Mac OS X, Mac Security

LSAppInfo can’t hide processes but it’s still useful

Once upon a time we could hide a process from users:

lsappinfo setinfo -app BackgroundRootkitOfDoom ApplicationType=UIElement 1

I’m not sure when that got removed but it’s probably for the best. There were ways to hide everything: users and groups (a UID below 500, or an underscore in front of the username), objects on the file system, and so on. Then people abused what admins had been using for various workflows, and much of that has since been removed.

The lsappinfo binary is still pretty useful, though. The simplest incantation would be to just list what’s running:

lsappinfo list

The output has the bundle ID, the bundle path, the executable path, the pid, the type and some other metadata:

111) "Safari Web Content (Cached)" ASN:0x0-0x10d10d0: bundleID="com.apple.WebKit.WebContent" bundle path="/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc" executable path="/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent" pid = 55200 !cgsConnection !signalled type="UIElement" flavor=3 Version="17613.2.7.1.8" fileType="XPC!" creator="????" Arch=ARM64 sandboxed
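Since the type field is where the old UIElement trick showed up, an added example (not from the original post) that picks out every running app registered as UIElement from `lsappinfo list` output, then flags the ones whose bundle lives outside /System or /Applications. The input is a constructed three-record sample modeled on the record above; the helper names and the path heuristic are this example's own assumptions.

```shell
#!/bin/sh
# Constructed sample of `lsappinfo list` output (three records, paths and pids
# made up for the example). On a real Mac pipe in: lsappinfo list
SAMPLE_LIST='111) "Safari Web Content (Cached)" ASN:0x0-0x10d10d0: bundleID="com.apple.WebKit.WebContent" bundle path="/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc" executable path="/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent" pid = 55200 !cgsConnection !signalled type="UIElement" flavor=3 Version="17613.2.7.1.8" fileType="XPC!" creator="????" Arch=ARM64 sandboxed
112) "Terminal" ASN:0x0-0x105b05a: bundleID="com.apple.Terminal" bundle path="/System/Applications/Utilities/Terminal.app" executable path="/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal" pid = 4242 type="Foreground" flavor=3 Version="2.12.7" fileType="APPL" creator="trmx" Arch=ARM64
113) "ExampleHelper" ASN:0x0-0x1234123: bundleID="com.example.helper" bundle path="/Users/me/Library/Application Support/ExampleHelper.app" executable path="/Users/me/Library/Application Support/ExampleHelper.app/Contents/MacOS/ExampleHelper" pid = 5150 type="UIElement" flavor=3 Version="1.0" fileType="APPL" creator="????" Arch=ARM64'

# Read lsappinfo list records on stdin and print "pid<TAB>bundleID<TAB>bundle path"
# for every record whose type is UIElement, i.e. an app registered so it does not
# show in the Dock or the Force Quit window. Missing fields print as "?".
uielement_apps() {
  awk '/type="UIElement"/ {
    pid = bid = bp = "?"
    if (match($0, /pid = [0-9]+/))        pid = substr($0, RSTART + 6,  RLENGTH - 6)
    if (match($0, /bundleID="[^"]*"/))    bid = substr($0, RSTART + 10, RLENGTH - 11)
    if (match($0, /bundle path="[^"]*"/)) bp  = substr($0, RSTART + 13, RLENGTH - 14)
    printf "%s\t%s\t%s\n", pid, bid, bp
  }'
}

# Heuristic (an assumption of this example, not a rule): a UIElement app whose
# bundle sits outside /System or /Applications, e.g. in a user-writable
# directory, is worth a second look during an audit.
suspicious_uielement_apps() {
  uielement_apps | awk -F'\t' '$3 !~ /^\/System\// && $3 !~ /^\/Applications\//'
}

# Run over the constructed sample: prints the com.example.helper record only.
printf '%s\n' "$SAMPLE_LIST" | suspicious_uielement_apps
```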

We can also see a list of what’s visible to a user:

lsappinfo visibleprocesslist

The output shows what an end user can see that’s running (e.g. via the Dock or a force quit screen):

ASN:0x0-0x105b05a-"Terminal": ASN:0x0-0x7f07f0-"Safari": ASN:0x0-0x7d97d9-"Mail": ASN:0x0-0x10e10e0-"Preview": ASN:0x0-0x7e07e0-"Slack": ASN:0x0-0x811811-"Xcode": ASN:0x0-0x12012-"Finder": ASN:0x0-0xbf0bf-"Google_Chrome": ASN:0x0-0x90d90d-"Keynote": ASN:0x0-0x77a77a-"Messages": ASN:0x0-0x1013012-"zoom.us": ASN:0x0-0xa5ca5c-"Discord": ASN:0x0-0x79c79c-"Microsoft_Outlook": ASN:0x0-0x101d01c-"Microsoft_Word": ASN:0x0-0xecbecb-"FlashPrint": ASN:0x0-0xf26f26-"ShurePlus_MOTIV": ASN:0x0-0x76c76c-"Notes": ASN:0x0-0x8f18f1-"Simulator": ASN:0x0-0xa51a51-"Microsoft_Teams":

There's a lot we can do with the ASN, as Howard Oakley wrote up at https://eclecticlight.co/2020/03/04/learn-almost-everything-about-an-app-with-lsappinfo/. We can see a lot of information about a process, including some attributes that traditional Unix facilities can't interpret. We can go beyond looking at information about a process and launch apps as well. We could launch an app and tell it not to come to the foreground with attributes applied to the launch verb (e.g. nofront):

lsappinfo launch nofront=true async=true /Applications/MyApp.app/

Developers can also trace information as things happen on the system (like a tail for ASNs):

lsappinfo listen +all forever

This lets developers trace events as they move through processes: for example, when something moving through XPC alters an attribute of that service, or when a process forks and invokes another process, along with what the metadata for it is. These factor into how message queues are handled and can provide a fair amount of insight into how things are architected.

Notification: kLSNotifyApplicationDeath time=+2.1922s dataRef={ "CFBundleShortVersionString"="17613", "LSAuditToken"=$F5010000F501000014000000F5010000140000005BD10000B1860100D0381800, "CFBundleExecutablePathINode"=1152921500312337441, "DTSDKName"="macosx12.4.internal", "CFBundleExecutablePath"="/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent", "CFBundleDevelopmentRegion"="English", "DTPlatformName"="macosx", "LSPersistenceSuppressRelaunchAtLogin"=true, "_STAttributionDisplayName"="Website", "NSDisableKeyboardLayoutAdjustedShortcuts"=true, "pid"=53595, "CFBundleNameLowerCase"="com.apple.webkit.webcontent", "CFBundleExecutable"="com.apple.WebKit.WebContent", "CFBundleName"="com.apple.WebKit.WebContent", "LSExitStatus"=0, "LSBundlePathDeviceID"=16777234, "NSMainNibFile"="WebContentProcess", "BundleIdentifierLowerCase"="com.apple.webkit.webcontent", "LSExecutableFilenameLowerCaseKey"="com.apple.webkit.webcontent", "NSColorPreferLocalNotifications"=1, "NSPrincipalClass"="NSApplication", "LSFileQuarantineEnabled"=true, "NSSupportsAppNap"=true, "DTSDKBuild"="21F74", "LSApplicationHasRegistered"=true, "XPCService"={ "_HighBitsASLR"=true, "_MultipleInstances"=true, "_ProcessType"="App", "RunLoopType"="NSRunLoop", "JoinExistingSession"=true, "ServiceType"="Application" }, "DTPlatformVersion"="12.4", "ChangeCount"=551, "CFBundleGetInfoString"="17613.2.7.1.8, Copyright 2003-2022 Apple Inc.", "CFBundleFollowParentLocalization"=true, "LSASN"=ASN:0x0-0x1026025:, "LSBundlePath"="/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc", "DTXcodeBuild"="13E6049a", "LSBundlePathINode"=1152921500312337436, "LSApplicationInSandboxKey"=true, "ApplicationType"="UIElement", "CFBundleIdentifier"="com.apple.WebKit.WebContent", "LSArchitecture"="arm64", "LSExecutableSDKVersion"="12.4", "BuildMachineOSBuild"="20A241133", "CFBundleSignature"="????", 
"LSDisplayName"="Safari Web Content", "CFBundleInfoDictionaryVersion"="6.0", "DTCompiler"="com.apple.compilers.llvm.clang.1_0", "CFBundleExecutablePathDeviceID"=16777234, "CFBundleVersion"="17613.2.7.1.8", "CFBundleSupportedPlatforms"=( "MacOSX"), "LSBundlePathLastComponentLowerCaseKey"="com.apple.webkit.webcontent.xpc", "LSMinimumSystemVersion"="12.4", "LSDYLDPlatformKey"=1, "NSSupportsAutomaticGraphicsSwitching"=true, "DTPlatformBuild"="21F74", "Flavor"=3, "DTXcode"="1330", "LSApplicationSandboxedInformationItemsKey"=( "NSSupportsAppNap", "CFBundleInfoDictionaryVersion", "DTPlatformVersion", "CFBundleName", "DTSDKName", "NSSupportsAutomaticGraphicsSwitching", "CFBundleFollowParentLocalization", "NSPrincipalClass", "_STAttributionDisplayName", "DTSDKBuild", "CFBundleShortVersionString", "CFBundleSupportedPlatforms", "BuildMachineOSBuild", "DTPlatformBuild", "CFBundlePackageType", "DTXcodeBuild", "CFBundleDevelopmentRegion", "NSDisableKeyboardLayoutAdjustedShortcuts", "CFBundleVersion", "CFBundleGetInfoString", "LSFileQuarantineEnabled", "NSColorPreferLocalNotifications", "NSMainNibFile", "CFBundleIdentifier", "LSBundlePathSandboxExtensionKey", "DTXcode", "LSApplicationInSandboxKey", "CFBundleExecutable", "LSMinimumSystemVersion", "XPCService", "CFBundleSignature", "DTPlatformName", "DTCompiler"), "CFBundlePackageType"="XPC!" } affectedASN=ASN:0x0-0x1026025: context=0x0 sessionID=186b1 notificationID=0x600001cf0000