Autoruns is a useful Sysinternals utility for Windows computers to quickly check all of the places a program can hook into Windows to launch automatically. This is useful for troubleshooting annoying behaviors of applications or malware infections. A similar application for Mac OS X is called KnockKnock.
KnockKnock (UI) is a native Objective-C, portable application that you can run by just double-clicking the application. Once launched, you just click the Start Scan button at the top to scan for persistently installed software in these locations:
- Authorization Plugins
- Browser Extensions
- Kernel Extensions
- Launch Items
- Library Inserts
- Login Items
- Spotlight Importers
While the scan progresses, you may receive a prompt for credentials to elevate access to scan certain areas.
Once the scan completes, you can manually browse each of the areas to understand what is installed and hooked into your computer. A summary is also presented with how many items were found. Apple-signed binaries are filtered out but other third-party software is included, as you can see from my screenshot above. Each row also uses a padlock icon to indicate whether a binary is signed and provides the full path to where the file resides.
The latest version integrates VirusTotal, a service that scans files against more than 50 antivirus engines. It will tell you if any of the detected applications are flagged by VirusTotal to help detect malware. You can disable the VirusTotal integration under Preferences.
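To make the Launch Items category concrete, here is an added Python example (not KnockKnock's own code) that lists launchd jobs from the standard LaunchAgents and LaunchDaemons directories and shows which executable each one starts. It covers only that one category and does no signature or VirusTotal checks; the function names and the `com.example` sample jobs are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Standard per-machine and per-user launchd directories on macOS.
LAUNCH_DIRS = [Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons"),
               Path.home() / "Library/LaunchAgents"]

def launch_item(plist_path):
    """Return (label, executable, run_at_load) for one launchd plist, or None if unreadable."""
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)  # handles both XML and binary plists
    except (OSError, ValueError, ExpatError):
        return None
    if not isinstance(job, dict):
        return None
    # launchd executes Program if set, otherwise the first ProgramArguments entry.
    args = job.get("ProgramArguments") or []
    exe = job.get("Program") or (args[0] if args else None)
    return job.get("Label"), exe, bool(job.get("RunAtLoad", False))

def scan(dirs=LAUNCH_DIRS):
    """List (plist path, label, executable, run_at_load) for every readable launch item."""
    found = []
    for d in filter(Path.is_dir, map(Path, dirs)):
        for p in sorted(d.glob("*.plist")):
            item = launch_item(p)
            if item is not None:
                found.append((str(p), *item))
    return found

def demo():
    """Scan a temporary directory holding constructed sample plists."""
    samples = {  # constructed sample jobs, not real software
        "com.example.updater.plist": {
            "Label": "com.example.updater", "RunAtLoad": True,
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--quiet"]},
        "com.example.helper.plist": {
            "Label": "com.example.helper",
            "Program": "/Library/PrivilegedHelperTools/com.example.helper"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, job in samples.items():
            Path(tmp, name).write_bytes(plistlib.dumps(job))
        Path(tmp, "broken.plist").write_bytes(b"not a plist")  # unreadable, skipped
        return scan([tmp])

if __name__ == "__main__":
    print(*(scan() or demo()), sep="\n")  # real items on macOS, samples elsewhere
```

Each reported executable path can then be reviewed by hand in the same way as the rows in the KnockKnock results.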
You can download the free application KnockKnock (UI) from objective-see.com.