


Re: Screenshot!

From "David B." <"David B."@invalid.org>
Newsgroups alt.computer.workshop, uk.comp.sys.mac
Subject Re: Screenshot!
Date 2026-05-27 23:26 +0100
Organization Retired
Message-ID <n7p9ctFecb6U1@mid.individual.net>
References <n7e2roFlopsU1@mid.individual.net> <n7o5p8F8utfU1@mid.individual.net> <6a16fd0c$0$25$882e4bbb@reader.netnews.com> <n7oqo7Fc4i6U1@mid.individual.net> <6a174c9d$1$13959$882e4bbb@reader.netnews.com>

Cross-posted to 2 groups.



On 27/05/2026 20:57, Brock McNuggets wrote:
> On May 27, 2026 at 11:16:39 AM MST, ""David B."" wrote
> <n7oqo7Fc4i6U1@mid.individual.net>:
> 
>> Brock said ....
>>
>> You have shown no evidence of this. I was quite certain it did not. To
>> check I downloaded it and ran it. Then I uninstalled it by dragging it
>> to AppCleaner.
>>
>> https://shottr.cc/s/PDfQ/SCR-20260527-b1c
>>
>> None of those are as you describe. Not a launch daemon/agent to be found.
>>
>> =
>>
>> <SIGH>
>>
>> You don't see it in AppCleaner, Brock....
>>           ....... *because you didn't actually trigger it*!
>>
>>
>> EtreCheck is designed to run in user space by default. However, the
>> moment a user utilizes its advanced features — such as checking full
>> storage performance or granting "Full Disk Access" to scan restricted
>> system areas — the application explicitly prompts for an administrator
>> password.
> 
> And?
> 
>> It is at that exact moment of admin authorization that macOS copies and
>> registers the privileged helper tool binary into the root directory:
>> /Library/PrivilegedHelperTools/com.etresoft.EtreCheckHelper
> 
> Show evidence of this. And when is it triggered? Does it run if EtreCheck does
> not?
> 
>> If you merely downloaded the app, opened it, and immediately dragged it
>> into AppCleaner without executing any of those elevated administrative
>> diagnostics, the privileged helper was never deployed onto your system.
> 
> That is not what I did.
>>
>> Your screenshot simply proves that an un-triggered feature doesn't
>> install its components. For users who actually use the full diagnostic
>> depth of the tool, that background helper is registered — and dragging
>> the .app bundle to the Bin does not remove it.
>>
>> The technical facts remain unchanged.
> 
> The claim remains unsupported.

*WRONG*!!!!!
It is entirely supported, Brock. If you want the hard evidence, look
directly at the application bundle's internal structure.

If you right-click the EtreCheck application bundle, select Show Package
Contents, and navigate to /Contents/Library/LaunchServices/, you will
find the embedded helper binary waiting to be deployed:
com.etresoft.EtreCheckHelper

If you open the application’s main Info.plist file, you will find the
explicit registration key that macOS requires for privilege escalation:
SMPrivilegedExecutables pointing directly to
com.etresoft.EtreCheckHelper.

As for your questions regarding its operation:

When is it triggered? It is triggered the moment a user attempts a task
requiring low-level system access, such as reading restricted system
logs or using the advanced storage benchmark to measure drive 
performance. macOS throws the standard security dialogue box asking for
an administrator password to install the helper.

Does it run if EtreCheck does not? No. It is a launch-on-demand
privileged helper daemon managed by launchd. It does not constantly burn
CPU cycles in the background when the main app is closed.

But that completely misses the architectural point we are discussing.
The issue isn't whether it actively hogs your RAM; the issue is persistence.

Once that admin prompt is cleared, macOS copies that binary to the
root-level /Library/PrivilegedHelperTools/ directory. When a user
subsequently drags the EtreCheck .app bundle to the Bin, macOS leaves
that root-level binary behind. It is a permanent orphan on the file
system until manually scrubbed.

The directory paths are real, the code structure inside the app bundle
is real, and the mechanism is standard macOS security architecture. The
only thing unsupported here is your denial of how the software is built.

-- 
David
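
[Added example, not part of the post above and not code from either poster or from the application's developer.] The checks the post describes (the `SMPrivilegedExecutables` key in a bundle's Info.plist, the embedded binary under Contents/Library/LaunchServices/, and files left in /Library/PrivilegedHelperTools/) can be verified on any machine with a short read-only audit. The function names and the `com.example.*` labels in the constructed sample tree are hypothetical.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

def declared_helpers(app):
    """Labels under SMPrivilegedExecutables -> is the binary embedded in the bundle?"""
    try:
        with (app / "Contents" / "Info.plist").open("rb") as fh:
            info = plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return {}  # missing or unparseable Info.plist: nothing declared
    labels = info.get("SMPrivilegedExecutables") if isinstance(info, dict) else None
    embedded = app / "Contents" / "Library" / "LaunchServices"
    return {label: (embedded / label).is_file() for label in (labels or {})}

def audit_helpers(apps_dir, helpers_dir):
    """Installed helper name -> app bundles that still declare it ([] = orphan)."""
    owners = {}
    for app in sorted(Path(apps_dir).glob("*.app")):
        for label in declared_helpers(app):
            owners.setdefault(label, []).append(app.name)
    helpers_dir = Path(helpers_dir)
    installed = sorted(p.name for p in helpers_dir.iterdir()) if helpers_dir.is_dir() else []
    return {name: owners.get(name, []) for name in installed}

def demo():
    """Constructed sample tree with hypothetical com.example.* labels."""
    with tempfile.TemporaryDirectory() as tmp:
        apps, helpers = Path(tmp, "Applications"), Path(tmp, "PrivilegedHelperTools")
        bundle = apps / "Example.app" / "Contents"
        (bundle / "Library" / "LaunchServices").mkdir(parents=True)
        helpers.mkdir()
        with (bundle / "Info.plist").open("wb") as fh:
            plistlib.dump({"SMPrivilegedExecutables": {
                "com.example.ExampleHelper": 'identifier "com.example.ExampleHelper"'}}, fh)
        (bundle / "Library" / "LaunchServices" / "com.example.ExampleHelper").touch()
        (helpers / "com.example.ExampleHelper").touch()  # app still present
        (helpers / "com.example.RemovedHelper").touch()  # app bundle deleted
        return declared_helpers(apps / "Example.app"), audit_helpers(apps, helpers)

if __name__ == "__main__":
    print(demo())
    # On a Mac, the real locations named in the post:
    print(audit_helpers("/Applications", "/Library/PrivilegedHelperTools"))
```

An empty owner list only means that no bundle directly inside the scanned folder declares that helper; apps kept in subfolders or elsewhere on disk are not seen by this scan.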
