Yesterday I posted https://krypted.com/mac-security/script-to-list-extensions-running-on-a-mac/ to scriptify some research on App Extensions and System Extensions. I mentioned that it’s also possible to loop through /Applications or /Applications/Utilities and look for any .systemextension bundles (which includes network extensions as those are .networkextension.systemextension – and ultimately they’re all kinda’ auxiliary kext’s ‘even though’cause kexts are bad – but I digress). So here’s a script that loops through the file hierarchy supplied by $1 and then checks any found against systemextensionsctl to make sure they’re running:
https://github.com/krypted/extensionslist/blob/main/systemextensions.sh
In action, here are a couple of outputs of what it can look like. Per developer documentation (and with a little experience writing them), the two locations that Apple allows developers to drop a third party .systemextension are /Applications/ and /Applications/Utilities so it’s good to scan both. Unlike the script from yesterday, this does lot look for app extensions, which are mostly innocuous but can include CredentalProviders, Safari Extensions, and Share Sheets.