Apple - Disabling startup items that run on their own

Day One seems to store the login item in /var/db/launchd.db/com.apple.launchd.peruser.501/overrides.plist:

$ /usr/libexec/PlistBuddy -c 'Print _com.apple.SMLoginItemBookmarks:com.dayoneapp.dayone-agent' /var/db/launchd.db/com.apple.launchd.peruser.501/overrides.plist
book 0(UserslaurTorrents
                        Day One.apContentsLibrary
LoginItemsDay One Reminders.app $4HXh?kld ????$A????H???A?1M?$5DF7A03E-A7FB-3E80-B61D-F10CD8BF7B5D?/?0c75ae904b0f99cb3a794e7360629c822a0f4a14;00000000;0000000000000020;com.apple.app-sandbox.read-write;00000001;01000002;0000000000641712;/users/lauri/torrents/day one.app/contents/library/loginitems/day one reminders.app??????D|@l 0 ? ? ? ?  0 <???????D

Changing this to true in that same file disabled it:

<key>com.dayoneapp.dayone-agent</key>
<dict>
    <key>Disabled</key>
    <false/>
</dict>

(This is not about the user visible Login Items under the Users & Groups Systems Preferences)

The Contents/Library/LoginItems/ buried in the application bundle is what appears to be the implementation of Apple's approach to sandboxed apps.

The tip from @user495470 about the storage of the login item reference in /var/db/launchd.db/ seems to be now defunct in macOS 10.12

Apple's direction appears to be heading into the app-self-contained approach where the LaunchDaemons, LaunchAgents, and StartupItems may be off-limits in the future as Mac apps may be required to be sandboxed at some point (personal conjecture, not fact). On the other hand CFPreferences API and sending AppleEvents to launch are deprecated...

Ref:

  • Adding Login Items - Apple Developer
  • Table 3: Std locations for code in bundle
  • App Sandbox LoginItem Sample Code

While in the past it was easy to look in the aforementioned folders for startup launch information (per Dan), this new sandboxed model, while theoretically safer operationally, hides the an app's (or Trojan's?) startup capability from all normal users and most superusers who know to look in the system directories. Finding these hidden Login Items now has become a PITA (pain in the app) with either grep'ing your way through the Applications folder or manually open app bundles looking in /Contents/Library/ for a "LoginItems" folder and it's contents. For the user level solution, I did find a tool that lists the app bundle embedded Login Items called CleanMyMac (can deactivate or activate them. Be careful, only get this app from the company. There are cracked versions available that actually carry a virus in a way very similar to how Login Items now works (irony)..) CleanMyMac showing Login Items picker

And notice how these items, enabled or disabled, are not part of the user visible "Login Items" under the "Users & Groups" System Preferences:

If you are like me and you are working this at a code level, a consolidated guide to implementation is here (by Tim Schroeder 2013): The Launch at Login Sandbox Project