How to Audit Login Items on Mac and Linux
July 5, 2026

That moment when your laptop feels a little off - a browser opens slower, a fan spins up for no reason, or a process keeps coming back after you quit it - is usually when people start asking how to audit login items. That’s a smart place to look. Login items and other startup mechanisms are one of the simplest ways for legitimate apps to launch automatically, and one of the most common ways unwanted software sticks around.
If you only check the visible list in System Settings or your desktop environment, you’ll miss part of the picture. A real audit means figuring out what starts automatically, why it starts, who put it there, and whether it still makes sense. On macOS and Linux, that can include user-facing login items, launch agents, system services, cron jobs, shell profiles, and a few less obvious persistence paths.
What a login item audit is really checking
A good audit is not just a cleanup exercise. It’s a trust exercise. You are checking which programs get to run before you ask for them, and whether those programs match your expectations.
Some entries are harmless but stale. Think old update helpers, chat apps you uninstalled months ago, or vendor utilities that survived a migration. Others deserve more attention, especially if they launch from odd file paths, use random-looking names, call hidden scripts, or point to binaries you do not recognize.
This is also where trade-offs matter. Not every auto-starting item is bad. Security tools, backup daemons, password managers, VPN clients, and hardware drivers often need to start in the background. The goal is not to get to zero. The goal is to get to known and justified.
How to audit login items on macOS
On macOS, start with the obvious layer. Open System Settings, then General, then Login Items. You’ll see apps that open at login and a separate section for items allowed to run in the background. This view is useful, but it is not the whole startup surface.
The next layer is LaunchAgents and LaunchDaemons. These are property list files that tell macOS to launch software automatically. User-level agents often live in a Library folder inside a user account, while system-wide agents and daemons are typically stored under top-level Library paths. If you are auditing manually, look at the file names, the program path they call, and whether the vendor is familiar.
A clean entry usually gives itself away. It names the app or vendor clearly, points to a signed application or helper in a standard location, and matches software you know you installed. Suspicious entries tend to be vaguer. They may use generic names like updater, helper, or agent without a vendor prefix, or they may reference executables in temporary folders, hidden directories, or user-writable locations that make little sense for persistent software.
Terminal can help you verify what is loaded and where it points. You can inspect launch-related directories, review plist contents, and compare them against installed applications. If a launch item references a file that no longer exists, that is usually clutter. If it references a file that does exist but you cannot tie it to a known app, that deserves a closer look.
Also pay attention to shell startup files if you use Terminal regularly. A modified shell profile can launch commands at login or when a terminal session opens. That may be intentional for developers, but it is also a quiet place for persistence. If you see curl commands, base64 blobs, long obfuscated lines, or scripts fetched from unusual locations, treat that as a red flag.
How to audit login items on Linux
Linux is more flexible, which also means startup behavior can be spread across more places. For desktop users, begin with your session’s startup applications settings. That catches the easy cases, but serious auditing goes deeper.
On most modern distributions, systemd is central. Review enabled services at both the system and user level. A service may be perfectly normal, but the questions stay the same: what binary does it run, where is that binary stored, and do you know why it should start automatically?
User-level autostart entries are another common place to check. Desktop environments often use .desktop files in autostart directories to launch apps on login. Read the Exec line carefully. If it points to a well-known app in a standard path, that is probably fine. If it launches a shell script from a hidden directory or calls a command with obfuscated arguments, pause there.
Then check cron. Scheduled tasks are not login items in the narrow sense, but they are part of the same persistence story. A malicious or unwanted process does not care whether it starts at login, every reboot, or every minute. If your goal is visibility, include crontabs, anacron jobs, and timer units in the audit.
For server operators, startup auditing matters even more because there may be no graphical login at all. The relevant question becomes what begins automatically after boot or when a user session starts over SSH. On Linux servers, the usual suspects are systemd services, rc.local-style scripts, cron, and shell initialization files for administrative accounts.
What to look for when an entry seems wrong
The fastest way to judge a startup entry is context. Does the name match installed software? Does the file path look standard? Is the binary signed or packaged by your distro or a known vendor? Was it created around the same time you installed something legitimate?
There are a few patterns that deserve extra scrutiny. Randomized names are one. Hidden directories inside a home folder are another, especially when paired with scripts that re-create themselves. Items that launch network utilities, persistence scripts, or unsigned binaries from writable directories are not automatically malicious, but they should not get a free pass.
The timing matters too. If an item appeared right after installing a new printer driver, that is one story. If it appeared after opening a suspicious attachment or running a one-line install script from a forum post, that is a different story.
This is where plain-English tooling helps. Raw startup entries are easy to collect and hard to interpret. A small host-monitoring tool that checks startup items alongside network connections, browser extensions, and sensitive system files can give you a broader answer than a folder listing ever will. Instead of staring at a plist or unit file and guessing, you get a clearer view of whether that item fits the rest of the system’s behavior.
Remove carefully, not aggressively
Once you find something questionable, resist the urge to delete first and ask questions later. Some startup entries are tied to software that breaks badly if you remove only one helper component. Others will simply come back because the parent app recreates them.
Start by disabling rather than deleting when possible. On macOS, remove the item from login settings or unload the corresponding launch configuration after recording the original file path. On Linux, disable the user or system service, move the autostart file aside, or comment out the scheduled task. Then reboot or log out and back in to confirm what changed.
If the system behaves normally and nothing recreates the entry, you can decide whether to remove the underlying files. If the item reappears, that tells you something important: another process is managing persistence. At that point, you are no longer just cleaning up startup clutter. You are tracing control.
A simple audit routine that actually works
For most people, the best routine is quarterly, or anytime the machine starts acting strangely. Check visible login items first. Then review deeper startup paths for your platform. Validate unfamiliar names by their executable path, package ownership, and install history. Finally, compare startup entries with the rest of the machine’s behavior - outbound connections, recent file changes, browser add-ons, and authentication events.
That cross-check is what separates a real audit from cosmetic cleanup. A login item by itself may look harmless. The same item paired with a suspicious network connection and a recently modified shell profile tells a very different story.
If you want to keep the process low-friction, use tools that stay local, read the system without taking it over, and explain findings in normal language. That is the difference between a giant wall of logs and a plain-English answer you can trust. Tools like avai are built for exactly that kind of visibility, especially if you want startup inspection without shipping your machine data to somebody else’s cloud.
The best reason to audit startup behavior is not paranoia. It is confidence. When you know what launches automatically and why, your computer stops feeling mysterious and starts feeling under your control again.