How to Remove an Unwanted Process in OS X

If you've ever gone through a software installation process, aborted it, and discovered that you have an unwanted process still running on your Mac, here's how to root it out and remove it.


First up, a gentle warning. One should not, in general, willy-nilly remove an OS X process (a software program) just because you don't recognize it or don't know what it does. OS X is complicated and has many essential processes that shouldn't be tampered with.

However, let's say that you just installed an OS X application called, decided to quit and delete the application completely. But you still see a process running in Activity Monitor called, for example, spectre_daemon or spectred. Some houskeeping utilities are able to find all the support files for an app and remove everything.  But let's say you don't have one and don't want to invest in one. You just want the unwanted, left-over process gone.

Moving on. You may suspect, as I did in the example below, that the installation procedure installed and scheduled a recurring support process—or perhaps a daemon. (A daemon is a process that runs in the background and has no user interface. Its name typically ends with the letter 'd' but not always.)

For example, a developer may need to have some kind of support daemon always running in the background even when the app itself is not running.

Stepping Lightly

Let's say that you're sure that a process you see in Activity Monitor has to go. Killing it from Activity Monitor will work temporarily, but the next time you reboot, it may start up again. That's if the installation has added it to the list of processes that will be started by OS X's process manager called launchd. (If you're curious, here's more on launchd.)

1. The first step is to be sure about the name. Awhile back, I had this unwanted process running on my Mac, shown in Activity Monitor.

2. Find the location of the process on your Mac by clicking the Info icon (small "i") at the top of Activity Monitor.

Click on the "Open Files and Ports" tab. The first line or two (underlined below in red) will show the path to the unwanted code on your Mac.

In this example, it's a daemon inside the wrapper of an application. The Info box has conveniently drilled into the package contents of the app to show the code's location and name: Samsung_Portable_SSD_Daemon. (All apps in OS X are really folders. The Finder presents that folder as an app icon that can be double-clicked. Going into the package contents means looking inside the app's folder to see the files inside.)

3. In this example, a folder was likely created by the installer, and the resulting folder was placed in /Users/john/Library/Application_Support.

Because, in this example, everything associated with that folder had to go, the entire folder named "PortableSSD" (see above) was deleted. It was safe to do because of its location in Application_Support as its own newly created and recognizable folder. While there may still be a lingering entry in launchd's plist, the code can't be launched at boot after this folder is deleted. 

This example was slightly odd because the process code was a daemon embedded in an app, and there will be other variations. That made it stand out, however. You generally wouldn't delete an enclosing folder, not part of your suspicious process, unless you're really, really know what you're doing. (And I mean really.)

Assuming you are certain that the process you find in step #3 is the culprit, you can either delete it outright, wherever you find it, or, if in doubt, (for the sake of forensics) move, not copy, to a flash drive. Either way, launchd can't find it in order to launch it the next time you boot up.

As always, make sure you have a recent Time Machine backup before embarking on a project like this. If in doubt, consult with an OS X expert.