By Gordon Davisson
Copyright (c) 2005, Westwind Computing inc.
Mac OS X (like any unixish OS) always has a number of things going on in the background -- processes that take care of business behind the scenes. Normally, you won't even notice them, unless you use something like Activity Monitor (ProcessViewer under 10.2 or before) or the ps or top commands to look at the process list. If you do notice them, you may wonder what on earth they're all there for. This list is here to answer that question.
Note: this list is far from complete. If you see processes on your Mac that
aren't on this list, it doesn't mean there's something wrong or that you've been
hacked; just that I'm not as diligent as I could be in maintaining the list.
See also Amit Singh's list of
Mac OS X hacking tools. Also, his
info on the boot process is cool.
System Processes (mostly owned by root):
Process
Its function
AppleFileServer
The personal file sharing (AFP over IP) server. It should only be present
if file sharing is enabled (in the System Preferences' Sharing pane).
autodiskmount
Responsible for mounting removable disks and media.
automount
Automatically mounts and unmounts network (NFS and AFP) file systems as they
are accessed / left idle.
configd
Maintains dynamic configuration information about the computer and its environment
(mainly the network).
coreservicesd
??support for CFM applications??. ####
CrashReporter
Logs information about program crashes. It can be configured (via editing
/etc/hostconfig in OS X 10.0, and the Console utility's preferences on OS X 10.1)
to log crashes in ~/Library/Logs.
cron
Runs various scheduled programs and scripts, mostly to perform periodic
maintenance on the computer. Note: in Mac OS X, this is set to run
system maintenance late at night; if the computer is turned off every
night, the maintenance may never get done. Either leave the computer
on overnight occasionally, or use something like Brian R. Hill's program
MacJanitor.
DirectoryService
This process acts as a central clearinghouse for "Directory" information --
mainly users/groups/authentication, and service location (e.g. file servers,
printers, etc). It gathers information from a variety of plugins (NetInfo,
LDAP, Active Directory, NIS, Bonjour/Rendezvous, AppleTalk, SMB) and hands
it out to whatever program requested it.
DesktopDB
Keeps track of information on currently known applications and their document types.
Used by the Finder to associate documents with the appropriate application.
distnoted
Provides distributed notifications services.
dynamic_pager
Assists the kernel with managing swap files for virtual memory.
ftpd
Handles incoming FTP (File Transfer Protocol) connections. This
process is created dynamically by xinetd (or
inetd in earlier versions of OS X), so it should
only appear when someone is actually connected to your computer.
httpd
This is Apache, the web server that ships with OS X. It should only be present
if web sharing is enabled (in the System Preferences' Sharing pane). It is
normal for there to be several of these running, one owned by root, the rest
by www.
init
(10.0-10.3 only)
The master of the computer from the BSD/unix point of view. This is responsible
for creating (via the /etc/rc* scripts and StartupItems) and looking after many
of the other background processes. In Mac OS X 10.4 it was replaced by
launchd.
inetd
(10.0-10.3 only)
Responsible for starting and looking after some internet services (mainly FTP
and telnet) provided by this computer. As of version 10.2 this was functionally
replaced by xinetd (which was then replaced by
launchd), but was kept around through Mac OS X 10.3 for
compatibility.
ipconfigd
(10.0-10.1.1 only)
Automatically configures the network. Now merged into configd
(since OS X 10.1.2, if I'm reading
right).
KernelEventAgent
Handles notifications about file system status (e.g. "A server you
are using is no longer available. Do you want to continue trying
to contact it?" and "Your startup disk is almost full. You need to
make more space available on your startup disk by deleting files.")
kextd
Responsible for loading and unloading kernel extensions (e.g. device drivers)
as they are needed.
launchd
(v10.4 and later)
This process replaces init and
mach_init, and takes over most of the functions of
cron and xinetd.
lookupd
Handles looking up information from network information services such as
NetInfo and DNS, and acts as a bridge to allow unix/BSD/posix programs to
get information from DirectoryService.
mach_init
(10.0-10.3 only)
The Mach kernel's bootstrap port server. This is the first process created
during bootup, and creates the BSD init process (which then creates everything
else). In Mac OS X 10.3, it's also used to create several daemons that
used to be created via StartupItems. In Mac OS X 10.4, it's replaced by
launchd.
mDNSResponder
The multicast DNS (a component of
Bonjour/Rendezvous)
responder; this advertises network services (such as AFP file sharing)
provided by this computer, as well as the computer's self-chosen ".local"
name.
Note: this runs under the pseudo-user "nobody" (presumably for security
reasons).
mdimportserver
(10.4 only)
The metadata import server -- handles importing (i.e. scanning) metadata
from new/changed files into Searchlight's metadata database.
BTW, this process appears to be created by launchd,
but I don't see any mention of it anywhere in launchd's various config
files.
mds
(10.4 only)
The metadata (i.e. indexed file content) server. Searchlight central.
netinfod
Serves out NetInfo data. There will be one of these processes for each NetInfo
domain served from the computer (normally just one, for the local domain).
ProcessViewer/Activity Monitor won't tell you which daemon process serves which
NetInfo domain, but the ps command will.
nfsiod
Services asynchronous requests to an NFS server. It is normal for
there to be several of these.
nibindd
Finds, creates, and destroys NetInfo servers (i.e.
netinfod). This process will only exist
if you have something beyond the standard local NetInfo domain set
up.
notifyd
Passes event notifications between processes.
ntpd
Synchronizes the Mac's clock with network time servers.
pitond
The Retrospect backup client (only present if you've installed
Retrospect Client).
pmTool
This is actually a user process that happens
to run as root. Activity Monitor uses it to collect information
on running processes.
portmap
Dynamically assigns RPC (network Remote Procedure Call) services
(such as NetInfo and NFS) to TCP/UDP ports.
slpd
The Service Location Protocol (SLP) responder; this advertises
network services (such as AFP file sharing) provided by this
computer. SLP has been functionally replaced by
Bonjour/Rendezvous,
but is kept active for compatibility with older computers on the
network.
slpdLoad
This process frequently shows up as a Zombie in ProcessViewer's
listing (with semirandom owner, parent, and statistics) under
early versions of OS X. Don't worry, it's harmless, just a
little confused.
(More technically: a zombie process is one that has finished (i.e.
died), but whose parent process has not received notification of
its death. In order to keep process information around until the
parent process is notified, the zombie's entry is left in the
process table even though the process itself is gone. A bit
morbid, perhaps, but since it doesn't consume resources, it's not
really a problem.)
sshd
The secure shell server -- listens for and handles incoming SSH (encrypted
remote login) connections. It was added in version 10.0.1 and should only be
present if "Allow remote login" is enabled (in the System Preferences' Sharing
pane).
Note: In 10.3, sshd no longer runs continuously to listen for incoming ssh
connections. Instead, xinetd (v10.3) or
launchd (v10.4) does the listening, and only starts
sshd when it's actually needed.
syslogd
Logs and/or dispatches system status and error messages.
telnetd
Handles incoming telnet (remote login) connections. It's enabled by the
"Allow remote login" option in the System Preferences' Sharing pane of Mac OS X
10.0; in later versions it's disabled, and SSH is used instead (although telnetd
can be reenabled manually by editing the /etc/inetd.conf file). This process is
created dynamically by inetd, so it should only appear when someone is actually
telnetted into your computer.
update
Responsible for keeping disks synchronized with the file system cache, to keep
data loss to a minimum in case of a crash.
xinetd
Responsible for starting and looking after some internet services (mainly
ssh, FTP and telnet) provided by this computer. This is essentially an
extended version of inetd. In Mac OS X 10.4 it was
mostly replaced by launchd, but is kept around for
compatibility.
crashreporterd
???
cupsd
???
SecurityServer
???
Other servers...
User processes (generally owned by the current user):
Process
Its function
ATSServer
The Apple Type Solution Server; responsible for managing the available fonts and
making them available to applications.
Dock
Maintains and displays the Dock.
DocklingServer
Keeps docklings' status and displays up to date.
Finder
The Finder.
hdid
Handles mounted disk image (.img and .dmg) files.
LaunchCFMApp
Applications in the old-style Macintosh format (Code Fragment Manager format,
aka CFM, aka PEF) will show up in Process Viewer under this name. LaunchCFMApp
is actually a wrapper program provided for compatibility with this old
application format; Process Viewer just can't see through the wrapper to the
actual application inside.
(Note: the distinction between the old (CFM) and new (mach-o) formats is not the
same as the distinction between the old (Carbon) and new (Cocoa) application
environments. Many of the Carbon apps you're likely to run into on OS X are
in mach-o format.)
loginwindow
This is only partly a user process -- it starts before anyone logs into the computer,
and is responsible for displaying the login screen (or not, if autologin is set),
validating login attempts, and setting up the user environment (launching the
Finder, Dock, any login apps, etc) at login. It also acts as a process monitor
for user processes, restarts the Finder or Dock if they crash, and implements
the Force Quit Applications window. Finally, it handles the logout, restart, and
shutdown procedures.
pbs
The pasteboard server; analogous to the clipboard under Mac OS 9.
pmTool
A background process that Activity Monitor uses to collect information
on running processes.
Note that this process runs as root (despite being part of a user-level
program).
SecurityAgent
?????
SystemUIServer
(OS X 10.1 and later)
Maintains the Menu Items in the right end of the menu bar.
TruBlueEnvironment or "(null)"
The Classic (OS 9 compatibility) environment. This single process includes
OS 9 and all running classic applications. The name derives from an early
Apple code-name for the Classic environment: "the Blue Box".
For some reason, Activity Monitor (under Mac OS X v10.3) has trouble reading
this process's name, and tends to display it as "(null)".
WindowServer (aka Window Manager)
Responsible for managing the computer's display and mediating between the
various Applications and other processes that want to display information
on it. It also does the grunt work of launching new user applications, so
most user processes are actually its children in the process hierarchy.
Server processes (only -- or at least mostly -- present under OS X Server):
Process
Its function
hwmond
Monitors hardware status (Xserve only).
Note: if an Xserve doesn't respond to Server Monitor, it's often because
hwmond isn't running. Adding it to /etc/watchdog.conf may be all that's needed.
MacintoshManagem
The Macintosh Manager server.
MailService
The Apple Mail server (replaced by postfix in v10.3).
named
The DNS server (aka BIND).
nmbd
The Windows Name server; part of Samba.
perl
The perl script interpreter. Why, you might ask, is this listed as a server
process? Because the QuickTime Streaming server admin agent is actually a perl
script, so it shows up as "perl" in the process listing. Process Viewer doesn't
give you any real indication what perl is doing, but if you go to the command
line and do "ps -ax", it'll show the process' command as
"perl /usr/local/sbin/streamingadminserver.pl".
PrintServer
???.
PrintServiceMoni
???.
QuickTimeStreami
The QuickTime Streaming server. It's normal for there to be several of these.
sambadmind
Administration daemon that starts and configures Windows services (i.e.
smbd and nmbd).
Note that if Windows services are activated under Mac OS X non-Server
(we're not supposed to call it "Mac OS X Client"), this process doesn't
exist -- it's only there to let serveradmind
manage Samba.
serveradmind
The master server administration daemon. The Server Admin application acts
as a front end to let you talk to serveradmind.
smbd
The Windows File server; part of Samba.
watchdog
Watchdog keeps track of some other server processes, and restarts them if
they crash (see /etc/watchdog.conf). If the Restart on system freeze
feature is turned on, this is also responsible for reassuring the PMU that
the system hasn't frozen (yet).
webperfcache
These processes manage the web server's cache.
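
The notes above say when certain daemons should be present (only with a Sharing option enabled, or only while someone is connected), what a zombie entry is, and why a bare "perl" entry hides what is actually running. As an added example (not part of the original list), the shell function below reads a process listing and reports exactly those cases; the column layout is an assumption (as produced by something like `ps -axo user,pid,stat,command`), and the sample listing is constructed.

```sh
#!/bin/sh
# Added example: classify ps output using the notes in the process list.
# Assumed input columns: USER PID STAT COMMAND [ARGS...]

classify_ps() {
    awk '
    NR == 1 && $2 == "PID" { next }            # skip the header row
    {
        user = $1; pid = $2; stat = $3
        n = split($4, parts, "/"); name = parts[n]   # basename of the executable
        gsub(/[()]/, "", name)                       # exited processes show as (name)
        # Zombie: already finished, entry kept until the parent is notified.
        if (stat ~ /^Z/) { print "ZOMBIE " pid " " name; next }
        # Daemons that should only exist when a Sharing option is enabled.
        if (name == "AppleFileServer") print "SHARING file-sharing " pid " " user
        else if (name == "httpd")      print "SHARING web-sharing " pid " " user
        else if (name == "sshd")       print "SHARING remote-login " pid " " user
        # Created on demand: present only while someone is connected.
        else if (name == "ftpd" || name == "telnetd")
            print "SESSION " name " " pid " " user
        # An interpreter hides the real job; report the script it is running.
        else if (name == "perl" && NF >= 5) print "SCRIPT " pid " " $5
    }'
}

# Constructed sample listing (not captured from a real machine).
sample_ps() {
cat <<'EOF'
USER   PID STAT COMMAND
root     1 Ss   /sbin/launchd
root   212 Ss   /usr/sbin/AppleFileServer
root   305 Ss   /usr/sbin/httpd
www    306 S    /usr/sbin/httpd
root   410 Z    (slpdLoad)
root   522 Ss   perl /usr/local/sbin/streamingadminserver.pl
root   640 Ss   ftpd
EOF
}

sample_ps | classify_ps
```

A SHARING or SESSION line is only a prompt to compare against the Sharing pane settings and current connections; as noted at the top of the list, an unfamiliar entry is not by itself a sign of compromise.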