How to determine which process is creating a file?












2














Two files have suddenly appeared in my home directory, called "aa" and "err". They are empty. I'm wondering how they got there. I deleted the files and they are created again after some seconds.



Is there a way to monitor the home directory for the creation of files to find out where they came from?



I mention that lsof couldn't help in this case (I got an empty result using lsof aa)






macos file







share|improve this question





























    2














    Two files have suddenly appeared in my home directory, called "aa" and "err". They are empty. I'm wondering how they got there. I deleted the files and they are created again after some seconds.



    Is there a way to monitor the home directory for the creation of files to find out where they came from?



    I mention that lsof couldn't help in this case (I got an empty result using lsof aa)






    macos file







    share|improve this question



























      2












      2








      2







      Two files have suddenly appeared in my home directory, called "aa" and "err". They are empty. I'm wondering how they got there. I deleted the files and they are created again after some seconds.



      Is there a way to monitor the home directory for the creation of files to find out where they came from?



      I mention that lsof couldn't help in this case (I got an empty result using lsof aa)






      macos file







      share|improve this question















      Two files have suddenly appeared in my home directory, called "aa" and "err". They are empty. I'm wondering how they got there. I deleted the files and they are created again after some seconds.



      Is there a way to monitor the home directory for the creation of files to find out where they came from?



      I mention that lsof couldn't help in this case (I got an empty result using lsof aa)






      macos file




      macos file






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited 3 hours ago









      bmike

      156k46282606




      156k46282606










      asked 4 hours ago









      Kwadz

      13316




      13316






















          1 Answer
          1






          active

          oldest

          votes


















          2














          fs_usage is your tool for this.



          The file system usage tool is ideal since it taps in to the real time file system events and dumps activity to a file or the screen. Since you know the exact path of the file, you can filter out all the thousands of irrelevant (to this case) filesystem changes and see what reads / writes to that file pretty quickly.



          If your home directory is /Users/me then you can filter for /Users/me/aa



          mac:~ me$ sudo fs_usage | grep /Users/me/aa
          
09:35:21  stat64            /Users/me/aa      0.000033   touch       
          
09:35:21  utimes            /Users/me/aa      0.000104   touch       
          
09:35:21  fsgetpath         /Users/me/aa      0.000119   Finder      
          
09:35:22  lstat64           /Users/me/aa      0.000039   fseventsd   
          
09:35:22  fsgetpath         /Users/me/aa      0.000027   mds         
          
09:35:22  getattrlist       /Users/me/aa      0.000064   mds         
          
09:35:22  listxattr         /Users/me/aa      0.000012   mds         
          
09:35:22  getattrlist       /Users/me/aa      0.000130   mds         
          
09:35:22  getattrlist       /Users/me/aa      0.000033   mds         
          
09:35:22  open              /Users/me/aa      0.000071   mdworker_sha
          
09:35:22    RdData[AT2]     /Users/me/aa      0.000331 W mdworker_sha
          
09:35:22  getattrlist       /Users/me/aa      0.000042   mds         
          
09:35:24  lstat64           /Users/me/aa      0.000114   rm          
          
09:35:24  access            /Users/me/aa      0.000209   rm          
          
09:35:24  unlink            /Users/me/aa      0.000909   rm          
          
09:35:25  lstat64           /Users/me/aa      0.000042   fseventsd   
          
09:35:25  lstat64           /Users/me/aa      0.000006   rm


          (note: I deleted a lot of white space above - the fs_usage command outputs a wide amount of empty space so you can't easily see the touch command on the far right if I copy/paste the exact output.)



          Here I use the touch command to create the file, append a string to it and then rm it from the command line.



          mac:~ me$ touch ~/aa
          
mac:~ me$ echo foo >> ~/aa
          
mac:~ me$ rm ~/aa


          There will be tons of other apps that read, so you can filter on the stat64 and lstat74 operations if there are too many attribute reads and spotlight activity around the file once it's created.




          • http://toddsnotes.blogspot.com/2014/02/use-fsusage-to-monitor-file-system.html

          • https://developer.apple.com/library/archive/documentation/Performance/Conceptual/FileSystem/Articles/FileSystemCalls.html


          The manual page for this command is quite dense (and not a "how-to") which is typical but better than no documentation from Apple on how to use it.






          share|improve this answer























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "118"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fapple.stackexchange.com%2fquestions%2f347040%2fhow-to-determine-which-process-is-creating-a-file%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            2














            fs_usage is your tool for this.



            The file system usage tool is ideal since it taps in to the real time file system events and dumps activity to a file or the screen. Since you know the exact path of the file, you can filter out all the thousands of irrelevant (to this case) filesystem changes and see what reads / writes to that file pretty quickly.



            If your home directory is /Users/me then you can filter for /Users/me/aa



            mac:~ me$ sudo fs_usage | grep /Users/me/aa
            
09:35:21  stat64            /Users/me/aa      0.000033   touch       
            
09:35:21  utimes            /Users/me/aa      0.000104   touch       
            
09:35:21  fsgetpath         /Users/me/aa      0.000119   Finder      
            
09:35:22  lstat64           /Users/me/aa      0.000039   fseventsd   
            
09:35:22  fsgetpath         /Users/me/aa      0.000027   mds         
            
09:35:22  getattrlist       /Users/me/aa      0.000064   mds         
            
09:35:22  listxattr         /Users/me/aa      0.000012   mds         
            
09:35:22  getattrlist       /Users/me/aa      0.000130   mds         
            
09:35:22  getattrlist       /Users/me/aa      0.000033   mds         
            
09:35:22  open              /Users/me/aa      0.000071   mdworker_sha
            
09:35:22    RdData[AT2]     /Users/me/aa      0.000331 W mdworker_sha
            
09:35:22  getattrlist       /Users/me/aa      0.000042   mds         
            
09:35:24  lstat64           /Users/me/aa      0.000114   rm          
            
09:35:24  access            /Users/me/aa      0.000209   rm          
            
09:35:24  unlink            /Users/me/aa      0.000909   rm          
            
09:35:25  lstat64           /Users/me/aa      0.000042   fseventsd   
            
09:35:25  lstat64           /Users/me/aa      0.000006   rm


            (note: I deleted a lot of white space above - the fs_usage command outputs a wide amount of empty space so you can't easily see the touch command on the far right if I copy/paste the exact output.)



            Here I use the touch command to create the file, append a string to it and then rm it from the command line.



            mac:~ me$ touch ~/aa
            
mac:~ me$ echo foo >> ~/aa
            
mac:~ me$ rm ~/aa


            There will be tons of other apps that read, so you can filter on the stat64 and lstat74 operations if there are too many attribute reads and spotlight activity around the file once it's created.




            • http://toddsnotes.blogspot.com/2014/02/use-fsusage-to-monitor-file-system.html

            • https://developer.apple.com/library/archive/documentation/Performance/Conceptual/FileSystem/Articles/FileSystemCalls.html


            The manual page for this command is quite dense (and not a "how-to") which is typical but better than no documentation from Apple on how to use it.






            share|improve this answer




























              2














              fs_usage is your tool for this.



              The file system usage tool is ideal since it taps in to the real time file system events and dumps activity to a file or the screen. Since you know the exact path of the file, you can filter out all the thousands of irrelevant (to this case) filesystem changes and see what reads / writes to that file pretty quickly.



              If your home directory is /Users/me then you can filter for /Users/me/aa



              mac:~ me$ sudo fs_usage | grep /Users/me/aa
              
09:35:21  stat64            /Users/me/aa      0.000033   touch       
              
09:35:21  utimes            /Users/me/aa      0.000104   touch       
              
09:35:21  fsgetpath         /Users/me/aa      0.000119   Finder      
              
09:35:22  lstat64           /Users/me/aa      0.000039   fseventsd   
              
09:35:22  fsgetpath         /Users/me/aa      0.000027   mds         
              
09:35:22  getattrlist       /Users/me/aa      0.000064   mds         
              
09:35:22  listxattr         /Users/me/aa      0.000012   mds         
              
09:35:22  getattrlist       /Users/me/aa      0.000130   mds         
              
09:35:22  getattrlist       /Users/me/aa      0.000033   mds         
              
09:35:22  open              /Users/me/aa      0.000071   mdworker_sha
              
09:35:22    RdData[AT2]     /Users/me/aa      0.000331 W mdworker_sha
              
09:35:22  getattrlist       /Users/me/aa      0.000042   mds         
              
09:35:24  lstat64           /Users/me/aa      0.000114   rm          
              
09:35:24  access            /Users/me/aa      0.000209   rm          
              
09:35:24  unlink            /Users/me/aa      0.000909   rm          
              
09:35:25  lstat64           /Users/me/aa      0.000042   fseventsd   
              
09:35:25  lstat64           /Users/me/aa      0.000006   rm


              (note: I deleted a lot of white space above - the fs_usage command outputs a wide amount of empty space so you can't easily see the touch command on the far right if I copy/paste the exact output.)



              Here I use the touch command to create the file, append a string to it and then rm it from the command line.



              mac:~ me$ touch ~/aa
              
mac:~ me$ echo foo >> ~/aa
              
mac:~ me$ rm ~/aa


              There will be tons of other apps that read, so you can filter on the stat64 and lstat74 operations if there are too many attribute reads and spotlight activity around the file once it's created.




              • http://toddsnotes.blogspot.com/2014/02/use-fsusage-to-monitor-file-system.html

              • https://developer.apple.com/library/archive/documentation/Performance/Conceptual/FileSystem/Articles/FileSystemCalls.html


              The manual page for this command is quite dense (and not a "how-to") which is typical but better than no documentation from Apple on how to use it.






              share|improve this answer


























                2












                2








                2






                fs_usage is your tool for this.



                The file system usage tool is ideal since it taps in to the real time file system events and dumps activity to a file or the screen. Since you know the exact path of the file, you can filter out all the thousands of irrelevant (to this case) filesystem changes and see what reads / writes to that file pretty quickly.



                If your home directory is /Users/me then you can filter for /Users/me/aa



                mac:~ me$ sudo fs_usage | grep /Users/me/aa
                
09:35:21  stat64            /Users/me/aa      0.000033   touch       
                
09:35:21  utimes            /Users/me/aa      0.000104   touch       
                
09:35:21  fsgetpath         /Users/me/aa      0.000119   Finder      
                
09:35:22  lstat64           /Users/me/aa      0.000039   fseventsd   
                
09:35:22  fsgetpath         /Users/me/aa      0.000027   mds         
                
09:35:22  getattrlist       /Users/me/aa      0.000064   mds         
                
09:35:22  listxattr         /Users/me/aa      0.000012   mds         
                
09:35:22  getattrlist       /Users/me/aa      0.000130   mds         
                
09:35:22  getattrlist       /Users/me/aa      0.000033   mds         
                
09:35:22  open              /Users/me/aa      0.000071   mdworker_sha
                
09:35:22    RdData[AT2]     /Users/me/aa      0.000331 W mdworker_sha
                
09:35:22  getattrlist       /Users/me/aa      0.000042   mds         
                
09:35:24  lstat64           /Users/me/aa      0.000114   rm          
                
09:35:24  access            /Users/me/aa      0.000209   rm          
                
09:35:24  unlink            /Users/me/aa      0.000909   rm          
                
09:35:25  lstat64           /Users/me/aa      0.000042   fseventsd   
                
09:35:25  lstat64           /Users/me/aa      0.000006   rm


                (note: I deleted a lot of white space above - the fs_usage command outputs a wide amount of empty space so you can't easily see the touch command on the far right if I copy/paste the exact output.)



                Here I use the touch command to create the file, append a string to it and then rm it from the command line.



                mac:~ me$ touch ~/aa
                
mac:~ me$ echo foo >> ~/aa
                
mac:~ me$ rm ~/aa


                There will be tons of other apps that read, so you can filter on the stat64 and lstat74 operations if there are too many attribute reads and spotlight activity around the file once it's created.




                • http://toddsnotes.blogspot.com/2014/02/use-fsusage-to-monitor-file-system.html

                • https://developer.apple.com/library/archive/documentation/Performance/Conceptual/FileSystem/Articles/FileSystemCalls.html


                The manual page for this command is quite dense (and not a "how-to") which is typical but better than no documentation from Apple on how to use it.






                share|improve this answer














                fs_usage is your tool for this.



                The file system usage tool is ideal since it taps in to the real time file system events and dumps activity to a file or the screen. Since you know the exact path of the file, you can filter out all the thousands of irrelevant (to this case) filesystem changes and see what reads / writes to that file pretty quickly.



                If your home directory is /Users/me then you can filter for /Users/me/aa



                mac:~ me$ sudo fs_usage | grep /Users/me/aa
                
09:35:21  stat64            /Users/me/aa      0.000033   touch       
                
09:35:21  utimes            /Users/me/aa      0.000104   touch       
                
09:35:21  fsgetpath         /Users/me/aa      0.000119   Finder      
                
09:35:22  lstat64           /Users/me/aa      0.000039   fseventsd   
                
09:35:22  fsgetpath         /Users/me/aa      0.000027   mds         
                
09:35:22  getattrlist       /Users/me/aa      0.000064   mds         
                
09:35:22  listxattr         /Users/me/aa      0.000012   mds         
                
09:35:22  getattrlist       /Users/me/aa      0.000130   mds         
                
09:35:22  getattrlist       /Users/me/aa      0.000033   mds         
                
09:35:22  open              /Users/me/aa      0.000071   mdworker_sha
                
09:35:22    RdData[AT2]     /Users/me/aa      0.000331 W mdworker_sha
                
09:35:22  getattrlist       /Users/me/aa      0.000042   mds         
                
09:35:24  lstat64           /Users/me/aa      0.000114   rm          
                
09:35:24  access            /Users/me/aa      0.000209   rm          
                
09:35:24  unlink            /Users/me/aa      0.000909   rm          
                
09:35:25  lstat64           /Users/me/aa      0.000042   fseventsd   
                
09:35:25  lstat64           /Users/me/aa      0.000006   rm


                (note: I deleted a lot of white space above - the fs_usage command outputs a wide amount of empty space so you can't easily see the touch command on the far right if I copy/paste the exact output.)



                Here I use the touch command to create the file, append a string to it and then rm it from the command line.



                mac:~ me$ touch ~/aa
                
mac:~ me$ echo foo >> ~/aa
                
mac:~ me$ rm ~/aa


                There will be tons of other apps that read, so you can filter on the stat64 and lstat74 operations if there are too many attribute reads and spotlight activity around the file once it's created.




                • http://toddsnotes.blogspot.com/2014/02/use-fsusage-to-monitor-file-system.html

                • https://developer.apple.com/library/archive/documentation/Performance/Conceptual/FileSystem/Articles/FileSystemCalls.html


                The manual page for this command is quite dense (and not a "how-to") which is typical but better than no documentation from Apple on how to use it.







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited 3 hours ago

























                answered 3 hours ago









                bmike

                156k46282606




                156k46282606






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Ask Different!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.





                    Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                    Please pay close attention to the following guidance:


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fapple.stackexchange.com%2fquestions%2f347040%2fhow-to-determine-which-process-is-creating-a-file%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    Morgemoulin

                    Image
                    Morgemoulin — miejscowość i gmina — Państwo   Francja Region Grand Est Departament Moza Okręg Verdun Kod INSEE 55357 Powierzchnia 6,82 km² Populacja  (1990) • liczba ludności 75 • gęstość 11 os./km² Kod pocztowy 55400 Położenie na mapie Francji Morgemoulin 49°14′N   5°35′E / 49,233333   5,583333 Portal Francja Morgemoulin – miejscowość i gmina we Francji, w regionie Grand Est, w departamencie Moza. Według danych na rok 1990 gminę zamieszkiwało 75 osób, a gęstość zaludnienia wynosiła 11 osób/km² (wśród 2335 gmin Lotaryngii Morgemoulin plasuje się na 970. miejscu pod względem liczby ludności, natomiast pod względem powierzchni na miejscu 848.). Bibliografia | Francuski urząd statystyczny ( fr. ) . p   •   d   •   e Gminy okręgu Verdun Abaucourt-Hautecourt • Aincreville • Ambly-sur-Meuse • Amel-sur-l'Étang • Ancemont • Arrancy-sur-Crusne • Aubréville • Autré...
                    Read more

                    Scott Moir

                    Image
                    Scott Moir Tessa Virtue i Scott Moir w 2016 r. Reprezentacja   Kanada Data i miejsce urodzenia 2 września 1987 London Wzrost 180 cm Konkurencja Pary taneczne Partner sportowy Tessa Virtue Trener Marie-France Dubreuil, Patrice Lauzon, Romain Haguenauer Poprzednio: Marina Zujewa, Oleg Epstein, Igor Szpilband, Johnny Johns, Carol Moir, Paul MacIntosh, Suzanne Killing Klub Montreal International School of Skating Poprzednio: Arctic Edge FSC Ilderton Skating Club Lokalizacja treningowa Montreal Poprzednio: Canton Kitchener Rekordy życiowe ISU przed sezonem 2018/2019 Nota łączna 206,07 Igrzyska Olimpijskie 2018 Taniec krótki 83,67 Igrzyska Olimpijskie 2018 Taniec dowolny 122,40 Igrzyska Olimpijskie 2018 Dorobek medalowy Reprezentacja   Kanada Igrzyska olimpijskie Złoto Vancouver 2010 pary taneczne Złoto Pjongczang 2018 pary taneczne Złoto Pjongczang 2018 drużynowo Srebro S...
                    Read more

                    Souastre

                    Image
                    Souastre — miejscowość i gmina — Herb Państwo   Francja Region Hauts-de-France Departament Pas-de-Calais Okręg Arras Kod INSEE 62800 Powierzchnia 7,18 km² Populacja  (1990) • liczba ludności 352 • gęstość 49 os./km² Kod pocztowy 62111 Położenie na mapie Francji Souastre 50°09′N   2°34′E / 50,150000   2,566667 Portal Francja Souastre – miejscowość i gmina we Francji, w regionie Hauts-de-France, w departamencie Pas-de-Calais. Według danych na rok 1990 gminę zamieszkiwały 352 osoby, a gęstość zaludnienia wynosiła 49 osób/km² (wśród 1549 gmin regionu Nord-Pas-de-Calais Souastre plasuje się na 887. miejscu pod względem liczby ludności, natomiast pod względem powierzchni na miejscu 507.). Bibliografia | Francuski urząd statystyczny ( fr. ) . p   •   d   •   e Gminy okręgu Arras Ablain-Saint-Nazaire Ablainzevelle Acheville Achicourt Achiet-le-Grand Achiet-le-Pe...
                    Read more