Login Items & Background Task Management

Location

Description

macOS login items registered through the BackgroundTaskManagement framework (macOS 13+) or the legacy LSSharedFileList mechanism. These items launch automatically when a user logs in and include applications, helper tools, and scripts. The backgrounditems.btm database tracks all registered background tasks and login items in a single location.

Forensic Value

Login Items provide user-level persistence that survives reboots and executes in the user session context. The backgrounditems.btm file on macOS Ventura and later consolidates all login items and background tasks into a single parseable database, simplifying forensic review. Legacy login items stored in LSSharedFileList plists may contain entries not visible through the modern System Settings interface. Comparing registered login items against expected software identifies attacker-installed persistence. The Items tab in System Settings > General > Login Items displays current entries but may not show all historical registrations visible in the raw data.

Tools Required

Collection Commands

sfltool dumpbtm > /forensics/backgrounditems_btm_dump.txt

plutil -p ~/Library/Application\ Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm > /forensics/btm_parsed.txt

cp ~/Library/Application\ Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm /forensics/backgrounditems.btm

find ~/Library/Application\ Support/com.apple.sharedfilelist -name "*.sfl2" -exec plutil -p {} \; > /forensics/login_items_sfl2.txt

Collection Constraints

• •Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.

MITRE ATT&CK Techniques

References