LaunchServices is an almost completely undocumented service that is critical for launching applications on macOS and iOS.
lsd, the LaunchServices daemon, is responsible for most of the heavy lifting. APIs such as LSApplicationWorkspace communicate with it over XPC in order to perform tasks and register applications with it.
lsd creates a giant database of all applications on the system, and uses this database to determine which application to launch when a file is opened or a URL is clicked.
samples/: contains a bunch of files sampled from macOS and iOS that are related to LaunchServicesobjc/: contains Objective-C code for using CoreServicesStore.framework on macOScsstore.py: a command line tool for reversing the LaunchServices database
python ./csstore.py ./samples/com.apple.LaunchServices-5019-v2.csstore dump ./csstore.txtOn macOS, several versions of the database exist, one for each user.
They are stored in DARWIN_USER_DIR/com.apple.LaunchServices.dv/com.apple.LaunchServices-<VERSION>-v2.csstore.
DARWIN_USER_DIR can be found with getconf DARWIN_USER_DIR, it is derived from the user's UID and UUID1.
For example, the path might look like this:
/private/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/0/com.apple.LaunchServices.dv/com.apple.LaunchServices-5019-v2.csstore
On iOS 15, the database is located at
/private/var/containers/Data/System/<UUID>/Library/Caches/com.apple.LaunchServices-<VERSION>-v2.csstore
With iOS 16, the database was moved to
/private/var/mobile/Containers/Data/InternalDaemon/<UUID>/Library/Caches/com.apple.LaunchServices-<VERSION>-v2.csstore
The version number seems to be tied to the macOS/iOS version that created the database, here are the known associations:
- macOS 14.3.1:
5019 - iOS 15.8.3:
3027 - iOS 16.1.2:
4031
As evidenced by the .csstore extension, the database is in the proprietary and undocumented CoreServicesStore format.
LaunchServices structures the database contents with the following tables:
<array>: ?DB Header: ?Bundle: ?Claim: ?Service: ?Type: ?HandlerPref: ?Container: ?Alias: ?Plugin: ?ExtensionPoint: ?BindingList: ?PropertyList: ?LocalizedString: ?CanonicalString: ?BindableKeyMap: ?UTIBinding: ?ExtensionBinding: ?OSTypeBinding: ?MIMEBinding: ?NSPasteboardBinding: ?DeviceModelCodeBinding: ?BluetoothVendorProductIDBinding: ?URLSchemeBinding: ?BundleIDBinding: ?BundleNameBinding: ?ActivityTypeBinding: ?PluginBundleIDBinding: ?PluginProtocolBinding: ?PluginUUIDBinding: ?ExtensionPointIDBinding: ?<string>: ?
On macOS, a handy tool is included: lsregister. You can use it to dump the contents of the database in a human readable form:
/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dumpOn iOS, a similar tool is located at /usr/bin/lsdiagnose
A dump of the database is also included in sysdiganose tarballs. The dump in the sysdiagnose is ends with .csstoredump, and it is NOT the raw database, but rather a human readable version that was serialized (why?)
According to the README included with every sysdiagnose...
.csstoredump files:
sysdiagnose generates the output of lregister/lsaw in a binary form. To convert
these .csstoredump files to text files, use the following command:
lsaw dump --file "PATH TO DUMP FILE" > lsaw.txt
These files can also be opened in CSStore Viewer.
...however, I have no idea where one can obtain lsaw or CSStore Viewer.