Single-user mode
Single-user mode is a specialized boot mode in Unix-like operating systems, including Linux distributions and macOS, that initializes the system with minimal services and processes, restricting access to a single root (superuser) session via a command-line console for diagnostic, maintenance, and recovery tasks. Similar minimal recovery modes exist in other operating systems such as Microsoft Windows.[1] This mode, also known as runlevel 1 in systems using the SysV init tradition (mapped to rescue.target in systemd-based systems), disables networking, graphical interfaces, and most daemons to provide a stable environment for operations like filesystem repairs (e.g., runningfsck), password resets, or configuration changes when normal multi-user operation is impossible due to corruption or boot failures.[2] In Linux, it typically mounts only essential filesystems such as /, /bin, and /sbin, resulting in far fewer running processes—often around 20 compared to over 70 in full multi-user graphical modes—enhancing system stability during repairs.[1]
Historically rooted in early Unix systems for administrative access, single-user mode has evolved but remains a core recovery tool, though its implementation varies by platform.[3] In modern Linux environments, administrators can enter it by editing the GRUB bootloader menu to append single or 1 to the kernel parameters (which activates rescue.target in systemd), or by issuing telinit 1 or systemctl [rescue](/page/Rescue) from a running system as root.[2] For macOS on Intel-based Macs without T2 chip, it was traditionally accessed by holding Command-S during startup to boot into a minimal UNIX shell, allowing direct filesystem access for tasks like mounting volumes read-write with /sbin/mount -uw /.[4] However, Apple disabled direct Command-S access starting with macOS Mojave (10.14) for security reasons, requiring users to enter Recovery Mode (Command-R) and use Terminal instead; on T2-equipped Intel Macs, enabling it also requires adjusting Startup Security Utility settings to "No Security," while on Apple Silicon (M-series) Macs, traditional single-user mode is unavailable and Recovery Mode Terminal provides equivalent access.[4][5]
Due to its unrestricted root privileges, single-user mode poses security risks if accessed without authentication, prompting recommendations for root password protection or firmware passwords in production environments.[1][6] It contrasts with other recovery options like safe mode, which loads essential kernel extensions but allows multi-user graphical access, or verbose mode, which displays boot logs without restricting services.[4] Overall, single-user mode exemplifies a fundamental Unix philosophy of providing low-level administrative control, though its use has diminished in cloud and containerized systems favoring automated recovery tools.[2]
Overview
Definition and Characteristics
Single-user mode is a restricted boot state in Unix-like operating systems where the system initializes with a minimal set of services, permitting access exclusively to a single administrator (root) user through a command-line interface, while disabling networking and multi-user logins.[7][8] This mode contrasts with the standard multi-user mode, which supports concurrent logins from multiple users, full networking capabilities, and a broader array of running services for everyday operations.[9] Key characteristics include the absence of a graphical user interface (GUI), with the system presenting a text-based shell for interaction; suppression of non-essential daemons and processes to minimize resource usage and potential interference during maintenance; and initial mounting of local filesystems, often in read-write mode for the root filesystem but potentially read-only for others to prevent data corruption.[7][8] Networking is typically not enabled, isolating the system from external connections, and only essential services—such as basic system mounts and a rescue shell—are activated to facilitate focused administrative tasks.[9] This configuration enforces exclusivity to one session, ensuring that no other users or processes can interfere with ongoing repairs or configurations.[8] Accessing single-user mode requires physical or remote console access to the system, as it does not support remote logins.[7] It is typically invoked by specifying parameters in the boot loader, such as appending a keyword to the kernel command line, or through dedicated recovery options in certain systems.[9]Purposes and Common Uses
Single-user mode serves primarily as a maintenance and recovery environment in operating systems, enabling administrators to perform critical repairs without the interference of multi-user operations or running services. One key purpose is system repair, particularly addressing corrupted filesystems by allowing unmounted access to partitions for diagnostic and corrective actions.[10] Another essential use is password recovery, where forgotten administrative credentials, such as the root password, can be reset directly through the mode's shell access.[11] Additionally, it facilitates software installation and updates without concurrent user activity, ensuring stability during processes like loading kernel modules or applying patches that require exclusive system control.[12] Hardware diagnostics also benefit from this mode, as it provides a controlled setting to test components without background processes complicating results.[13] Common applications include executing filesystem integrity checks to identify and fix errors on critical volumes, editing essential configuration files like those managing user accounts, and conducting isolated data backups to prevent corruption during transfer.[10] For instance, administrators might use it to repair a damaged root filesystem or test new kernel modules before full deployment, minimizing disruptions in production environments.[14] These tasks are particularly valuable when normal multi-user operation would lock resources or introduce conflicts from active sessions. The mode offers advantages such as reduced resource consumption, as it boots with minimal services and daemons, freeing CPU, memory, and I/O for intensive repair work.[10] It also provides isolation from potential user errors, malware, or network intrusions, creating a secure, root-only environment for sensitive operations.[12] However, improper handling poses risks, including potential data loss if filesystems fail to mount correctly or if repairs like filesystem checks are executed without backups.[15]History
Origins in Early Unix
Single-user mode originated in the early development of Unix at Bell Laboratories during the 1970s, where it served as a foundational mechanism for system initialization and maintenance in resource-constrained environments. The operating system, initially prototyped by Ken Thompson on a PDP-7 minicomputer in 1969–1970, supported only a single user program in core memory at a time, lacking multi-programming capabilities and featuring just two processes—one per terminal—without advanced process control primitives like fork or wait.[16] This early incarnation, while not formally multi-user, laid the groundwork for distinguishing operational states, as Unix evolved rapidly following its port to the more capable PDP-11 in 1971 by Thompson and Dennis Ritchie.[16] The design emphasized simplicity and efficiency, influenced by the developers' experiences porting and refining the system for Bell Labs' computing needs, where hardware limitations like 16-bit addressing and modest RAM (often 64 KB or less) made full multi-user operation demanding.[16] By the mid-1970s, as Unix matured into a time-sharing system supporting multiple concurrent users via the PDP-11's hardware, the init process provided for a single-user shell on boot for administrative tasks without immediately invoking the full multi-user environment. This allowed the system to initialize with minimal services, providing direct console access to a shell for root-level operations such as file system checks or repairs. The early rationale for single-user mode stemmed from the hardware realities of 1970s minicomputers, where enabling multi-user features—such as multiple ttys and getty processes—consumed significant memory and processing cycles, often leaving little for actual workloads on systems with 128 KB RAM or less. By booting with a single-user shell, administrators could perform critical tasks like fsck on the root file system or kernel reconfiguration without immediately transitioning to multi-user mode, mitigating downtime and resource contention in Bell Labs' research environment. This approach reflected the developers' pragmatic design philosophy, prioritizing reliability and ease of recovery in an era when hardware reboots were frequent and time-consuming.[16] The concept was first formally documented in the Version 7 Unix release of 1979, with the init(8) man page describing how the init process, invoked during boot, opens the console device (/dev/console) to launch a shell in single-user mode if no multi-user transition occurs. If the shell exits, init proceeds to multi-user mode by executing /etc/rc for system startup tasks like mounting file systems and spawning login processes. This documentation, part of the standard Unix Programmer's Manual, solidified single-user mode as an essential tool for administrators, enabling maintenance without the overhead of multi-user daemons and terminals.[17]Evolution Across Operating Systems
The concept of single-user mode, first distinguished in Unix Version 1 in 1971 and defaulting to single-user booting by Version 7 in 1979, proliferated across Unix variants in the 1980s as systems emphasized reliable recovery mechanisms.[18] In Berkeley Software Distribution (BSD) implementations, starting from 4BSD in the early 1980s, single-user mode became a core boot option, providing a root shell for filesystem checks and repairs without loading multi-user daemons, reflecting the need for robust administrative access in academic and research environments. Similarly, AT&T's UNIX System V, released in 1983, integrated single-user functionality, with System V Release 3 (SVR3) in 1987 introducing the /etc/inittab file to define runlevels—where runlevel 1 explicitly denoted single-user mode for maintenance. This was further standardized in System V Release 4 (SVR4) in 1988, unifying runlevel behaviors across commercial Unix implementations like Solaris and HP-UX to facilitate consistent system administration.[19] The single-user mode paradigm extended beyond Unix into proprietary operating systems in the 1990s, adapting to graphical user interfaces while retaining command-line recovery for stability in consumer and enterprise settings. Early versions of Microsoft Windows NT, such as NT 3.1 launched in 1993, provided recovery options using installation floppies to access and repair system files without full multi-user initialization; this evolved into the Recovery Console in Windows 2000 (2000), a text-based environment akin to single-user mode for tasks such as disk checks and registry edits. In Apple's ecosystem, macOS (then Mac OS X 10.0 "Cheetah"), released in 2001, incorporated single-user mode through its Darwin kernel—a BSD derivative—enabling boot into a root prompt by holding Command-S, primarily to address filesystem issues and configuration in a GUI-centric OS without network or desktop services.[3] In the 2010s, the evolution shifted toward more flexible and secure implementations, particularly with the rise of systemd in Linux distributions starting around 2010. Systemd replaced rigid runlevels with declarative targets, where the rescue.target emulates traditional single-user mode by mounting filesystems and starting essential services for a minimal shell, while emergency.target offers an even leaner recovery option; this transition, led by Lennart Poettering, improved parallelism in booting and integration with modern hardware.[20] Concurrently, in cloud and virtualized environments, single-user mode adapted for remote administration—such as via serial consoles in AWS or Azure— with security enhancements like GRUB bootloader passwords to block unauthorized entry and full-disk encryption (e.g., LUKS) requiring passphrase prompts even in recovery modes, mitigating risks from physical or virtual console access.[21]Unix-like Systems
General Boot Mechanisms
In Unix-like systems, the boot process into single-user mode begins with interaction at the boot loader stage, where users append specific parameters to the kernel command line to request runlevel S or 1. This configuration directs the system to initialize with limited services, enabling root-level maintenance such as filesystem repairs or configuration changes.[22][23] Boot loaders like GRUB facilitate this by allowing temporary edits to menu entries: at the GRUB menu, pressing 'e' opens the editor, where 'single' or '1' is added to the end of the 'linux' command line (e.g.,linux /vmlinuz root=/dev/sda1 single), followed by Ctrl-X to boot.[24] With LILO, users enter 'linux single' or 'linux 1' directly at the boot prompt to invoke the mode, assuming the default image label is 'linux'.[25] For SPARC systems using OpenBoot PROM, the 'ok' prompt accepts 'boot -s' to load the kernel in single-user state after halting the system with 'init 0'.[26]
Upon kernel loading, the init process (PID 1) assumes control as the parent of all processes and consults /etc/inittab to handle the specified runlevel.[22] For runlevel S or 1, init executes sysinit and bootwait entries first, then runs /sbin/rcS to mount the root filesystem read-write along with /usr, /var, and /tmp as needed for basic operations.[22][23] It subsequently starts a root shell directly on the console, often via a respawn entry in /etc/inittab (e.g., s1:1:respawn:/sbin/rc1), providing an interactive environment without network or multi-user services.[22] The /etc/inittab file structures these transitions, with fields defining runlevels, actions (e.g., wait, respawn), and processes for each state.[27]
To leave single-user mode, entering 'exit' at the shell prompt signals init to terminate the session and advance to the default runlevel (typically 2 or 3 for multi-user operation), resuming normal boot scripts.[23] Alternatively, 'reboot' invokes init 6 to shut down and restart into the standard multi-user mode, or 'init 6' achieves the same effect directly.[28] These mechanisms ensure controlled exits, preserving /etc/inittab-defined runlevel behaviors.[22]
Configuration and Access Methods
In Unix-like systems, single-user mode typically mounts the root filesystem as read-only to ensure system integrity during maintenance. To enable modifications, administrators can remount it read-write using system-specific commands, such asmount -o remount,rw / in Linux or mount -uw / in FreeBSD, which allows writing to the root partition without rebooting.[29][30][31] This step is essential before performing tasks like editing configuration files or installing updates.
Filesystem integrity checks are commonly performed in single-user mode using the fsck utility, which scans and repairs inconsistencies on unmounted or minimally mounted partitions. The command fsck -y /dev/sdX automatically fixes errors without prompting, making it suitable for the root filesystem after remounting it read-write if necessary; however, for the root device, it is often run before full mounting to avoid corruption risks.[32][33]
Access to single-user mode is managed through the sulogin utility, which presents a root shell prompt upon entry. By default, if the root password files are intact, sulogin requires the root password for authentication; however, if these files are damaged or absent, it grants root access without prompting, posing a security risk.[34][35] To enforce password protection explicitly, the /etc/default/sulogin file can be configured with the PASSREQ=YES option, ensuring the root password is always required regardless of file integrity.[35]
Customization of single-user mode behavior is achieved by editing boot initialization scripts, such as /etc/[rc](/page/rc) in systems like FreeBSD, which is invoked with the single=YES argument to limit services and mount only essential filesystems. Administrators can modify this script to include automated tasks, like custom mounts or preliminary checks, before the shell prompt appears.[29][36] For broader system tweaks affecting single-user entry, settings in /etc/rc.conf control aspects like console security and default shell selection.[29]
Logging in single-user mode is minimal due to limited services, but any enabled system events, such as mount operations or fsck outputs, are typically recorded in /var/log/messages if the syslog daemon is partially active or configured to persist. This file serves as the primary repository for kernel and maintenance messages, allowing post-session review of actions performed.[37][38]
Linux-Specific Implementations
In legacy Linux systems using SysV init, single-user mode corresponds to runlevel 1, which is defined in the /etc/inittab file as the default or targeted runlevel for minimal operation, typically with a line such as "id:1:initdefault:" to set it as the initial state after boot scripts.[39] This configuration directs the init process to execute essential boot scripts from /etc/init.d/, including the /etc/init.d/single script, which provides a root shell for maintenance tasks while halting non-essential services like networking.[40] To enter single-user mode from a running system, administrators use the telinit 1 command, which signals the init process to transition to runlevel 1 and invoke the associated scripts.[41] Modern Linux distributions, adopting systemd as the init system since around 2010, replace runlevels with targets, where rescue.target serves as the equivalent to SysV's single-user mode (runlevel 1), mounting the root filesystem read-write and providing a root shell for recovery without starting multi-user services. Activation occurs via systemctl isolate rescue.target, which isolates the system to this target and stops other services, or by booting with the kernel parameter systemd.unit=rescue.target appended to the GRUB command line. For even more minimal access, emergency.target offers a basic shell without full filesystem mounting, invoked similarly with systemctl isolate emergency.target or the corresponding kernel parameter. Major distributions like Ubuntu and Debian have defaulted to systemd since 2015, with Ubuntu switching in version 15.04 and Debian in version 8 (Jessie), ensuring broad compatibility for these target-based single-user implementations across contemporary Linux environments.[42][43] This shift maintains backward compatibility for SysV scripts via generators but prioritizes systemd's declarative units for precise control in rescue scenarios.BSD and Derivatives
In BSD-based systems, single-user mode provides a minimal environment for maintenance tasks, such as filesystem repairs, differing from Linux implementations by relying on loader prompts and rc-based initialization rather than runlevels or systemd. FreeBSD enters single-user mode by specifying the-s flag at the loader prompt (e.g., boot -s), which boots the kernel with the RB_SINGLE flag set, resulting in a root shell on the console without executing multi-user startup scripts.[44] In this mode, the root filesystem is mounted read-only initially to prevent accidental damage, and users must manually remount it read-write with mount -uw / after running fsck if needed for consistency checks.[45][31] Networking is not enabled by default but can be started manually via /etc/rc.d/netif start if required for tasks like remote access, with options controlled by settings in /etc/rc.conf.[29]
NetBSD and OpenBSD employ similar mechanisms, using the -s flag at the boot loader prompt to invoke single-user mode via the RB_SINGLE boothowto flag, providing a superuser shell for repairs while skipping full multi-user initialization.[46][47] In NetBSD, /etc/rc.single executes basic setup scripts after filesystem checks, handling tasks like mounting non-root filesystems if fsck succeeds. OpenBSD, prioritizing security, configures the console as "secure" in /etc/ttys by default, requiring the root password to enter the single-user shell and preventing unauthorized physical access; privilege escalation tools like doas (OpenBSD's lightweight sudo alternative) align with this emphasis on minimal, audited access, though the mode itself grants direct root privileges.[48] Both systems mount the root filesystem read-only initially and support manual fsck execution for UFS or other supported filesystems before proceeding.
Derivatives like DragonFly BSD inherit these loader-based approaches, entering single-user mode via the -s flag or boot menu selection, with configurations editable in /boot/boot.cfg for custom kernel parameters.[49] This mode supports HAMMER filesystem-specific checks, such as hammer fsck for integrity verification and repair, which runs manually after remounting filesystems read-write, extending the traditional BSD model to handle DragonFly's advanced storage features without automatic multi-user services.[50]
Microsoft Windows
Windows NT Family
In the Windows NT family, single-user mode equivalents primarily manifest through specialized recovery environments designed to facilitate system repairs, data recovery, and troubleshooting without loading the full graphical user interface or multi-user services. These mechanisms adapt the core purpose of single-user mode—providing isolated access for maintenance—into Windows-specific tools that prioritize stability and enterprise needs, such as fixing boot issues or restoring directory services.[51] The foundational recovery tool in the NT lineage is the Recovery Console, introduced with Windows 2000 on February 17, 2000, which offers a command-line interface for limited file access, disk repairs, and boot configuration on FAT and NTFS volumes. This was succeeded by the Windows Recovery Environment (WinRE) starting in Windows Vista, evolving into a more comprehensive set of diagnostic and repair options that can be invoked to address unbootable states caused by corrupted files, driver failures, or hardware issues.[51] WinRE includes an automatic repair feature that triggers after multiple failed boot attempts, scanning for and resolving common problems like startup configuration errors.[52] Accessing WinRE typically involves booting from Windows installation media, where selecting "Repair your computer" leads to options including a Command Prompt for executing utilities such aschkdsk to scan and repair disk errors or bootrec commands like /fixmbr, /fixboot, and /rebuildbcd to reconstruct boot records.[53] Alternatively, on systems supporting it, users can enable legacy boot menus via bcdedit /set {default} bootmenupolicy legacy to access advanced options with F8 (or Shift+F8 on some configurations) during startup, though modern UEFI-based systems in Windows 10 and 11 favor Shift+Restart from the login screen or Settings > Update & Security > Recovery for seamless entry.[54] Enhancements in Windows 10 and 11 integrate deeper UEFI support, allowing WinRE to handle secure boot environments and expanded push-button reset functionalities, while maintaining compatibility with tools like System File Checker (sfc /scannow) for integrity checks. However, in October 2025, a security update temporarily disabled USB input in WinRE, which was promptly addressed by a follow-up patch.[51][55]
For enterprise scenarios involving Active Directory domain controllers, Directory Services Restore Mode (DSRM) provides a dedicated single-user-like boot option, introduced alongside Active Directory in Windows 2000 Server, enabling offline repairs to the directory database without multi-user interference.[56] In DSRM, the domain controller boots into a restricted state using the local administrator account (separate from the domain admin), allowing tasks such as database recovery with ntdsutil for authoritative restores or password resets via ntdsutil set dsrm password.[57] This mode is invoked by selecting it from the boot menu (F8 in legacy BIOS) or configuring bcdedit /set {default} safeboot dsrepair for automatic entry on restart, ensuring isolated access to fix replication issues, schema errors, or corrupted Ntds.dit files before returning to normal Directory Services operation.
Windows 9x and ME
In Windows 9x and ME, single-user mode functionality was primarily accessed through Safe Mode variants, which provided a minimal graphical or command-line environment for troubleshooting system issues rooted in their MS-DOS heritage. Safe Mode with Command Prompt, often referred to as "Command Prompt Only," loaded only essential drivers such as basic VGA graphics, keyboard, and mouse support, bypassing most third-party configurations and the Windows shell to present a DOS-like prompt (C:>). This allowed users to edit critical files like autoexec.bat or config.sys directly using tools such as edit.com or copy commands, facilitating repairs to corrupted startup scripts or driver conflicts without the full GUI interfering.[58] To boot into Safe Mode with Command Prompt, users restarted the system and pressed F8 repeatedly upon seeing the "Starting Windows 95" or "Starting Windows 98" message to access the Startup Menu, then selected option 6 for "Safe mode command prompt only." The msconfig utility—available in Windows 98 and ME—enabled selective startup options under the General tab to enforce Safe Mode on subsequent boots, though command prompt access still required menu selection or manual shell exit. For broader recovery, an Emergency Boot Disk (EBD), created via the Add/Remove Programs applet or format a: /s command, provided a real-mode MS-DOS environment from a floppy diskette. Booting from the EBD granted read-write access to the C: drive on FAT file systems, enabling utilities like scandisk.exe for disk error checking and sys c: to transfer system files from the floppy to repair a non-booting installation in Windows 95 and 98; Windows ME extended this with similar floppy-based recovery but emphasized CD-ROM integration where available.[59][60][61] These modes had inherent limitations, including the absence of networking support, as they prioritized local disk and configuration access over connectivity to avoid exacerbating driver-related crashes. No option for "Safe Mode with Networking" existed, unlike later NT-based systems, restricting tasks to offline repairs. Following Windows ME's release in 2000, these DOS-derived recovery mechanisms were phased out in favor of the NT kernel's Recovery Console in subsequent Windows versions, marking the end of the 9x consumer line's single-user approaches.[62][63]macOS
Booting into Single-user Mode
Booting into single-user mode on macOS, a Unix-like operating system derived from Darwin, provides a minimal command-line environment for advanced troubleshooting by loading the kernel without the graphical Aqua interface.[4] This mode inherits general Unix-like boot mechanisms, such as kernel initialization followed by a root filesystem mount, but is tailored to Apple's hardware and security features.[64] For Intel-based Macs running macOS versions prior to Mojave (10.14), users boot into single-user mode by restarting the computer and immediately holding down the Command (⌘) + S keys until a black screen with white text appears, indicating the verbose boot process.[4] This key combination interacts with the EFI firmware to bypass the standard multi-user boot sequence, loading a minimal kernel environment.[65] In macOS Mojave and later versions, including on Intel hardware, this direct key-based method is disabled for security reasons. The standard alternative is to boot into macOS Recovery by holding Command (⌘) + R during startup, then select Utilities > Terminal from the Recovery interface to access a root shell. For T2-equipped Intel Macs, if external booting or reduced security is needed, adjust settings in Startup Security Utility to "Medium Security" or "No Security" via Recovery.[4][66] On Apple Silicon Macs (introduced in 2020 with the M1 chip and later models), traditional key combinations like Command + S are not supported due to the integrated secure boot architecture; direct single-user mode is unavailable. Instead, users access an equivalent root command-line state via macOS Recovery.[67] To do this, shut down the Mac, then press and hold the power button until the "Loading startup options" screen appears, release it, and select Options to enter Recovery mode.[67] From the Recovery interface, choose Utilities > Terminal to open a root shell. As of macOS Sequoia (2024) and subsequent releases, this remains the primary method for root-level access in a minimal environment.[4] Once booted, single-user mode presents a root shell prompt on the console device/dev/console, with the root filesystem initially mounted read-only to prevent corruption.[68] The system automatically performs a filesystem check using fsck if inconsistencies are detected during kernel initialization, displaying verbose logging of the boot sequence and any repairs on the screen.[68] Users must manually remount the filesystem as read-write with mount -uw / to perform modifications, after which standard Unix commands are available for maintenance tasks.[68] To exit and reboot normally, type reboot at the prompt.[65]
Troubleshooting Applications
Single-user mode in macOS offers a root shell environment for performing targeted diagnostics and repairs on systems where standard booting fails or advanced access is required, particularly on Intel-based Macs where it remains accessible despite deprecation in favor of Recovery mode since macOS Mojave.[4] This mode bypasses the graphical interface and multi-user processes, providing direct filesystem and configuration manipulation without interference from running services.[5] A core application involves filesystem repairs, essential for resolving corruption that prevents normal startup. Administrators can execute/sbin/fsck -fy to verify and automatically repair HFS+ volumes by scanning for inconsistencies in the directory structure and inode information.[69] For APFS volumes, introduced in macOS High Sierra, the fsck_apfs command serves a similar purpose, checking container integrity and repairing snapshots or allocation errors.[69] Following verification, the root filesystem is typically read-only; remounting it read-write enables further modifications via /sbin/mount -uw / or diskutil mount / to apply changes or access protected areas.[68]
Configuration edits represent another vital use, allowing direct intervention in system settings inaccessible during regular operation. The /etc/fstab file can be edited with tools like vi to adjust mount points or options for volumes, though macOS relies less on it than traditional Unix systems due to automated disk management.[70] Launchd property list files in /System/Library/LaunchDaemons/ or /Library/LaunchDaemons/ can be modified using plutil or text editors to tweak service behaviors, such as disabling problematic daemons before reboot. Password resets for user accounts are facilitated by first loading the Directory Services framework with launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist, followed by the passwd command to set a new password for the root or target user.
Advanced troubleshooting leverages single-user mode for specialized tasks beyond basic repairs. Kernel extensions can be tested by loading them manually with kextload to isolate compatibility issues without full system boot, aiding in debugging third-party drivers. Time Machine restores are possible via the tmutil command, allowing selective recovery of files or volumes from backups mounted in the environment. On Intel-based hardware, Target Disk Mode provides an alternative for data extraction by connecting the Mac as an external drive to another system via Thunderbolt or USB-C (on T2 models), though it is a distinct mode from single-user mode.[4][71]