Recovering from Mac Kernel panics with a little help from Osquery

Mac OSX kernel panic screen

Recovering from a panic at boot time

If you end up in a continual loop where the system crashes on each restart before reaching the login screen, you can get a more detailed (verbose) debug message by holding down the following keys during system start:

⌘ + v
(Command + v)
Mac boot process

Mac recovery mode

If it looks like the issue may be with software or a recent configuration change that you wish to undo, you can boot your Mac into its recovery mode and access the hard drive directly.

⌘ + r
(Command + r)
Accessing the Mac recovery partition
cd /Volumes/OSX/   # or your drive name

Diagnostic mode

If it looks like it might be a hardware fault, you can restart your Mac again, this time using the following keyboard combination:

⌘ + d
(Command + d)
Mac OSX Diagnose completion screen

NVRAM / PRAM reset

NVRAM (nonvolatile random-access memory) is a small amount of memory that your Mac uses to store certain settings and access them quickly. PRAM (Parameter RAM) stores similar information.

⌘ + ⌥ + p + r 
(Command + Option + p + r)

SMC Reset

The System Management Controller (SMC) controls how your Mac manages power, thermals, battery charging, video mode switching, sleep and wake, hibernation, and LED indicators. Any issues affecting the above may be fixed with a reset of the SMC. Otherwise, leave it alone. More information can be found here.

ctrl + ⌥ + shift
(Control + Option + Shift)

Debugging a panic post boot time

If you can still boot into OSX, the Console application will have direct access to all your system logs, as well as the ability to parse some of the .asl and .diag file formats.

cd ~/Library/Logs/DiagnosticReports
cd /Library/Logs/DiagnosticReports
cat /var/log/system.log
sudo dmesg

More information on Apple kernel panics

https://support.apple.com/en-us/TS3742

The kernel_panics table in Osquery

Osquery has a helpful table for remotely checking whether a system has had any recent kernel panics. This is useful if users have been reporting bad system behavior.

SELECT * FROM kernel_panics;
.mode line
SELECT * FROM kernel_panics ORDER BY time DESC LIMIT 1;
path = /Library/Logs/DiagnosticReports/Kernel_2015-06-10-104120_Example.panic
time = Wed Jun 10 10:41:19 2015
registers = CR0:0x0000000080010033 CR2:0x0000004300000007 CR3:0x0000000168ac8126 CR4:0x00000000001627e0 RAX:0x0000004300000006 RBX:0x0000000000000066 RCX:0xffffff7f9c654c06 RDX:0xffffff8039263480 RSP:0xffffff822b67b990 RBP:0xffffff822b67b9e0 RSI:0x000000008020690c RDI:0xffffff805aed4a08 R8:0x0000000000000000 R9:0x00000000000001b0 R10:0x00000000000001b8 R11:0x0000000000000202 R12:0xffffff8056d66008 R13:0x0000000000000002 R14:0xffffff8056d66400 R15:0x0000000000000066 RFL:0x0000000000010282 RIP:0xffffff7f9c654c9b CS:0x0000000000000008 SS:0x0000000000000010
frame_backtrace = 0xffffff822b67b640 : 0xffffff801ad2bda1
module_backtrace = foo.tun(1.0)[424F8631-7A29-4E02-B0C9-2442FB894E25]@0xffffff7f9c654000->0xffffff7f9c659fff
dependencies =
name = ifconfig
os_version = 14D136
kernel_version = Darwin Kernel Version 14.3.0: Mon Mar 23 11:59:05 PDT 2015; root:xnu-2782.20.48~5/RELEASE_X86_64
system_model = MacBookPro11,1 (Mac-189A3D4F975D5FFC)
uptime = 162729462029316
last_loaded = com.apple.driver.CoreStorageFsck 471.20.7 (addr 0xffffff7f9cebc000, size 102400)
last_unloaded = com.apple.driver.AppleUSBCDC 4.3.3b1 (addr 0xffffff7f9c759000, size 16384)
SELECT * FROM file WHERE path LIKE '/Library/Logs/DiagnosticReports/%';
SELECT * FROM carves WHERE path IN (SELECT path FROM kernel_panics ORDER BY time DESC LIMIT 1) AND carve = 1;
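
A triage pass over kernel_panics results, as an added example that is not part of the original post: it parses rows in the shape that osqueryi --json returns, pulls the kernel extensions named in module_backtrace, and flags any whose bundle ID does not start with com.apple. The sample rows are constructed (the first is modelled on the output above), and the function names and the com.apple. prefix heuristic are assumptions of this example.

```python
import json
import re

# Constructed sample: rows shaped like `osqueryi --json "SELECT ... FROM kernel_panics"`
# output (osquery returns every column as a string). The first row is modelled on the
# panic shown above; the other two are invented for contrast.
SAMPLE_ROWS = json.dumps([
    {"path": "/Library/Logs/DiagnosticReports/Kernel_2015-06-10-104120_Example.panic",
     "time": "Wed Jun 10 10:41:19 2015", "name": "ifconfig",
     "module_backtrace": "foo.tun(1.0)[424F8631-7A29-4E02-B0C9-2442FB894E25]"
                         "@0xffffff7f9c654000->0xffffff7f9c659fff"},
    {"path": "/Library/Logs/DiagnosticReports/Kernel_constructed_1.panic",
     "time": "Thu Jun 11 09:00:00 2015", "name": "kernel_task",
     "module_backtrace": "com.apple.driver.AppleUSBCDC(4.3.3b1)[CONSTRUCTED-UUID]"
                         "@0xffffff7f9c759000->0xffffff7f9c75cfff"},
    {"path": "/Library/Logs/DiagnosticReports/Kernel_constructed_2.panic",
     "time": "Fri Jun 12 09:00:00 2015", "name": "kernel_task", "module_backtrace": ""},
])

# Matches bundle.id(version)[UUID]@0xstart, the layout of the module_backtrace column above.
KEXT_RE = re.compile(r"([A-Za-z0-9_.\-]+)\(([^)]*)\)\[[^\]]*\]@0x[0-9a-fA-F]+")

def implicated_kexts(module_backtrace):
    """Return (bundle_id, version) pairs named in a module_backtrace string."""
    return KEXT_RE.findall(module_backtrace or "")

def triage(rows_json):
    """Summarise each panic and flag non-Apple kernel extensions in its backtrace."""
    findings = []
    for row in json.loads(rows_json):
        kexts = implicated_kexts(row.get("module_backtrace"))
        # Assumption of this example: a com.apple. bundle ID prefix means first-party.
        third_party = [k for k in kexts if not k[0].startswith("com.apple.")]
        findings.append({
            "report": row["path"],
            "process": row.get("name", ""),
            "kexts": kexts,
            "third_party": third_party,
            "needs_review": bool(third_party),
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f["needs_review"], f["process"], f["third_party"] or f["kexts"], f["report"])
```

A panic with an empty module_backtrace produces no kext entries and is not flagged, so those reports still need a manual look at the carved .panic file.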
