Mac OS X: What Are All Those Processes?

Mac OS X: What Are All Those Processes?

A short list of background processes and daemons

By Gordon Davisson

Copyright (c) 2005, Westwind Computing inc.

Mac OS X (like any unixish OS) always has a number of things going on in the background -- processes that take care of business behind the scenes. Normally, you won't even notice them, unless you use something like Activity Monitor (ProcessViewer under 10.2 or before) or the ps or top commands to look at the process list. If you do notice them, you may wonder what on earth they're all there for. This list is here to answer that question.

Note: this list is far from complete. If you see processes on your Mac that aren't on this list, it doesn't mean there's something wrong or that you've been hacked; just that I'm not as dilligent as I could be in maintaining the list.

System Processes (mostly owned by root):

Process Its function
AppleFileServer The personal file sharing (AFP over IP) server. It should only be present if file sharing is enabled (in the System Preferences' Sharing pane).
autodiskmount Responsible for mounting removable disks and media.
automount Automatically mounts and unmounts network (NFS and AFP) file systems as they are accessed / left idle.
configd Maintains dynamic configuration information about the computer and its environment (mainly the network). Use scutil to interact with configd.
coreservicesd ??support for CFM applications??. ####
CrashReporter Logs information about program crashes. It can be configured (via editing /etc/hostconfig in OS X 10.0, and the Console utility's preferences on OS X 10.1) to log crashes in ~/Library/Logs.
cron Runs various scheduled programs and scripts, mostly to perform perodic maintenance on the computer. Note: in Mac OS X, this is set to run system maintenance late at night; if the computer is turned off every night, the maintenance may never get done. Either leave the computer on overnight occasionally, or use something like Brian R. Hill's program MacJanitor or Cocktail to perform maintenance manually. In Mac OS X 10.4 it was mostly replaced by launchd, but is kept around for compatibility.
DirectoryService This process acts as a central clearinghouse for "Directory" information -- mainly users/groups/authentication, and service location (e.g. file servers, printers, etc). It gathers information from a variety of plugins (NetInfo, LDAP, Active Directory, NIS, Bonjour/Rendesvous/, AppleTalk, SMB) and hands it out to whatever program requested it.
DesktopDB Keeps track of information on currently known applications and their document types. Used by the Finder to associate documents with the appropriate application.
distnoted Provides distributed notifications services.
dynamic_pager Assists the kernel with managing swap files for virtual memory.
ftpd Handles incoming FTP (File Transfer Protocol) connections. This process is created dynamically by xinetd (or inetd in earlier versions of OS X), so it should only appear when someone is actually connected to your computer.
httpd This is Apache, the web server that ships with OS X. It should only be present if web sharing is enabled (in the System Preferences' Sharing pane). It is normal for there to be several of these running, one owned by root, the rest by www.
init (10.0-10.3 only)
The master of the computer from the BSD/unix point of view. This is responsible for creating (via the /etc/rc* scripts and StartupItems) and looking after many of the other background processes. In Mac OS X 10.4 it was replaced by launchd.
inetd (10.0-10.3 only)
Responsible for starting and looking after some internet services (mainly FTP and telnet) provided by this computer. As of version 10.2 this was functionally replaced by xinetd (which was then replaced by launchd), but was kept around through Mac OS X 10.3 for compatibility.
ipconfigd (10.0-10.1.1 only)
Automatically configures the network. Now merged into configd (since OS X 10.1.2, if I'm reading right).
KernelEventAgent Handles notifications about file system status (e.g. "A server you are using is no longer available. Do you want to continue trying to contact it?" and "Your startup disk is almost full. You need to make more space available on your startup disk by deleting files.")
kextd Responsible for loading and unloading kernel extensions (e.g. device drivers) as they are needed.
launchd (v10.4 and later)
This process replaces init and mach_init, and takes over most of the functions of cron and xinetd.
lookupd Handles looking up information from network information services such as NetInfo and DNS, and acts as a bridge to allow unix/BSD/posix programs to get information from DirectoryService.
mach_init (10.0-10.3 only)
The Mach kernel's bootstrap port server. This is the first process created during bootup, and creates the BSD init process (which then creates everything else). In Mac OS X 10.3, it's also used to create several daemons that used to be created via StartupItems. In Mac OS X 10.4, it's replaced by launchd.
mDNSResponder The multicast DNS (a component of Bonjour/Rendezvous) responder; this advertises network services (such as AFP file sharing) provided by this computer, as well as the computer's self-chosen ".local" name.
Note: this runs under the pseudo-user "nobody" (presumably for security reasons).
mdimportserver (10.4 only)
The metadata import server -- handles importing (i.e. scanning) metadata from new/changed files into Searchlight's metadata database.
BTW, this process appears to be created by launchd, but I don't see any mention of it anywhere in launchd's various config files.
mds (10.4 only)
The metadata (i.e. indexed file content) server. Searchlight central.
netinfod Serves out NetInfo data. There will be one of these processes for each NetInfo domain served from the computer (normally just one, for the local domain). ProcessViewer/Activity Monitor won't tell you which daemon process serves which NetInfo domain, but the ps command will.
nfsiod Services asynchronous requests to an NFS server. It is normal for there to be several of these.
nibindd Finds, creates, and destroys NetInfo servers (i.e. netinfod). This process will only exist if you have something beyond the standard local NetInfo domain set up.
notifyd Passes event notifications between processes.
ntpd Synchronizes the Mac's clock with network time servers.
pitond The Retrospect backup client (only present if you've installed Retrospect Client).
pmTool This is actually a user process that happens to run as root. Activity Monitor uses it to collect information on running processes.
portmap Dynamically assigns RPC (network Remote Procedure Call) services (such as NetInfo and NFS) to TCP/UDP ports.
slpd The Service Location Protocol (SLP) responder; this advertises network services (such as AFP file sharing) provided by this computer. SLP has been functionally replaced by Bonjour/Rendezvous, but is kept active for compatibility with older computers on the network.
slpdLoad This process frequently shows up as a Zombie in ProcessViewer's listing (with semirandom owner, parent, and statistics) under early versions of OS X. Don't worry, it's harmless, just a little confused.
(More technically: a zombie process is one that has finished (i.e. died), but whose parent process has not received notification of its death. In order to keep process information around until the parent process is notified, the zombie's entry is left in the process table even though the process itself is gone. A bit morbid, perhaps, but since it doesn't consume resources, it's not really a problem.)
sshd The secure shell server -- listens for and handles incoming SSH (encrypted remote login) connections. It was added in version 10.0.1 and should only be present if "Allow remote login" is enabled (in the System Preferences' Sharing pane).
Note: In 10.3, sshd no longer runs continuously to listen for incoming ssh connections. Instead, xinetd (v10.3) or launchd (v10.4) does the listening, and only starts sshd when it's actually needed.
syslogd Logs and/or dispatches system status and error messages.
telnetd Handles incoming telnet (remote login) connections. It's enabled by the "Allow remote login" option in the System Preferences' Sharing pane of Mac OS X 10.0; in later versions it's disbled, and SSH is used instead (although telnetd can be reenabled manually by editing the /etc/inetd.conf file). This process is created dynamically by inetd, so it should only appear when someone is actually telnetted into your computer.
update Responsible for keeping disks synchronized with the file system cache, to keep data loss to a minimum in case of a crash.
xinetd Responsible for starting and looking after some internet services (mainly ssh, FTP and telnet) provided by this computer. This is essentially an extended version of inetd. In Mac OS X 10.4 it was mostly replaced by launchd, but is kept around for compatibility.
crashreporterd ???
cupsd ???
SecurityServer ???
Other servers...

User processes (generally owned by the current user):

Process Its function
ATSServer The Apple Type Solution Server; responsible for managing the available fonts and making them available to applications.
Dock Maintains and displays the Dock.
DocklingServer Keeps docklings' status and displays up to date.
Finder The Finder.
hdid Handles mounted disk image (.img and .dmg) files.
LaunchCFMApp Applications in the old-style Macintosh format (Code Fragment Manager format, aka CFM, aka PEF) will show up in Process Viewer under this name. LaunchCFMApp is actually a wrapper program provided for compatibility with this old application format; Process Viewer just can't see through the wrapper to the actual application inside.
(Note: the distinction between the old (CFM) and new (mach-o) formats is not the same as the distinction betweem the old (Carbon) and new (Cocoa) application environments. Many of the Carbon apps you're likely to run into on OS X are in mach-o format.)
loginwindow This is only partly a user process -- it starts before anyone logs into the computer, and is responsible for displaying the login screen (or not, if autologin is set), validating login attempts, and setting up the user environment (launching the Finder, Dock, any login apps, etc) at login. It also acts as a process monitor for user processes, restarts the Finder or Dock if they crash, and implements the Force Quit Applications window. Finally, it handles the logout, restart, and shutdown procedures.
pbs The pasteboard server; analogous to the clipboard under Mac OS 9.
pmTool a background process that Activity Monitor uses to collect information on running processes.
Note that this process runs as root (despite being part of a user-level program).
SecurityAgent ?????
SystemUIServer (OS X 10.1 and later)
Maintains the Menu Items in the right end of the menu bar.
TruBlueEnvironment
or "(null)"
The Classic (OS 9 compatibility) environment. This single process includes OS 9 and all running classic applications. The name derives from an early Apple code-name for the Classic environment: "the Blue Box".
For some reason, Activity Monitor (under Mac OS X v10.3) has trouble reading this process's name, and tends to display it as "(null)".
WindowServer (aka Window Manager) Responsible for managing the computer's display and mediating between the various Applications and other processes that want to display information on it. It also does the grunt work of launching new user applications, so most user processes are actually its children in the process hierarchy.

Server processes (only -- or at least mostly -- present under OS X Server):

Process Its function
hwmond Monitors hardware status (Xserve only).
Note: if an Xserve doesn't respond to Server Monitor, it's often because hwmond isn't running. Adding it to /etc/watchdog.conf may be all that's needed.
MacintoshManagem The Macintosh Manager server.
MailService The Apple Mail server (replaced by postfix in v10.3).
named The DNS server (aka BIND).
nmbd The Windows Name server; part of Samba.
perl The perl script interpreter. Why, you might ask, is this listed as a server process? Because the QuickTime Streaming server admin agent is acually a perl script, so it shows up as "perl" in the process listing. Process Viewer doesn't give you any real indication what perl is doing, but if you go to the command line and do "ps -ax", it'll show the process' command as "perl /usr/local/sbin/streamingadminserver.pl".
PrintServer ???.
PrintServiceMoni ???.
QuickTimeStreami The QuickTime Streaming server. It's normal for there to be several of these.
sambadmind Administration daemon that starts and configures Windows services (i.e. smbd and nmbd).
Note that if Windows services are activated under Mac OS X non-Server (we're not supposed to call it "Mac OS X Client"), this process doesn't exist -- it's only there to let serveradmind manage Samba.
serveradmind The master server administration daemon. The Server Admin application acts as a front end to let you talk to serveradmind.
smbd The Windows File server; part of Samba.
watchdog Watchdog keeps track of some other server processes, and restarts them if they crash (see /etc/watchdog.conf). If the Restart on system freeze feature is turned on, this is also responsible for reassuring the PMU that the system hasn't frozen (yet).
webperfcache These processes manage the web server's cache.

See also Amit Singh's list of Mac OS X hacking tools. Also, his info on the boot process is cool. This is also relevant, as is this.