Join Us!

How can I find out ...
Clear all

How can I find out dates of auto-logins set/disabled on Mac?  

New Member

I want to know if the Mac was auto-login enabled during certain period. How can I Do that? If it is disabled now, I can’t assume it’s always been so..

Posted : 18/11/2019 9:28 pm
Senior Member

Try to investigate the KnowledgeC database.

Posted : 20/11/2019 5:27 am
New Member

You may want to look over Sarah Edwards SANs presentation on Macintosh logs

Really depends on which version of Mac you are looking at.

Posted : 20/11/2019 3:33 pm
Active Member

Sarah Edwards pdf listed above is a good source of information. Mounting the image in your Mac and using console to pull some logs from it would be a good idea. e.g. system.log

Also look in the following plists - info a about last logged on user - keeps info on deleted user accounts, this will only be present if an account has been deleted.

Within the plists above, keep an eye out for guest profile, if the guest option is active a person could boot the Mac, login to guest without password, do some "naughty things" and log out.

Posted : 20/11/2019 7:07 pm
Junior Member

As pointed out, the autologin enable/disable setting is in this plist

The password (its obfuscated version actually) is stored here

I would also look at timestamps on that file, if it exists. And review logs of course.

My mac_apt tool ( will pull out all these files for you automatically when you run it on your evidence.

Posted : 02/12/2019 3:35 am