Possibly causing instability in other applications and seeming to be eventually given the boot by macOS.
i came across these issues as in the past week i built a macos log collector that pulls data from the objective-see tools as well as all the various MacOS system logs and some other stuff like tcp/bluetooth dumps into a single database. thankfully because it's a log collector i have the logs, which i'll post below... but subjectively, before i figured out that ProcessMonitor was the culprit, here's what i noticed that led me to making this issue. (some of these probably have nothing to do with PM but i'm putting them here just in case. odds are at least some of them are PM related)
1. couple of files in my git repo became owned by root. like in the .git/caches dir. so suddenly i wouldn't be able to git commit. this happened multiple times.
2. ProcessMonitor seemed to confuse its version number with FileMonitor. this happened at least twice. Screenshot of my app noticing the change. This was usually a prelude to ...
3. Eventually both PM and FM would lose track of their version numbers altogether which was really weird. Here's the help output when that happened (it's also happened twice now)
4. PM doesn't run for very long before these issues come up - 20-30 minutes maybe.
5. Rebooting and reinstalling seemed to fix the issue.
6. The initial error in the logs is -67065 which a website i just looked at claims means "host has no guest with the requested attributes". There's other codes too, like -67062 and a lot of unix code "3".
7. For a while I had it symlinked in /usr/local/bin. When that was going on the symlinks were the ones losing track of the version numbers.
```
$ which ProcessMonitor
/usr/local/bin/ProcessMonitor
$ ProcessMonitor -h
(null) (v(null)) usage:
 -h or -help      display this usage info
 -pretty          JSON output is 'pretty-printed'
 -skipApple       ignore Apple (platform) processes
 -filter <name>   show events matching process name
```
but then it worked fine called w/full path:
```
$ /Applications/ProcessMonitor.app/Contents/MacOS/ProcessMonitor -h
ProcessMonitor (v1.5.0) usage:
 -h or -help      display this usage info
 -pretty          JSON output is 'pretty-printed'
 -skipApple       ignore Apple (platform) processes
 -filter <name>   show events matching process name
```
at least for a while...then they both started failing.
8. I would start to get error messages like these from the running process:
```
/Users/moonlit/workspace/log-thyself/app/models/concerns/objective_see_event.rb:49:in `parse': quoted string not terminated (after process.arguments[2]) at line 1, column 260 [parse.c:415] in '{"event":"ES_EVENT_TYPE_NOTIFY_EXEC","timestamp":"2022-08-14 03:32:52 +0000","process":{"pid":31576,"name":"git","path":"/opt/homebrew/Cellar/git/2.37.1/bin/git","uid":501,"architecture":"unknown","arguments":["git","commit","-amobjc events use postgres loader (JSON::ParserError)
```
about the system:
Stuff may or may not be relevant:
- this is a brand new macbook air m1 with very little on it besides homebrew, VS Code, and objective-C. everything else is basically stock.
- my use case is to pipe the output of PM into ruby's `Open3.popen3` method. code is here if you want to see the specifics.
- using the `-skipApple` flag mostly
- I never noticed any of these things with `FileMonitor` which i have been using to stream large quantities of events into the DB for most of a week now - only `ProcessMonitor`.
- i'm blocking a lot of traffic with littlesnitch
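
For collectors that consume this output, an added example (not code from the post or from the Objective-See project) of an ingest loop that quarantines malformed lines like the `JSON::ParserError` above instead of crashing, so later events are still recorded. It assumes one JSON event per line (no `-pretty`); `parse_event_line`, `ingest`, `MAX_LINE_BYTES` and `REQUIRED_KEYS` are hypothetical names, and the sample lines are constructed.

```ruby
require 'json'
require 'stringio'

MAX_LINE_BYTES = 64 * 1024 # assumed cap; tune to your event sizes
REQUIRED_KEYS  = %w[event timestamp process].freeze

# Classify one line of monitor output: [:ok, event_hash] or [:rejected, reason].
def parse_event_line(raw)
  return [:rejected, 'oversized line'] if raw.bytesize > MAX_LINE_BYTES
  line = raw.dup.force_encoding(Encoding::UTF_8)
  return [:rejected, 'invalid UTF-8'] unless line.valid_encoding?

  event = JSON.parse(line)
  return [:rejected, 'not a JSON object'] unless event.is_a?(Hash)
  missing = REQUIRED_KEYS - event.keys
  return [:rejected, "missing keys: #{missing.join(',')}"] unless missing.empty?
  pid = event['process'].is_a?(Hash) ? event['process']['pid'] : nil
  return [:rejected, 'process.pid is not an integer'] unless pid.is_a?(Integer)

  [:ok, event]
rescue JSON::ParserError => e
  [:rejected, "malformed JSON: #{e.message[0, 60]}"]
end

# Drain an IO (a StringIO here; the stdout pipe from Open3.popen3 in practice),
# keeping good events and quarantining bad lines instead of raising.
def ingest(io)
  result = { events: [], quarantine: [] }
  io.each_line do |raw|
    line = raw.chomp
    next if line.empty?
    status, value = parse_event_line(line)
    if status == :ok
      result[:events] << value
    else
      result[:quarantine] << { reason: value, bytes: line.bytesize, head: line[0, 40] }
    end
  end
  result
end

# Constructed sample: good event, event cut off mid-string, broken usage banner, good event.
SAMPLE = <<~'LINES'
  {"event":"ES_EVENT_TYPE_NOTIFY_EXEC","timestamp":"2022-08-14 03:32:52 +0000","process":{"pid":31576,"name":"git","arguments":["git","status"]}}
  {"event":"ES_EVENT_TYPE_NOTIFY_EXEC","timestamp":"2022-08-14 03:32:53 +0000","process":{"pid":31577,"name":"git","arguments":["git","commit","-am
  (null) (v(null)) usage:
  {"event":"ES_EVENT_TYPE_NOTIFY_EXIT","timestamp":"2022-08-14 03:32:54 +0000","process":{"pid":31576,"name":"git"}}
LINES
r = ingest(StringIO.new(SAMPLE))
puts "#{r[:events].size} kept; quarantined: #{r[:quarantine].map { |q| q[:reason] }.inspect}"
```

Storing the quarantined lines next to the parsed events keeps a record of when the monitor's output went bad, which is itself useful telemetry.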

