Latest commit

workspace now contains:
a library
a tool (that builds/links against library)

Library exposes two APIs:

//dump to stdout
NSInteger dump(NSURL* path);

//parse into a dictionary
NSDictionary* parse(NSURL* path);


tl;dr: an open-source version of % sfltool dumpbtm

% ./dumpBTM 
Dumps (unserializes) BackgroundItems-v*.btm

Opened /private/var/db/

 Records for UID 501 : 1CAA5D2B-A526-49E2-9A6F-58CACBDF0AFB

  UUID:              68D88F8B-A750-4A4D-AD31-520E2436FE9F
  Name:              LuLu
  Developer Name:    (null)
  Team Identifier:   VBG97UB4TA
  Type:              app  (0x2)
  Disposition:       [enabled allowed visible notified] (11)
  Indentifier:       anchor apple generic and identifier "" and (certificate leaf[field.1.2.840.113635.] /* exists */ or certificate 1[field.1.2.840.113635.] /* exists */ and certificate leaf[field.1.2.840.113635.] /* exists */ and certificate leaf[subject.OU] = VBG97UB4TA)
  URL:               file:///Applications/
  Executable Path:   (null)
  Generation:        2
  Parent Identifier: (null)
  UUID:              17A60CB8-537A-44D1-A6F8-2EBD22439076
  Name:              AGSService
  Developer Name:    Adobe Creative Cloud
  Team Identifier:   JQ525L2MZD
  Type:              curated legacy daemon  (0x90010)
  Disposition:       [enabled allowed visible notified] (11)
  Indentifier:       Adobe_Genuine_Software_Integrity_Service
  URL:               file:///Library/LaunchDaemons/com.adobe.agsservice.plist
  Executable Path:   /Library/Application Support/Adobe/AdobeGCClient/AGSService
  Generation:        1
  Assoc. Bundle IDs: [com.adobe.acc.AdobeCreativeCloud]
  Parent Identifier: Adobe Creative Cloud

Note: If you're running the pre-built binary, it is signed but not notarized (Apple doesn't support notarized command-line tools). So after making it executable, remove the quarantine attribute to make it runnable (via Terminal).

% chmod +x dumpBTM
% xattr -rc dumpBTM

Also, make sure you give Terminal "Full Disk Access" (a requirement to read the BackgroundItems-v4.btm file).

In macOS Ventura (13), Apple consolidated persistent items (login items, launch agents/daemons) in a new file, BackgroundItems-v*.btm, found in /private/var/db/. On macOS 13.0 this file is named BackgroundItems-v*.btm, whereas on macOS 13.1 it's BackgroundItems-v7.btm.

This file is a serialized binary property list. You can dump it via Apple's sfltool, specifying the dumpbtm command line flag.

DumpBTM is an open-source version of this, which has the following benefits:

  • Open-source
  • Programmatic access to enumerate (persistent) items in the file

The latter point is the most notable, as it allows you to add such logic into security/EDR tools. Specifically, you can now easily and programmatically enumerate all (ok, most) persistent items on a macOS Ventura system (which will include any persistently installed malware).

You can also then monitor this file for changes to detect new persistence events (as now you can parse/unserialize its contents via this project's code).

Note: Such monitoring was supposed to be accomplished via the Endpoint Security ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD event ...but this event is broken (See: "Endpoint Security Event: ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD is ...broken?" 😓).
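The snapshot-and-compare monitoring described above, as an added example (not code from the DumpBTM project): it parses text in the layout the tool prints and reports items that appear only in a later snapshot. Both snapshots are constructed sample data, and identifying an item by UID, URL and executable path is an assumption of this sketch.

```python
import re

# Constructed snapshots in the text layout shown above (all values are made up).
BASELINE = """\
 Records for UID 501 : 00000000-0000-0000-0000-000000000001
  UUID:              00000000-0000-0000-0000-00000000000A
  Name:              ExampleApp
  Team Identifier:   EXAMPLE123
  URL:               file:///Applications/ExampleApp.app/
  Executable Path:   (null)
"""
LATER = BASELINE + """\
  UUID:              00000000-0000-0000-0000-00000000000B
  Name:              com.example.helper
  Team Identifier:   (null)
  URL:               file:///Library/LaunchDaemons/com.example.helper.plist
  Executable Path:   /Library/Application Support/Example/helper
"""

FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z. ]*?):\s*(.*)$")   # "  Key:   value"
UID_HEADER = re.compile(r"^\s*Records for UID (\d+)\s*:")

def parse_dump(text):
    """Parse dumpBTM-style text into one dict per item, tagged with its UID."""
    records, current, uid = [], None, None
    for line in text.splitlines():
        header, field = UID_HEADER.match(line), FIELD.match(line)
        if header:                      # start of a new user's record list
            uid, current = int(header.group(1)), None
        elif field:
            key, value = field.group(1), field.group(2).strip()
            if key == "UUID":           # each item starts with its UUID line
                current = {"UID": uid}
                records.append(current)
            if current is not None:
                current[key] = None if value == "(null)" else value
    return records

def item_key(rec):
    # Assumption: UID + URL + executable path identify an item across snapshots.
    return (rec["UID"], rec.get("URL"), rec.get("Executable Path"))

def new_items(before, after):
    """Return items in `after` whose key does not appear in `before`."""
    known = {item_key(r) for r in parse_dump(before)}
    return [r for r in parse_dump(after) if item_key(r) not in known]

if __name__ == "__main__":
    print(new_items(BASELINE, LATER))
```
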

