kextfind - macOS


Overview

The kextfind command in macOS is a utility designed to search for kernel extensions (kexts) based on specific attributes, property values, and dependencies. It allows administrators and users to identify and manage kernel extensions installed on their system. kextfind is particularly useful for troubleshooting, auditing, and ensuring system compliance with security policies.

Syntax

The basic syntax of kextfind is as follows:

kextfind [options] [kext_or_directory ...] [query]
  • -case-insensitive: Perform case-insensitive matching.
  • -not: Negates the next expression.
  • -and: Combines expressions with a logical AND; this is the default operation.
  • -or: Combines expressions with a logical OR.
  • -print: Print the matching kext’s pathname; this is the default action.

The Query part consists of expressions that describe the attributes, properties, or dependencies to search for.

Options/Flags

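  • -case-insensitive: Allows the search to be conducted without case sensitivity, useful when the exact casing of kext identifiers or other attributes is unknown.
  • -substring: Matches when the search value appears anywhere within the attribute, rather than requiring the whole value to match.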
  • -not: This flag reverses the match condition that follows it, useful for excluding specific kexts from the results.
  • -and: Explicit logical AND to combine query conditions, though it is the default and usually does not need to be specified.
  • -or: Allows combining multiple conditions where any condition being true will include the kext in the output.
  • -print: Explicitly directs kextfind to output the path of each kext that meets the query criteria. This is the default action if no output action is specified.

Examples

  1. Find all kexts whose bundle identifiers contain ‘com.apple’ (-bundle-id tests the kext’s CFBundleIdentifier):
    kextfind -case-insensitive -substring -bundle-id com.apple
    
  2. List all kexts that depend on a specific kext, e.g., ‘com.apple.iokit.IOGraphicsFamily’ (-print-dependents prints the dependents of each matching kext):
    kextfind -bundle-id com.apple.iokit.IOGraphicsFamily -print-dependents
    

Common Issues

  • Performance: kextfind can be slow when searching through a large number of kexts or when using complex queries.
    • Tip: Limit the scope of the search or use more specific search criteria.
  • Case Sensitivity: Users may face issues related to case sensitivity in attributes.
    • Solution: Use the -case-insensitive option to avoid such issues.

Integration

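kextfind can be combined with other shell commands for monitoring or maintenance scripts. For example:

  • Create a report of all third-party (non-Apple) kexts. The bundle identifier is declared by the kext itself in its Info.plist, so use this report as an inventory rather than as proof of who built a kext:
    kextfind -substring -not -bundle-id com.apple >> third_party_kexts.txt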
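
A one-off report is more useful when each new scan is compared with an approved list. The script below is an added example, not part of the original page: the helper names kext_drift and sample_scan, the baseline file and the sample kext paths are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report drift between the third-party kexts currently found
# and an approved baseline list (one kext path per line).

# kext_drift BASELINE reads kext paths on stdin, as printed by kextfind, and
# prints "+ path" for kexts not in the baseline and "- path" for baseline
# entries that are no longer present.
kext_drift() {
    kd_baseline=$1
    [ -r "$kd_baseline" ] || { echo "cannot read baseline: $kd_baseline" >&2; return 2; }
    kd_now=$(mktemp) || return 2
    kd_ok=$(mktemp) || { rm -f "$kd_now"; return 2; }
    # Normalise both lists: drop blank lines, sort bytewise, de-duplicate.
    grep -v '^$' | LC_ALL=C sort -u > "$kd_now"
    grep -v '^$' "$kd_baseline" | LC_ALL=C sort -u > "$kd_ok"
    LC_ALL=C comm -13 "$kd_ok" "$kd_now" | sed 's/^/+ /'   # new since baseline
    LC_ALL=C comm -23 "$kd_ok" "$kd_now" | sed 's/^/- /'   # approved but gone
    rm -f "$kd_now" "$kd_ok"
}

# Constructed sample standing in for kextfind output (note the blank line
# and the duplicate, which kext_drift must tolerate).
sample_scan() {
    cat <<'EOF'
/Library/Extensions/ExampleVPN.kext
/Library/Extensions/ExampleAudio.kext

/Library/Extensions/ExampleVPN.kext
EOF
}

# On a Mac, pass the baseline file as the first argument to scan for real.
if command -v kextfind >/dev/null 2>&1 && [ -n "${1:-}" ]; then
    kextfind -substring -not -bundle-id com.apple | kext_drift "$1"
fi
```

Any "+" line is a kext that was not reviewed when the baseline was written and is the entry to investigate first.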
    

Related Commands

  • kextstat: Displays the status of loaded kernel extensions.
  • kextload: Loads a specified kernel extension.
  • kextunload: Unloads a specified kernel extension.

For further reading about kernel extensions, you can refer to the Kernel Extension Programming Topics on Apple’s official documentation website.