Re: Screenshot!

From "David B." <"David B."@invalid.org>
Newsgroups alt.computer.workshop, uk.comp.sys.mac
Subject Re: Screenshot!
Date 2026-05-28 08:54 +0100
Organization Retired
Message-ID <n7qam6Fj6cuU1@mid.individual.net> (permalink)
References <n7e2roFlopsU1@mid.individual.net> <n7oqo7Fc4i6U1@mid.individual.net> <6a174c9d$1$13959$882e4bbb@reader.netnews.com> <n7p9ctFecb6U1@mid.individual.net> <6a177c94$2$20$882e4bbb@reader.netnews.com>

Cross-posted to 2 groups.


On 28/05/2026 00:21, Brock McNuggets wrote:
> On May 27, 2026 at 3:26:37 PM MST, ""David B."" wrote
> <n7p9ctFecb6U1@mid.individual.net>:
> 
>> On 27/05/2026 20:57, Brock McNuggets wrote:
>>> On May 27, 2026 at 11:16:39 AM MST, ""David B."" wrote
>>> <n7oqo7Fc4i6U1@mid.individual.net>:
>>>
>>>> Brock said ....
>>>>
>>>> You have shown no evidence of this. I was quite certain it did not. To
>>>> check I downloaded it and ran it. Then I uninstalled it by dragging it
>>>> to AppCleaner.
>>>>
>>>> https://shottr.cc/s/PDfQ/SCR-20260527-b1c
>>>>
>>>> None of those are as you describe. Not a launch daemons/agents to be found.
>>>>
>>>> =
>>>>
>>>> <SIGH>
>>>>
>>>> You don't see it in AppCleaner, Brock....
>>>>            ....... *because you didn't actually trigger it*!
>>>>
>>>>
>>>> EtreCheck is designed to run in user space by default. However, the
>>>> moment a user utilizes its advanced features — such as checking full
>>>> storage performance or granting "Full Disk Access" to scan restricted
>>>> system areas — the application explicitly prompts for an administrator
>>>> password.
>>>
>>> And?
>>>
>>>> It is at that exact moment of admin authorization that macOS copies and
>>>> registers the privileged helper tool binary into the root directory:
>>>> /Library/PrivilegedHelperTools/com.etresoft.EtreCheckHelper
>>>
>>> Show evidence of this. And when is it triggered? Does it run if EtreCheck does
>>> not?
>>>
>>>> If you merely downloaded the app, opened it, and immediately dragged it
>>>> into AppCleaner without executing any of those elevated administrative
>>>> diagnostics, the privileged helper was never deployed onto your system.
>>>
>>> That is not what I did.
>>>>
>>>> Your screenshot simply proves that an un-triggered feature doesn't
>>>> install its components. For users who actually use the full diagnostic
>>>> depth of the tool, that background helper is registered — and dragging
>>>> the .app bundle to the Bin does not remove it.
>>>>
>>>> The technical facts remain unchanged.
>>>
>>> The claim remains unsupported.
>>
>> *WRONG*!!!!!
>> It is entirely supported, Brock. If you want the hard evidence, look
>> directly at the application bundle's internal structure.
>>
>> If you right-click the EtreCheck application bundle, select Show Package
>> Contents, and navigate to /Contents/Library/LaunchServices/, you will
>> find the embedded helper binary waiting to be deployed:
>> com.etresoft.EtreCheckHelper
>>
>> If you open the application’s main Info.plist file, you will find the
>> explicit registration key that macOS requires for privilege escalation:
>> SMPrivilegedExecutables pointing directly to
>> com.etresoft.EtreCheckHelper.
>>
>> As for your questions regarding its operation:
>>
>> When is it triggered? It is triggered the moment a user attempts a task
>> requiring low-level system access, such as reading restricted system
>> logs or using the advanced storage benchmark to measure drive
>> performance. macOS throws the standard security dialogue box asking for
>> an administrator password to install the helper.
>>
>> Does it run if EtreCheck does not? No. It is a launch-on-demand
>> privileged helper daemon managed by launchd. It does not constantly burn
>> CPU cycles in the background when the main app is closed.
>>
>> But that completely misses the architectural point we are discussing.
>> The issue isn't whether it actively hogs your RAM; the issue is persistence.
>>
>> Once that admin prompt is cleared, macOS copies that binary to the
>> root-level /Library/PrivilegedHelperTools/ directory.
> 
> Please back this claim. And then READ what I have written to you and try to
> understand it.

I back the claim by citing Apple's own official developer specifications 
for the macOS security framework.

The mechanism we are discussing is called SMJobBless (part of the 
Service Management framework). Under Apple’s secure architecture, when 
an application bundle uses this API to install a privileged helper tool:

The operating system validates the tool's code signature against the 
parent app's signature.

The launchd system daemon explicitly copies the helper tool binary into 
the root-level system directory: /Library/PrivilegedHelperTools/

A corresponding configuration property list is created inside: 
/Library/LaunchDaemons/

This is entirely handled by the system, not the application itself. 
Because these files are written to the root-level system directories 
under administrative ownership, they are entirely decoupled from the 
user's local application folder.

When a user drags an .app bundle from /Applications to the Bin, macOS 
executes a simple file-system deletion of that specific directory 
bundle. It does not trace root-level system directories to clean up 
associated daemons or privileged helpers. Apple explicitly prevents 
standard application bundle deletion from modifying root-level system 
directories for security reasons.

If you want independent confirmation of this platform-wide behaviour, 
you can look at any standard macOS administration guide regarding the 
Service Management framework, or look at how other premium utilities 
handle uninstallation. The permanence of these files is exactly why 
developers who use SMJobBless must explicitly code a custom "Uninstall" 
routine to invoke an authenticated helper script to clean up 
/Library/PrivilegedHelperTools/.

The claim is backed by the core architectural rules of the operating 
system you are using.

--
I hope this helps
David
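
A read-only check for the leftover files discussed in this post, as an added example that is not part of the original message or of any project's code: it lists what sits in /Library/PrivilegedHelperTools/, looks for the matching property list in /Library/LaunchDaemons/, and flags helpers that no app under /Applications names in SMPrivilegedExecutables. The `com.example.*` labels and the sample tree are constructed; apps installed outside /Applications are not searched, so "orphaned" here means only that no declaring bundle was found there.

```python
import plistlib
import tempfile
from pathlib import Path


def load_plist(path):
    """Parse an XML or binary plist; return {} if unreadable or not a dict."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception:  # malformed plists raise several unrelated error types
        return {}
    return data if isinstance(data, dict) else {}


def audit_privileged_helpers(root="/"):
    """Report each installed helper, its launchd job, and the apps declaring it."""
    root = Path(root)
    declared = {}  # helper label -> app bundles whose Info.plist names it
    for info in (root / "Applications").glob("*.app/Contents/Info.plist"):
        for label in load_plist(info).get("SMPrivilegedExecutables", {}):
            declared.setdefault(label, []).append(info.parents[1].name)
    report = []
    for helper in sorted((root / "Library/PrivilegedHelperTools").glob("*")):
        job = root / "Library/LaunchDaemons" / f"{helper.name}.plist"
        owners = sorted(declared.get(helper.name, []))
        report.append({"helper": helper.name, "launchd_job": job.is_file(),
                       "declared_by": owners, "orphaned": not owners})
    return report


def build_sample_tree():
    """Constructed layout: one helper whose app remains, one left behind."""
    root = Path(tempfile.mkdtemp())
    tools, jobs = root / "Library/PrivilegedHelperTools", root / "Library/LaunchDaemons"
    tools.mkdir(parents=True)
    jobs.mkdir()
    for label in ("com.example.KeptHelper", "com.example.LeftoverHelper"):
        (tools / label).write_bytes(b"")  # empty stand-in for the helper binary
        (jobs / f"{label}.plist").write_bytes(plistlib.dumps({"Label": label}))
    contents = root / "Applications/Kept.app/Contents"
    contents.mkdir(parents=True)
    # The requirement string is a placeholder, not a real signing requirement.
    info = {"SMPrivilegedExecutables": {"com.example.KeptHelper": "placeholder"}}
    (contents / "Info.plist").write_bytes(plistlib.dumps(info))
    return root


if __name__ == "__main__":
    for row in audit_privileged_helpers(build_sample_tree()):
        print(row)
```

Called with no argument, `audit_privileged_helpers()` inspects the live system root and only reads files.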
