Tiny Deathstars of Foulness

In Mac OS X, diskarbitrationd is the process that handles mounting disks when they are inserted into the computer (eg – firewire, USB, etc).  Diskarbitrationd runs in the background, is always on by default and is started by launchd.  New disks inserted into the computer are automatically mounted, which you might not want to happen (for example, if you are forensically imaging a system, investigating malware on a device, attempting to fix corruption, simply trying to keep users that don’t know how to manually mount a disk from accessing one, etc). There are  number of ways to stop diskarbitrationd.  One of the easiest (and least intrusive since it doesn’t require a restart) is using launchctl.  To disable disk arbitration, first run the following command to obtain a list of currently running launchd-initiated processes:
launchctl list
That’s going to output a few too many so let’s constrain our search to those that include the string diskarbitrationd:
launchctl list | grep diskarbitrationd
You’ll now see a PID and the name of the process.  Notice it has an alphanumeric string in front of it, appearing similar to 0x10abe0.diskarbitrationd. Next, go ahead and stop it, again using launchctl but this time with the stop option:
launchctl stop 0x10abe0.diskarbitrationd
Once stopped, let’s verify that diskarbitration is no longer running:
ps aux
Once you have completed your tasks and want to re-enable disk arbitration, you can restart it using the start option in launchctl:
launchctl start 0x10abe0.diskarbitrationd
Finally, this process is not persistent across reboots.  If you will be rebooting the system you are mounting the disk onto you might want to unload diskarbitrationd and then move the plist from /System/Library/LaunchDaemons/  For example, to move it to the desktop, use the following command:
mv /System/Library/LaunchDaemons/ ~/Desktop/

June 28th, 2009

Posted In: Mac OS X, Mac Security

Tags: , , , ,

  • tobyvoss

    to prevent diskarbitrationd auto-mounting i found the following tool most helpful:

    also, i think in snowleopard (10.6), one needs to use “sudo launchctl unload” for the daemon to be gone and stay gone.