionsctl list


Then uninstall by copying the team ID and bundle ID and running this command, with those values replacing the placeholders below.

systemextensionsctl uninstall TEAMID BUNDLEID

  • ATTENTION! You have to be in recovery mode to successfully run this command. To switch to recovery mode follow these steps: 1) open Terminal and run shutdown -r now; 2) hold Command + R; 3) enter your password and open Terminal from the tabs above; 4) csrutil disable; 5) open Terminal and run shutdown -r now, don't press any button; 6) follow the steps in the accepted answer; 7) start from step 1 and enable csrutil again; 8) check with systemextensionsctl list

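The accepted reply's two-step procedure (list, then uninstall by team ID and bundle ID) can be scripted so the IDs do not have to be copied by hand. The script below is an added example, not code from the thread; it parses a constructed sample of `systemextensionsctl list` output and builds the exact `systemextensionsctl uninstall TEAMID BUNDLEID` line. The tab-separated column layout of the sample (enabled / active / teamID / bundleID (version) / name / [state]) is an assumption about the real tool's output and should be checked against `systemextensionsctl list` on the machine in question; the uninstall itself still has to be run from Recovery with SIP disabled, as the thread explains.

```shell
#!/bin/sh
# Added example (not from the thread): derive the uninstall command for a
# system extension from `systemextensionsctl list` output.

# Constructed sample of `systemextensionsctl list` output. The column layout is
# an assumption; the team IDs and bundle IDs are made up for this example.
sample_list() {
    printf '%s\n' '2 extension(s)'
    printf '%s\n' '--- com.apple.system_extension.endpoint_security'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '*\t*\tABCDE12345\tcom.example.zombie.extension (1.0/7)\tZombieExt\t[activated enabled]\n'
    printf '\t\tFGHIJ67890\tcom.example.other.extension (2.1/3)\tOtherExt\t[terminated waiting to uninstall on reboot]\n'
}

# Read list output on stdin and print the team ID of the extension whose
# bundle ID equals $1. Exits 1 if no such extension is listed.
find_team_id() {
    awk -F '\t' -v want="$1" '
        # skip the count line, the "--- category" line and the column header
        $1 == "enabled" || /^---/ || /extension\(s\)$/ { next }
        {
            # column 4 is "bundleID (version)"; keep only the bundle ID
            split($4, parts, " ")
            if (parts[1] == want) { print $3; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}

# Read list output on stdin and print the uninstall command line for bundle ID $1.
uninstall_command() {
    team_id=$(find_team_id "$1") || return 1
    printf 'systemextensionsctl uninstall %s %s\n' "$team_id" "$1"
}

# Real use on a Mac, from Recovery with SIP disabled (review the printed line first):
#   systemextensionsctl list | uninstall_command com.example.zombie.extension
# Offline demonstration on the constructed sample:
sample_list | uninstall_command com.example.zombie.extension
```

Piping the printed line into `sh` runs the uninstall; printing it first keeps the destructive step explicit, which matters because a wrong bundle ID simply fails while a wrong team ID for a real bundle ID is harder to spot. A reboot afterwards, as noted later in the thread, finishes the removal.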

Replies

To clarify, did you run systemextensionsctl after disabling SIP to remove it?


I have SIP enabled.


I did all the initial endpoint development with SIP disabled and was launching a command-line version of the program via launchctl. Since re-enabling SIP I have been having to unlearn old habits/workflows and learning new ones.


I had not seen the systemextensionsctl command before. I had mistakenly tried launchctl (which does show the extension running, but couldn't control the extension with the command).


Whew, I am glad systemextensionsctl is there. I just wish I knew about it yesterday. :-)


Thanks

Thanks!


systemextensionsctl is exactly what I needed.


I had been using launchctl which has worked fine when I was launching programs out of LaunchDaemons, but I hadn't known about systemextensionsctl.

I forgot to mention, I usually then do a reboot of my VM to finish removing the extension.

Thanks on this (again)!


I didn't realize I needed to disable SIP again to run the systemextensionsctl command. But now (I think) I have everything fixed, and I cleaned out the 386 extensions registered there! 😯

To clarify, you do want to keep SIP enabled. I was only referring to a current limitation of the systemextensionsctl command. It can only be used to uninstall if you have disabled SIP. Apparently Apple plans to fix that at some point.

Surely this can't be the only answer! If you have a zombie extension running on a laptop and you can't get to that laptop to disable SIP (you have to remove it remotely or via a script), is there no way of uninstalling this currently?

I don't know if that's the only answer, but it's what I've found by reading the forums and experimentation. If you, or anyone, finds some definitive documentation, please post a link here. I'd love to read it and let our support team know when we release our product into the wild.

That's the only answer. Don't leave zombie system extensions.


Unfortunately, 3rd party developers have an atrocious track record when it comes to uninstallers. Sometimes they don't include uninstallers at all. Other times, they provide uninstallation instructions that are blatant lies. And, in the end, users think they can uninstall software by dragging apps to the trash.


If you ship a system extension, it must be inside the app and your only uninstallation method must be for the user to drag the app to the trash. No options. Hopefully you won't leave a bunch of launch daemons and agents spinning their wheels on the user's machine for all eternity.