Today I Learned

How to Identify Non-Apple Kernel Extensions on Your Mac with kextstat

Kernel extensions are modules that can extend the capabilities of the macOS kernel, the core part of the operating system. While many extensions are provided by Apple, third-party applications and drivers can also install these to provide additional functionality.

Learning which non-Apple kernel extensions you have can help you understand more about the background processes at work on your Mac, especially when troubleshooting performance issues or potential security concerns. Here’s a quick guide on how to list all non-Apple kernel extensions using a simple Terminal command.

First, open the Terminal application on your Mac. You can find it in the Utilities folder within your Applications folder, or you can search for it using Spotlight.

Once Terminal is open, type the following command:

kextstat | grep -v com.apple
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
  165    3 0xffffff7f83aa4000 0xf0000    0xf0000    org.virtualbox.kext.VBoxDrv (6.0.14) 53BAF3B2-AB27-321B-9DF8-7A1395C58923 <8 6 5 3 1>
  168    0 0xffffff7f83baf000 0x8000     0x8000     org.virtualbox.kext.VBoxUSB (6.0.14) CE24428E-4F6D-3690-89CC-1575AA093D8D <167 165 59 8 6 5 3 1>
  173    0 0xffffff7f83bd6000 0x5000     0x5000     org.virtualbox.kext.VBoxNetFlt (6.0.14) 895E2094-4B8F-349F-8951-BF361447E6C5 <165 8 6 5 3 1>
  174    0 0xffffff7f83bdb000 0x6000     0x6000     org.virtualbox.kext.VBoxNetAdp (6.0.14) 38B6099A-ED14-3D29-87D4-DF1A3E4168CF <165 6 5 1>

Press Enter, and your Mac will display a list of all loaded kernel extensions that are not from Apple. The kextstat command lists all the kernel extensions currently in use, while grep -v com.apple filters out any of the kernel extensions made by Apple, allowing you to see which third-party kexts are active.

Understanding the output:

  • Each line in the output represents one kernel extension.
  • The first column provides the index number of the extension as recognized by your Mac’s kernel.
  • The second column shows the reference count, which is the number of times the kext is being used. A higher number generally means the kext is being used by multiple processes or applications.
  • Next, you’ll see the address and size columns, showcasing where the kext is loaded in memory and how much space it occupies.
  • Finally, the most important part for most users is the bundle identifier, which typically includes the developer’s reverse domain name (e.g., com.example.driver)—this tells you what the kext is.

While the above command provides you with the list of non-Apple kexts, please note that interpreting what each kext does may require further investigation. If you’re not sure about the purpose of a specific kernel extension, conducting an internet search with its bundle identifier can usually provide more clarity.

UPDATE: With macOS 10.15 Catalina and later versions, Apple has deprecated kernel extensions in favor of system extensions as part of the system security improvements. Therefore, if you’re running macOS Big Sur, Monterey, or any newer macOS versions, you’ll find fewer kernel extensions and a transition towards safer and more secure system extensions that run in user space.