Recovering from Mac Kernel panics with a little help from Osquery

Mac OSX kernel panic screen

Recovering from a panic at boot time

⌘ + v
(Command + v)
Mac boot process

Mac recovery mode

⌘ + r
(Command + r)
Accessing the Mac recovery partition
cd /Volumes/OSX/  # or your drive name

Diagnostic mode

⌘ + d
(Command + d)
Mac OSX Diagnose completion screen

NVRAM / PRAM reset

⌘ + ⌥ + p + r 
(Command + Option + p + r)

SMC Reset

ctrl + ⌥ + shift
(Control + Option + Shift)

Debugging a panic post boot time

cd ~/Library/Logs/DiagnosticReports
cd /Library/Logs/DiagnosticReports
cat /var/log/system.log
sudo dmesg

More information on Apple kernel panics

The kernel_panics table in Osquery

SELECT * FROM kernel_panics;
.mode line
SELECT * FROM kernel_panics ORDER BY time DESC LIMIT 1;
path = /Library/Logs/DiagnosticReports/Kernel_2015-06-10-104120_Example.panic
time = Wed Jun 10 10:41:19 2015
registers = CR0:0x0000000080010033 CR2:0x0000004300000007 CR3:0x0000000168ac8126 CR4:0x00000000001627e0 RAX:0x0000004300000006 RBX:0x0000000000000066 RCX:0xffffff7f9c654c06 RDX:0xffffff8039263480 RSP:0xffffff822b67b990 RBP:0xffffff822b67b9e0 RSI:0x000000008020690c RDI:0xffffff805aed4a08 R8:0x0000000000000000 R9:0x00000000000001b0 R10:0x00000000000001b8 R11:0x0000000000000202 R12:0xffffff8056d66008 R13:0x0000000000000002 R14:0xffffff8056d66400 R15:0x0000000000000066 RFL:0x0000000000010282 RIP:0xffffff7f9c654c9b CS:0x0000000000000008 SS:0x0000000000000010
frame_backtrace = 0xffffff822b67b640 : 0xffffff801ad2bda1
module_backtrace = foo.tun(1.0)[424F8631-7A29-4E02-B0C9-2442FB894E25]@0xffffff7f9c654000->0xffffff7f9c659fff
dependencies =
name = ifconfig
os_version = 14D136
kernel_version = Darwin Kernel Version 14.3.0: Mon Mar 23 11:59:05 PDT 2015; root:xnu-2782.20.48~5/RELEASE_X86_64
system_model = MacBookPro11,1 (Mac-189A3D4F975D5FFC)
uptime = 162729462029316
last_loaded = com.apple.driver.CoreStorageFsck 471.20.7 (addr 0xffffff7f9cebc000, size 102400)
last_unloaded = com.apple.driver.AppleUSBCDC 4.3.3b1 (addr 0xffffff7f9c759000, size 16384)
SELECT * FROM file WHERE path LIKE '/Library/Logs/DiagnosticReports/%';
SELECT * FROM carves WHERE path IN (SELECT path FROM kernel_panics ORDER BY time DESC LIMIT 1) AND carve = 1;

Zercurity
