Are there processes that are *not* listed in Activity Monitor? If so, how can I get info on them?

4

3

I am running SL on my Macbook pro (model 8,1) with 4GB RAM. As it is right now I have only iTerm2, QuickSilver and Activity Monitor running (and a couple of daemons in the background e.g. Dropbox and Citations, neither using more than 20-30 MBs). When I check the memory usage, it shows 900+ MB as Wired, and almost a gig as Active.

Checked the list of My Processes, top process there appears to be eating 60-70 MBs. If I list all processes hierarchically I see kernel_task which uses about 350 MBs. Needless to say this is very peculiar.

Being the paranoid nerd I am, I started wondering if I have some hidden malware eating up resources behind the scenes. Is there a way to check that? Otherwise what could be the reason for this unexplained high mem usage?

posdef

Posted 2012-11-07T13:17:01.247

Reputation: 501

Did you check the all processes view or expand the item for launchd in the hierarchial view? – Lri – 2012-11-08T04:24:16.953

yep, nothing interesting there – posdef – 2012-11-08T06:43:23.793

Answers

3

As your user, you only can see your launchd bootstrap in OSX. You live in the Aqua domain. So, to see everything that is running because of you:

launchctl list

Will show you what is loaded. That's not all, however. launchctl has many options, such as:

bslist [PID | ..] [-j]
          This prints out Mach bootstrap services and their respective
          states. While the namespace appears flat, it is in fact hierar-
          chical, thus allowing for certain services to be only available
          to a subset of processes. The three states a service can be in
          are active ("A"), inactive ("I") and on-demand ("D").

          If [PID] is specified, print the Mach bootstrap services avail-
          able to that PID. If [..] is specified, print the Mach bootstrap
          services available in the parent of the current bootstrap. Note
          that in Mac OS X v10.6, the per-user Mach bootstrap namespace is
          flat, so you will only see a different set of services in a per-
          user bootstrap if you are in an explicitly-created bootstrap
          subset.

          If [-j] is specified, each service name will be followed by the
          name of the job which registered it.

So as your user:

launchctl bslist -j

Will give you everything that is loaded into launchd currently, anything actually running will have an 'A' beside it.

...

A  com.apple.cookied (com.apple.cookied)
D  com.apple.coreservices.quarantine-resolver (com.apple.coreservices.uiagent)

Here cookied (wtf?) is running. Below, the quarantine resolver is loaded, but not actually running.

Now, perhaps, you may be inclined to try something like:

sudo launchctl list

Thinking that as root, you will see everything. No. Root lives down in the System domain, and can not really see you clearly. You will get things running in the System, or daemon domain.

Reading the man page, you'll find:

sudo launchctl bstree -j   # This should show you everything.
ps au

As the command that gives you the entire Mach Tree that is running on the system.

Activity monitor shows you some things, but I don't really like to depend on it.

Reference:

http://developer.apple.com/library/mac/#technotes/tn2083/_index.html

chiggsy

Posted 2012-11-07T13:17:01.247

Reputation: 472

Asked: 2012-11-07T13:17:01.247

Viewed: 2 651 times

Active: 2012-11-09T00:43:44.897