On an M1 MBP running Ventura 13.6, a user suddenly sees this:
It’s an app located under System>Library>Core Services. The user raised a “virus alert” with me, but I think it’s a genuine part of macOS, but what is it?
Apps in /System/Library are part of macOS. Looking into the package contents and browsing the various property lists with the plutil utility, I found the string table containing its messages (in every supported language):
$ plutil -p Localizable.loctable
...
"en" => {
"CANCEL_BUTTON" => "Cancel"
"CANT_RESTART" => "Your computer can't be restarted now, because software is being installed."
"CANT_RESTART_INFO" => "Interrupting the install may damage your computer. You can restart when the install is complete."
"CANT_SHUTDOWN" => "Your computer can't be shut down now, because software is being installed."
"CANT_SHUTDOWN_INFO" => "Interrupting the install may damage your computer. You can shut down when the install is complete."
"COMBINED_INFO" => "%@ %@"
"INSTALL_DONE" => "Installation complete"
"INSTALLING_MORE" => "%@, and %@ are being installed."
"INSTALLING_MORE_SEP" => ", "
"INSTALLING_ONE" => "%@ is being installed."
"INSTALLING_TWO" => "%@ and %@ are being installed."
"OKAY_TO_RESTART" => "The install is complete. It is okay to restart your computer now."
"OKAY_TO_SHUTDOWN" => "The install is complete. It is okay to shut down your computer now."
"RESTART_BUTTON" => "Restart"
"SHUTDOWN_BUTTON" => "Shut Down"
}
...
Looks like a part of the Software Update mechanism, since it has messages telling you when it is and is not safe to restart or shut down.
If your user has automatic updates configured, then this might be appearing due to a background installation taking place.
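Added example, not part of the original thread: the inspection described in the post above as a repeatable Python check that reads a bundle's Info.plist and .loctable string tables and records whether the bundle resolves to a path under /System/Library. The Contents/Resources location of the string table, the function names, and the sample bundle with its name and identifier are assumptions constructed for the demonstration.

```python
import plistlib
import tempfile
from pathlib import Path

SYSTEM_ROOT = Path("/System/Library")  # the location the post treats as part of macOS


def load_plist(path):
    """Read an XML or binary property list (.loctable files are plists too)."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def triage_bundle(app_path, lang="en", system_root=SYSTEM_ROOT):
    """Report what a bundle says about itself, without launching it."""
    app = Path(app_path).resolve()  # follow symlinks before judging location
    info = load_plist(app / "Contents" / "Info.plist")
    report = {
        "path": str(app),
        # Location is the real evidence; the fields below are only
        # self-description that any developer can copy.
        "under_system_root": Path(system_root).resolve() in app.parents,
        "bundle_id": info.get("CFBundleIdentifier"),
        "strings": {},
    }
    for table in sorted((app / "Contents" / "Resources").glob("*.loctable")):
        report["strings"].update(load_plist(table).get(lang, {}))
    return report


def build_sample_bundle(parent):
    """Constructed stand-in bundle (hypothetical name and ID) so this runs offline."""
    app = Path(parent) / "CoreServices" / "Sample.app"
    (app / "Contents" / "Resources").mkdir(parents=True)
    with open(app / "Contents" / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": "com.example.sample"}, fh)
    table = {"en": {"INSTALL_DONE": "Installation complete"},
             "de": {"INSTALL_DONE": "Installation abgeschlossen"}}
    with open(app / "Contents" / "Resources" / "Localizable.loctable", "wb") as fh:
        plistlib.dump(table, fh, fmt=plistlib.FMT_BINARY)
    return app


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = build_sample_bundle(tmp)
        print(triage_bundle(sample, system_root=tmp))
```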
Assured the user that there is close to zero chance of any type of Malware, let alone a virus. The System is sealed in recent versions of macOS and checked for tampering at every boot, so unless someone we haven’t run across has figured a way to work around that, any messages from the System cannot be malicious.
That doesn’t rule out the possibility of some malware presenting messages that are not easily distinguishable from System messages. Not that that affects this particular situation, of course, but the prevalence of exactly such misleading messages on malicious web sites indicates that most users are not well equipped to tell the difference.
Thanks @alvarnell. Yes, I immediately did assure the user accordingly. People tend to say virus when they mean malware or even malfunction or just perceived malfunction.
But @Quantumpanda is right to say that actual malware does use the old tactic to make their stuff look as if it’s a legitimate system message.
The process we saw here should never have become visible to the user. Let’s blame MS, their MS Auto Updater had run at the time, always good to have a scapegoat.
Excellent points all around.
While the screenshot appears to show a floating (modal?) pop-up window which in theory is “safe” as far as we know at present, it is an easy thing to have an identical looking image appear in the center of a web page. As Marquelle said, it is far too easy to fool most computer users even with extensive education campaigns.
I always thought the random macOS / iOS pop-ups were dangerous in general, because you have no way to track their source, even as a tech-savvy user. A centralized, easy to use (for low-tech users) System Alerts/Messages tool is badly needed to help verify the increasing and varied pop-ups we get.
At least when something appears over a web browser, you can minimize the browser window (and check the Window menu list) to see if the pop-up persists, but that just tells you it is most likely not generated by the browser. I am finding more alert windows from macOS and other apps float in the background behind everything and never appear in the Dock, so you only discover them much later.
I don’t think it’s modal, because it has a standard set of “traffic-light” window controls. Modals normally use “OK” and “Cancel” buttons.
It looks to me like a standard “About” window, which pretty much any app can generate saying whatever the developer wants it to, including copying that of another app. An About window guarantees nothing regarding the presence or absence of malware.