Recovering from Mac Kernel panics with a little help from Osquery

Mac OSX kernel panic screen

Recovering from a panic at boot time

⌘ + v
(Command + v)
Mac boot process

Mac recovery mode

⌘ + r
(Command + r)
Accessing the Mac recovery partition
cd /Volumes/OSX/  # or your drive name

Diagnostic mode

⌘ + d
(Command + d)
Mac OSX Diagnose completion screen

NVRAM / PRAM reset

⌘ + ⌥ + p + r 
(Command + Option + p + r)

SMC Reset

ctrl + ⌥ + shift
(Control + Option + Shift)

Debugging a panic post boot time

cd ~/Library/Logs/DiagnosticReports
cd /Library/Logs/DiagnosticReports
cat /var/log/system.log
sudo dmesg

More information on Apple kernel panics

The kernel_panics table in Osquery

SELECT * FROM kernel_panics;
.mode line
SELECT * FROM kernel_panics ORDER BY time DESC LIMIT 1;
path = /Library/Logs/DiagnosticReports/Kernel_2015-06-10-104120_Example.panic
time = Wed Jun 10 10:41:19 2015
registers = CR0:0x0000000080010033 CR2:0x0000004300000007 CR3:0x0000000168ac8126 CR4:0x00000000001627e0 RAX:0x0000004300000006 RBX:0x0000000000000066 RCX:0xffffff7f9c654c06 RDX:0xffffff8039263480 RSP:0xffffff822b67b990 RBP:0xffffff822b67b9e0 RSI:0x000000008020690c RDI:0xffffff805aed4a08 R8:0x0000000000000000 R9:0x00000000000001b0 R10:0x00000000000001b8 R11:0x0000000000000202 R12:0xffffff8056d66008 R13:0x0000000000000002 R14:0xffffff8056d66400 R15:0x0000000000000066 RFL:0x0000000000010282 RIP:0xffffff7f9c654c9b CS:0x0000000000000008 SS:0x0000000000000010
frame_backtrace = 0xffffff822b67b640 : 0xffffff801ad2bda1
module_backtrace = foo.tun(1.0)[424F8631-7A29-4E02-B0C9-2442FB894E25]@0xffffff7f9c654000->0xffffff7f9c659fff
dependencies =
name = ifconfig
os_version = 14D136
kernel_version = Darwin Kernel Version 14.3.0: Mon Mar 23 11:59:05 PDT 2015; root:xnu-2782.20.48~5/RELEASE_X86_64
system_model = MacBookPro11,1 (Mac-189A3D4F975D5FFC)
uptime = 162729462029316
last_loaded = 471.20.7 (addr 0xffffff7f9cebc000, size 102400)
last_unloaded = 4.3.3b1 (addr 0xffffff7f9c759000, size 16384)
SELECT * FROM file WHERE path LIKE '/Library/Logs/DiagnosticReports/%';
SELECT * FROM carves WHERE path IN (SELECT path FROM kernel_panics ORDER BY time DESC LIMIT 1) AND carve = 1;
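
Added example, not code from the original article: a small triage helper that takes kernel_panics rows as JSON (assumed to come from `osqueryi --json`), picks the newest panic by parsing the text timestamp, and checks whether RIP falls inside a kext range listed in module_backtrace. The function names are hypothetical; the first sample row reuses values from the output above and the second is constructed.

```python
import json
import re
from datetime import datetime

# Constructed sample shaped like `osqueryi --json "SELECT * FROM kernel_panics;"`.
# Row 1 reuses values from the output above; row 2 is invented for the example.
SAMPLE = json.dumps([
    {"time": "Wed Jun 10 10:41:19 2015", "name": "ifconfig",
     "registers": "RSP:0xffffff822b67b990 RIP:0xffffff7f9c654c9b CS:0x0000000000000008",
     "module_backtrace": "foo.tun(1.0)[424F8631-7A29-4E02-B0C9-2442FB894E25]"
                         "@0xffffff7f9c654000->0xffffff7f9c659fff"},
    {"time": "Wed Mar 04 09:00:00 2015", "name": "kernel_task",
     "registers": "RIP:0xffffff801ad2bda1", "module_backtrace": ""},
])

MODULE_RE = re.compile(
    r"([\w.]+)\(([^)]*)\)\[([0-9A-Fa-f-]+)\]@(0x[0-9a-fA-F]+)->(0x[0-9a-fA-F]+)")

def load_rows(text):
    """Decode the JSON array of rows."""
    return json.loads(text)

def parse_registers(text):
    """Turn 'RAX:0x.. RBX:0x..' into {'RAX': int, ...}."""
    return {k: int(v, 16) for k, v in re.findall(r"(\w+):(0x[0-9a-fA-F]+)", text)}

def parse_modules(text):
    """Return (name, version, uuid, start, end) for each kext in module_backtrace."""
    return [(n, ver, uuid, int(lo, 16), int(hi, 16))
            for n, ver, uuid, lo, hi in MODULE_RE.findall(text)]

def faulting_module(row):
    """Name of the listed kext whose load range contains RIP, or None if none matches."""
    rip = parse_registers(row["registers"]).get("RIP")
    for name, _ver, _uuid, lo, hi in parse_modules(row["module_backtrace"]):
        if rip is not None and lo <= rip <= hi:
            return name
    return None

def latest_panic(rows):
    """Newest row by parsed timestamp; comparing the raw text would sort by weekday and month name."""
    return max(rows, key=lambda r: datetime.strptime(r["time"], "%a %b %d %H:%M:%S %Y"))

if __name__ == "__main__":
    row = latest_panic(load_rows(SAMPLE))
    print(row["time"], row["name"], "->", faulting_module(row) or "no kext matched")
```

For the sample row taken from the output above, RIP lands inside the foo.tun range, which points at that kext as the place to start looking.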


