{
	"id": "98bc0165-cdc8-4483-98b6-f1d7a30597ca",
	"created_at": "2026-04-06T01:30:20.451968Z",
	"updated_at": "2026-04-10T03:35:21.422549Z",
	"deleted_at": null,
	"sha1_hash": "d3b53d2877c376bfb52abf461583f1e784c0faf9",
	"title": "launchd keywords for plists",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 111566,
	"plain_text": "launchd keywords for plists\r\nBy Dennis German\r\nArchived: 2026-04-06 01:21:08 UTC\r\nThere does not appear to be a RestartSec (delay restart in seconds) as in Linux systemctl.\r\nLabel string required key uniquely identifies the job Program string first argument of execvp . Default:\r\nProgramArguments[0] .\r\nRequired in the absence of ProgramArguments . ProgramArguments array_of_strings second argument of\r\nexecvp .\r\nRequired in the absence of Program . Read execvp(3) carefully EnableGlobbing bool use the glob(3)\r\nmechanism to update the program arguments before invocation. Disabled bool see\r\n/private/var/db/launchd/com.apple.xpc.launchd/disabled.plist deprecated: a hint to launchctl(1) that it\r\nshould not submit this job to launchd when loading a job or jobs.\r\nDoes NOT reflect the current state of the job on the running system.\r\nQuery launchd for the presence of the job using the launchctl(1) list or use the ServiceManagement\r\nframework's SMJobCopyDictionary() method.\r\nConveys a default value, which may be changed with -w of launchctl load and unload subcommands which do\r\nnot modify the configuration file.\r\nOnly use this key if the provided on-demand and KeepAlive criteria are insufficient to describe the conditions\r\nunder which job needs to run. The cost to have a job loaded in launchd is negligible, so there is no harm in loading\r\na job which only runs once or rarely.\r\nUserName string   GroupName string If UserName is set and GroupName is not, the group will be set to\r\nthe default group of the user. 
inetdCompatibility dictionary expect to run as if it were launched from inetd.\r\nWait bool corresponds to the \"wait\" or \"nowait\" option of inetd.\r\ntrue : the listening socket is passed via the standard in/out/error file descriptors.\r\nfalse : accept(2) is called on behalf of the job, and the result is passed via the standard in/out/error descriptors.\r\nLimitLoadToHardware LimitLoadFromHardware LimitLoadToHosts array of strings applies to the hosts\r\nlisted with this key. set kern.hostname in sysctl.conf(5) LimitLoadFromHosts array of strings applies to hosts\r\nNOT listed with this key. set kern.hostname in sysctl.conf(5) LimitLoadToSessionType string Applies to\r\nsessions of the type specified (example\r\n\u003ckey\u003eLimitLoadToSessionType\u003c/key\u003e\r\n\u003carray\u003e\r\n\u003cstring\u003eAqua\u003c/string\u003e \u003cstring\u003eBackground\u003c/string\u003e\r\n \u003cstring\u003eLoginWindow\u003c/string\u003e\r\n\u003c/array\u003e\r\nUsed with -S to launchctl. EnableTransactions bool Uses vproc_transaction_begin and n_end to track\r\ntransactions that need to be reconciled before the process can safely terminate.\r\nIf there are outstanding transactions launchd should avoid sending kill OnDemand bool was used in Mac OS X\r\n10.4 to control whether a job was kept alive or not. The default was true. Deprecated and replaced in 10.5 by\r\nKeepAlive . KeepAlive bool or\r\n  dictionary of stuff true :   unconditionally keep the job alive. implies RunAtLoad\r\nfalse : only demand will start the job.\r\nDefault : false\r\nDictionary of conditions to control if the job is kept alive (restarted). Multiple keys are ORed. If launchd finds no\r\nreason to restart the job, it falls back on demand based invocation.\r\nJobs that exit quickly and frequently when configured to be kept alive will be throttled to conserve system\r\nresources.\r\n\"Service only ran for 0 seconds. 
Pushing respawn out by 10 seconds.\"\r\nSuccessfulExit bool\r\ntrue :  job will be restarted if program exits with a status of zero.\r\n     i.e. job succeeded last time, run it again, if failed don't start it again\r\nfalse : job will be restarted … status not zero.\r\n     i.e. job failed; run it again maybe inputs or conditions have changed\r\nand it will work this time.\r\n      job was successful(finally(?)) don't start it again.\r\nImplies RunAtLoad since the job needs to run at least once to get\r\nan exit status.\r\nPathState dictionary of bool\r\nkeep alive if: keys are file-system paths.\r\ntrue:  job will be kept alive as long as the path exists.\r\nfalse: job will be kept alive if the path does NOT exist.\r\nUsed so jobs may create semaphores in the file-system.\r\nOtherJobEnabled dictionary of\r\nbools\r\nkeys are the label of another job.\r\ntrue:  job is kept alive as long as the other job is enabled.\r\nfalse: job is kept alive as long as the other job is disabled.\r\nNot to be used instead of IPC.\r\nCrashed\r\nJob will be restarted if exited due to sigILL , sigSEGV *…\r\n+CAUTION+\r\nNetworkState bool\r\ntrue:  will be kept alive as long as the network is up,\r\ni.e. at least one non-loopback interface being up and having IPv4 or\r\nIPv6 addresses .\r\nfalse: will be kept alive as long as the network is down.\r\nRunAtLoad bool job is launched once at the time the job is loaded. default false. RootDirectory string a\r\ndirectory to chroot(2) to before running WorkingDirectory string chdir(2) to before running .\r\nEnvironmentVariables\r\n dictionary of strings additional environmental variables set before running . UserEnvironmentVariables\r\n dictionary of strings additional environmental variables set before running . Umask decimalInteger hugh?\r\ned passed to umask(2) before running . TimeOut seconds idle time out. 
default will be supplied by launchd for\r\nuse by the job at check in time. (deprecated) ExitTimeOut seconds Time after sending sigTERM before sending\r\nsigKILL allowing for cleanup.\r\nDefault: 20 seconds, zero is (poorly) interpreted don't issue sigKILL . ThrottleInterval seconds minimum\r\nbefore respawn. Default: 10 seconds.\r\nProcesses that last less than seconds generate message:\r\nService only ran for n seconds. Pushing respawn out by n seconds. Notice: newsyslog,\r\nlocationmenu, These should have a smaller ThrottleInterval in their plist DGG\r\nThe principle behind this is that jobs should linger around in memory in case they are needed in the near future,\r\nreducing the latency of responses, encourages developers to amortize the cost of program invocation.\r\nInitGroups bool whether initgroups(3) should be called before running . Default: true . UserName must be\r\nset. WatchPaths array of strings start if any one of the listed paths are modified.\r\nmac os as of 11/20/20\r\n/System/Library/LaunchDaemon\r\n/Library/Extensions kernelmanagerd\r\n/AppleInternal/Library/Extensions kernelmanagerd\r\n/etc/postfix/aliases newaliases\r\n/Library/Preferences/com.apple.symptoms.plist symptomsd\r\n/etc/nfs.conf nfsconf\r\n/System/Library/LaunchAgents\r\n/Applications/ helpd\r\n/Applications/Utilities/ helpd\r\n/Library/Apple/Library/Bundles/TCC_Compatibility.bundle/Contents/Resources/AllowApplicationsList tccd\r\n/System/Library/Sandbox/TCC_Compatibility.bundle/Contents/Resources/AllowApplicationsList tccd\r\n/Library/Application Support/com.apple.TCC/MDMOverrides tccd\r\n/private/etc/com.apple.screensharing.agent.launchd screensharing.agent\r\n~/Library/Application Support/Steam/Steam.AppBundle/Steam ~/Library/LaunchAgents/valvesoftware.steamc\r\nQueueDirectories array of strings like WatchPaths watches for modifications, if the path is a directory and\r\nnot empty. StartOnMount bool start when a filesystem is mounted. 
StartInterval seconds start every\r\nseconds .\r\nIf the system was asleep, when the job should have run, it will be started once the next time the system wakes .\r\nStartCalendarInterval dictionary of integers or array of dictionary of integers The semantics are\r\nsimilar to crontab(5). If the system was asleep when the job should have run, it will be started once, the next\r\ntime the system wakes. \u003ckey\u003eMinute\u003c/key\u003e\u003cinteger\u003emm\u003c/integer\u003e … Hour hh Day dd Month mm Weekday w 0\r\nand 7 are Sunday. Missing arguments are wildcard (i.e. every).\r\nStandardInPath string StandardOutPath string StandardErrorPath string Example:\r\n\u003ckey\u003eStandardErrorPath\u003c/key\u003e\u003cstring\u003e/var/log/label.err\u003c/string\u003e Debug bool log mask temporarily set\r\nto LOG_DEBUG WaitForDebugger bool instructs kernel to have the job wait for a debugger to attach before job\r\nis started. SoftResourceLimits Resource limits.\r\nCPU seconds maximum cpu time\r\nFileSize bytes largest size file created.\r\nNumberOfFiles integer maximum number of open files .\r\nSetting this in a system wide daemon sets sysctl kern.maxfiles ( SoftResourceLimits ) or\r\nkern.maxfilesperproc (HardResourceLimits ) in addition.\r\nNumberOfProcesses integer maximum simultaneous processes for this user id. Setting in a system wide\r\ndaemon will set sysctl kern.maxproc (SoftResourceLimits) or kern.maxprocperuid\r\n(HardResourceLimits) in addition\r\nMemoryLock bytes maximum lock into memory using mlock (2)\r\nData bytes maximum size of the data segment, defines how far a program may extend its break with\r\nsbrk (2)\r\nResidentSetSize bytes maximum a process's resident set size may grow. 
This imposes a limit on the\r\namount of physical memory to be given to a process; if memory is tight, the system will prefer to take\r\nmemory from processes that are exceeding their declared resident set size.\r\nStack bytes maximum of stack segment ; this defines how far a program's stack segment may be\r\nextended. Stack extension is performed automatically by the system.\r\n \u003ckey\u003eSoftResourceLimits\u003c/key\u003e \u003cdict\u003e \u003ckey\u003eNumberOfFiles\u003c/key\u003e \u003cinteger\u003e58\u003c/integer\u003e \u003c/dict\u003e\r\nHardResourceLimits\r\n\u003cdict\u003e \u003ckey\u003e key … integer … ProcessType string Intended purpose of the job for applying resource\r\nlimits.\r\nDefault: light(sic) resource limits to the job, throttling its CPU usage and I/O bandwidth.\r\nStandard equivalent to no ProcessType being set.\r\nBackground does work not directly requested by the user. The resource limits applied are intended to\r\nprevent them from disrupting the user experience.\r\nAdaptive move between the Background and Interactive classifications based on activity over XPC\r\nconnections. See xpc_transaction_begin\r\nInteractive Critical to maintaining a responsive user experience, run with the same resource limitations\r\nas apps, i.e. none.\r\nUse if an app's ability to be responsive depends on it, and cannot be made Adaptive .\r\nLegacyTimers bool Default: timers created by launchd jobs are coalesced, batching the firing of timers with\r\nsimilar deadlines.\r\nIf true , timers will not be coalesced with others AbandonProcessGroup bool true: do NOT kill processes with\r\nthe same process group if this job dies.\r\nDefault: when a job dies, launchd kills any remaining processes with the same process group ID as the job. 
Nice integer Nice 10 LowPriorityIO bool\nLowPriorityIO  LaunchOnlyOnce bool Job can only be run once, i.e.\nthe job cannot be safely respawned without a reboot. MachServices dictionary of bools or a dictionary of\ndictionaries to be registered with the Mach bootstrap sub-system.\nKeys are the names of services to be advertised. The value must be .\nMachServices com.apple.libquitd com.apple.spinreporterd com.apple.spindump MachServiceLookupPolicies\nResetAtClose\nIf false , the port is recycled, thus leaving clients to remain oblivious to the demand nature of job.\nIf true , clients receive port death notifications when the job lets go of the receive right. Not all clients are\nable to handle this behavior.\nThe port will be recreated atomically with respect to bootstrap_look_up() calls, so that clients can trust that\nafter receiving a port death notification, the new port will have already been recreated.\ndefault: false .\nHideUntilCheckIn bool Reserve the name in the namespace, but cause bootstrap_look_up() to fail until\nthe job has checked in with launchd.\nFinally, for the job itself, the values will be replaced with Mach ports at the time of check-in with launchd.\nSockets dictionary of dictionaries... OR dictionary of array of dictionaries... demand sockets that\ncan be used to let launchd know when to run the job.\nThe job must check-in to get a copy of the file descriptors using APIs outlined in launch .\nThe keys of the top level Sockets dictionary can be anything, for the application developer to use to differentiate\nwhich descriptors correspond to which application level protocols (e.g. http vs. ftp vs. DNS...). 
At check-in time,\nthe value of each key will be an array of descriptors.\nDaemon/Agent writers should consider all descriptors of a given key to be effectively equivalent, even\nthough each file descriptor likely represents a different networking protocol which conforms to the criteria\nspecified in the job configuration file.\ninputs to call getaddrinfo :\nSockType string default stream other valid values: dgram and seqpacket .\nSockPassive bool whether listen(2) or connect(2) should be called on the created file descriptor.\nDefault: true (\"to listen\").\nSockNodeName string node to connect(2) or bind(2) to.\nSockServiceName string service on the node to connect(2) or bind(2) to.\nSockFamily string request that \"IPv4\" or \"IPv6\" socket(s) be created.\nSockProtocol string protocol to be passed to socket(2). TCP\r\nSockPathName string set to Unix , specifies the path to connect(2) or bind(2) to.\r\nSecureSocketWithKey string variant of SockPathName.\r\nInstead of binding to a known path, a securely generated socket is created and the path is assigned to the\r\nenvironment variable that is inherited by all jobs spawned by launchd.\r\nSockPathMode DECIMALinteger mode of the socket.\r\nBonjour bool or string or array of strings request the service be registered with\r\nmDNSResponder(8).\r\nIf the value is bool, the service name is inferred from SockServiceName .\r\nMulticastGroup string request that the datagram socket join a multicast group.\r\nIf hostname, getaddrinfo(3) will be used to join the correct multicast address for a given socket family.\r\nIf an explicit IPv4 or IPv6 address is given, SockFamily family must be set\r\nSource: https://www.real-world-systems.com/docs/launchdPlist.1.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.real-world-systems.com/docs/launchdPlist.1.html"
	],
	"report_names": [
		"launchdPlist.1.html"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439020,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d3b53d2877c376bfb52abf461583f1e784c0faf9.pdf",
		"text": "https://archive.orkl.eu/d3b53d2877c376bfb52abf461583f1e784c0faf9.txt",
		"img": "https://archive.orkl.eu/d3b53d2877c376bfb52abf461583f1e784c0faf9.jpg"
	}
}