Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/jjtech0130/launchservices

Experimenting with the Launch Services system on iOS and macOS
https://github.com/jjtech0130/launchservices

Last synced: 12 months ago
JSON representation

Experimenting with the Launch Services system on iOS and macOS

Awesome Lists containing this project

README 

          
# What is LaunchServices?



LaunchServices is an almost completely undocumented service that is critical for launching applications on macOS and iOS.



# How does LaunchServices work?



`lsd`, the LaunchServices daemon, is responsible for most of the heavy lifting. APIs such as `LSApplicationWorkspace` communicate with it over XPC in order to perform tasks and register applications with it.



`lsd` creates a giant database of all applications on the system, and uses this database to determine which application to launch when a file is opened or a URL is clicked.



# What does this repository contain?

- `samples/`: contains a bunch of files sampled from macOS and iOS that are related to LaunchServices

- `objc/`: contains Objective-C code for using CoreServicesStore.framework on macOS

- `csstore.py`: a command line tool for reversing the LaunchServices database



### How do I use `csstore.py`?

```shell

python ./csstore.py ./samples/com.apple.LaunchServices-5019-v2.csstore dump ./csstore.txt

```



## LaunchServices Database



### Where is the database located?

On macOS, several versions of the database exist, one for each user. 

They are stored in `DARWIN_USER_DIR/com.apple.LaunchServices.dv/com.apple.LaunchServices--v2.csstore`.



`DARWIN_USER_DIR` can be found with `getconf DARWIN_USER_DIR`, it is derived from the user's UID and UUID[^1].



For example, the path might look like this:

```

/private/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/0/com.apple.LaunchServices.dv/com.apple.LaunchServices-5019-v2.csstore

```



On iOS 15, the database is located at 

```

/private/var/containers/Data/System//Library/Caches/com.apple.LaunchServices--v2.csstore

```

With iOS 16, the database was moved to 

```

/private/var/mobile/Containers/Data/InternalDaemon//Library/Caches/com.apple.LaunchServices--v2.csstore

```



The version number seems to be tied to the macOS/iOS version that created the database, here are the known associations:

- macOS 14.3.1: `5019`

- iOS 15.8.3: `3027`

- iOS 16.1.2: `4031`



### How is the database structured?

As evidenced by the `.csstore` extension, the database is in the proprietary and undocumented `CoreServicesStore` format.

LaunchServices structures the database contents with the following tables:



- ``: ?

- `DB Header`: ?

- `Bundle`: ?

- `Claim`: ?

- `Service`: ?

- `Type`: ?

- `HandlerPref`: ?

- `Container`: ?

- `Alias`: ?

- `Plugin`: ?

- `ExtensionPoint`: ?

- `BindingList`: ?

- `PropertyList`: ?

- `LocalizedString`: ?

- `CanonicalString`: ?

- `BindableKeyMap`: ?

- `UTIBinding`: ?

- `ExtensionBinding`: ?

- `OSTypeBinding`: ?

- `MIMEBinding`: ?

- `NSPasteboardBinding`: ?

- `DeviceModelCodeBinding`: ?

- `BluetoothVendorProductIDBinding`: ?

- `URLSchemeBinding`: ?

- `BundleIDBinding`: ?

- `BundleNameBinding`: ?

- `ActivityTypeBinding`: ?

- `PluginBundleIDBinding`: ?

- `PluginProtocolBinding`: ?

- `PluginUUIDBinding`: ?

- `ExtensionPointIDBinding`: ?

- ``: ?



### How can I inspect the database contents?

On macOS, a handy tool is included: `lsregister`. You can use it to dump the contents of the database in a human readable form:

```shell

/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump

```



On iOS, a similar tool is located at `/usr/bin/lsdiagnose`



### A note about sysdiagnose

A dump of the database is also included in sysdiganose tarballs. The dump in the sysdiagnose is ends with `.csstoredump`, and it is NOT the raw database, but rather a human readable version that was serialized (why?)



According to the README included with every sysdiagnose...

```

.csstoredump files:

sysdiagnose generates the output of lregister/lsaw in a binary form. To convert

these .csstoredump files to text files, use the following command: 



	lsaw dump --file "PATH TO DUMP FILE" > lsaw.txt



These files can also be opened in CSStore Viewer.

```

...however, I have no idea where one can obtain `lsaw` or `CSStore Viewer`.



[^1]: https://www.swiftforensics.com/2017/04/the-mystery-of-varfolders-on-osx.html