An open community 
of Macintosh users,
for Macintosh users.

FineTunedMac Dashboard widget now available! Download Here

Topic Options
#30967 - 08/26/14 08:20 PM Can't delete this file from Trash
kevs Offline


Registered: 12/07/09
I have a file called boot.efi in trash. It wont delete from trash.

I tried secure empty, with option and/ or shift.

Short of going to the genius bar on this one, I would love if someone had a clear step by step way to nuke it out of there. thanks.

Top
#30968 - 08/26/14 08:26 PM Re: Can't delete this file from Trash [Re: kevs]
artie505 Online


Registered: 08/04/09
That's a system file that doesn't sound at all like it ought to be in the trash; before you nuke it, have you got any idea how it got there?

When I search my HD (Edit: OS X 10.6.8), I find these two items:
   /System/Library/CoreServices/boot.efi
   /usr/standalone/i386/boot.efi


Edited by artie505 (08/26/14 08:26 PM)
_________________________
The new Great Equalizer is the SEND button.

Top
#30973 - 08/27/14 02:30 AM Re: Can't delete this file from Trash [Re: kevs]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
It's possible that your Mac put it there after repairing your system. That's easily checked by restarting and seeing if it disappears from Trash.

Checking your system files to see that you have the requisite bits and pieces as suggested by artie wouldn't hurt either.

If all seems to be OK but it's still stuck in Trash, remove it via OnyX.

Top
#30975 - 08/27/14 04:43 AM Re: Can't delete this file from Trash [Re: kevs]
MarkG Offline


Registered: 08/06/09
I did a search for boot.efi, Included in the search preferences was system files are included. It showed on my mac in 2 places
Macintosh HD usr standalone 1386 boot.efi
An alias also showed in
Macintosh HD System Library CoreServices boot.efi
I am running 10.9.4 on an iMac, as previous people have suggested it might be a good idea to run a search for it

Top
#30978 - 08/27/14 08:49 AM Re: Can't delete this file from Trash [Re: MarkG]
kevs Offline


Registered: 12/07/09
It was identified by Sophos, my new virus software as a threat. I have no idea why or what it is. It in folders called system, in Time Machine, again, no idea. 40 threats, all deleted ok except this one. I renamed the folders to test, still would not delete. I don't have Onyx, it's the free one right? Any other ideas or utlities?

Top
#30979 - 08/27/14 09:02 AM Re: Can't delete this file from Trash [Re: kevs]
jchuzi Online


Registered: 08/04/09
Loc: New York State
OnyX is free. You want version 2.4.0. Select the Cleaning tab and then select Trash.
_________________________
Jon

OS 10.14.2, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

Top
#30982 - 08/27/14 11:45 AM Re: Can't delete this file from Trash [Re: jchuzi]
kevs Offline


Registered: 12/07/09
Problem solved.

Ah.. Jon, your post and link came after I did my own search, dang.

I Google Onyx and chose the first one listed, Google Adword, free download, and then my antivirus brought up a new threat, said spyware something... Search Genie, then took over my homepage...

So after I dealt with that, I found MacUpdates Onyx page. Then it would not download, said it was not an identified developer.

Did a search on Macupdate for "empty trash:" or delete trash, and the first one up is called Trash it!

Also not identified developer, but I overrode that and took a risk.

Ran the software, (an to my surprise), the trash can was clear as a bell afterwards.


Edited by kevs (08/27/14 11:46 AM)

Top
#30983 - 08/27/14 11:46 AM Re: Can't delete this file from Trash [Re: kevs]
tacit Offline


Registered: 08/03/09
Loc: Portland, Oregon, USA
Some heuristic-based antivirus apps will wrongly flag boot.efi as a threat because it does things that a normal app should never do (contains code that changes how the Mac starts up). If you upload a clean boot.efi file from OS X to virustotal.com for instance, one of their scanners will flag it as possibly malicious.
_________________________
Photo gallery, all about me, and more: www.xeromag.com/franklin.html

Top
#30989 - 08/27/14 02:55 PM Re: Can't delete this file from Trash [Re: tacit]
kevs Offline


Registered: 12/07/09
This was the last file in a filder called Mac, HD, then a folder system, etc to that file. And it was in Time Machine, don't ask me why, but it got scanned as a threat and would not delete from the trash. Headache.

Top
#31005 - 08/28/14 01:56 PM Re: Can't delete this file from Trash [Re: kevs]
ganbustein Offline


Registered: 08/04/09
When your Mac starts up, some file somewhere has to be the first file executed. This file, and the folder that contains it, is pointed to by from a fixed location (the Boot blocks) on an HFS+ volume. The file is called the blessed file, and the folder containing it is called the blessed folder. Having these fields filled in is what makes a volume bootable.


Begin trip down memory lane: On the original Macintosh, before HFS, the filesystem was flat. Folders existed only in the imagination of Finder, which obviously has not started running yet when the system is just booting up. The name of the blessed file (normally "System") was stored in the boot blocks.

HFS introduced folders, and the folder ID of the blessed folder was stored in the boot blocks, along with the name (still normally "System") of the blessed file, which was searched for only in that folder. Finder would automatically bless the first folder it saw containing both "System" and "Finder" (configurable in the boot blocks), and unbless any folder that you removed either "System" or "Finder" from. The fact that a blessed folder has been selected is what makes a volume bootable.

HFS+ replaced the names ("System" and "Finder") in the boot blocks with their inode numbers. The boot blocks contain the inode numbers of the blessed folder and the blessed file. (It also saves alternates of these, so that a single disk volume can boot into either OS X or Mac OS 9 or, in principle, some other OS. Press X or 9 at startup to select from the alternates, if any.)

End trip down memory lane.


The OS X installer sets the blessed folder to /System/Library/CoreServices, and the blessed file to /System/Library/CoreServices/boot.efi. You can see this by running the Terminal command:

bless --info

So, that's what boot.efi is intended to be. It's the very first file executed when you start up your system, and is the one responsible for getting everything else started.

Time Machine will, of course, back it up. If it didn't, a full disk restore wouldn't be bootable.

As of OS X 10.7 Lion, the installer will also try to create a Recovery HD partition. It sets the blessed folder of that to ./com.apple.recovery.boot, and the blessed file to ./com.apple.recovery.boot/boot.efi.

As of OS X 10.7.2, Time Machine backs up Recovery HD. Since Recovery HD may change (for example, if you upgrade the OS, or if you back up multiple machines to the same local disk and they're running different versions of the OS), it may have multiple backups of Recovery HD. It keeps them all in separate subfolders of backupvolume/Backups.backupdb/.RecoverySets. Each backup will have its own copy of com.apple.recovery.boot/boot.efi.

Then Time Machine sets the blessed folder of the Time Machine volume to the root folder of that volume, and the blessed file to tmbootpicker.efi. That makes the TM volume bootable. tmbootpicker.efi's job is to search through the Recovery HD backups in Backups.backupdb/.RecoverySets to find the right one for this machine, and transfers control to its boot.efi file. The boot continues as if you had booted into the Recovery HD partition that was backed up there.

In short, it is not unusual to find many copies of boot.efi scattered around your system. You should expect to see one in /System/Library/CoreServices on every volume you've installed OS X on, and in every TM backup of that volume. If you look under the right rocks, you'll also find one in the com.apple.recover.boot folder on every Recovery HD partition, and on each Time Machine volume backing up such a partition. There's also one inside the InstallESD.dmg file inside each OS X installer. Some of those rocks aren't exactly easy to look under. laugh

There's no reason for it to appear anywhere else, though. Anti-malware software might find it suspicious to find one where it's not expected.

boot.efi is typically locked. (tmbootpicker.efi is typically both locked and hidden.) You can't normally empty locked files from the Trash. You can unlock a file in Finder using Get Info and unchecking the Locked checkbox, or from Terminal using chflags nouchg files.... Holding down the option key when emptying the Trash will normally automatically unlock locked files, but boot.efi is normally owned by root, and you don't have permission to unlock it.

Top
#31007 - 08/28/14 02:27 PM Re: Can't delete this file from Trash [Re: ganbustein]
kevs Offline


Registered: 12/07/09
Thanks Gan, I understood the gist of that, but yes, Sophos flagged it, I deleted it, and it caused a lot of grief, until I found trash it! which nuked it instantly.

Lot of people on another forum suggesting terminal this, terminal that... lot of run a round....

Top
#31013 - 08/29/14 09:14 AM Re: Can't delete this file from Trash [Re: ganbustein]
Ira L Offline


Registered: 08/13/09
Loc: California
Originally Posted By: ganbustein
Finder would automatically bless the first folder it saw containing both "System" and "Finder" (configurable in the boot blocks), and unbless any folder that you removed either "System" or "Finder" from.


Nice explanation! To add to the memory trip, in the older days, if a folder was blessed, its icon in Finder had a special "system symbol". As you said, if you "unblessed" the folder by removing System or Finder, the folder icon would revert to the plain icon version.
_________________________
On a Mac since 1984.
Currently: 27" iMacs, Macbook Air, macOS 10.14.x,; iPhones, iPods and iPads galore!

Top

Moderator:  alternaut, dkmarsh, joemikeb