
Using execsnoop -v, I note a dtrace error for two processes: ID3 (ID 630) and ID2 (ID 360).

~ 03:59 am ∆:ps -p 260
PID TTY           TIME CMD
260 ??         0:02.36 /usr/libexec/UserEventAgent (Aqua)

~ 03:59 am ∆:ps -p 630
PID TTY           TIME CMD

~ 03:59 am ∆:sudo execsnoop -v
Password:

STRTIME                UID    PID   PPID ARGS
dtrace: error on enabled probe ID 2 (ID 260: syscall::execve:return): invalid >kernel access in action #8 at DIF offset 0
dtrace: error on enabled probe ID 3 (ID 630: syscall::posix_spawn:return): >invalid kernel access in action #8 at DIF offset 0
dtrace: error on enabled probe ID 3 (ID 630: syscall::posix_spawn:return): >invalid kernel access in action #8 at DIF offset 0
dtrace: error on enabled probe ID 3 (ID 630: syscall::posix_spawn:return): >invalid kernel access in action #8 at DIF offset 0
dtrace: error on enabled probe ID 3 (ID 630: syscall::posix_spawn:return): >invalid kernel access in action #8 at DIF offset 0
dtrace: error on enabled probe ID 3 (ID 630: syscall::posix_spawn:return): >invalid kernel access in action #8 at DIF offset 0
dtrace: error on enabled probe ID 3 (ID 630: syscall::posix_spawn:return): >invalid kernel access in action #8 at DIF offset 0
dtrace: error on enabled probe ID 3 (ID 630: syscall::posix_spawn:return): >invalid kernel access in action #8 at DIF offset 0
dtrace: error on enabled probe ID 3 (ID 630: syscall::posix_spawn:return): >invalid kernel access in action #8 at DIF offset 0
dtrace: error on enabled probe ID 3 (ID 630: syscall::posix_spawn:return): >invalid kernel access in action #8 at DIF offset 0
dtrace: error on enabled probe ID 3 (ID 630: syscall::posix_spawn:return): >invalid kernel access in action #8 at DIF offset 0
dtrace: error on enabled probe ID 2 (ID 260: syscall::execve:return): invalid >kernel access in action #8 at DIF offset 0
^C

~ 04:01 am ∆:ps -p 3
  PID TTY           TIME CMD

~ 04:01 am ∆:ps -p 2
  PID TTY           TIME CMD

My understanding is this is generated by a process that has a hold on dtrace being active for that process.

I note that the processes do not show up in the top command list nor in Activity Monitor. The two processes reoccur with a full restart, and are hence consistent, and I presume they are some OSX process. It is just puzzling that they cannot be fully identified.

Curious to understand what is going on here.

Cam_Aust
  • As a step towards an answer, direction to online resources, articles, or specific Unix on OSX commands to explore further would be helpful. – Cam_Aust Dec 29 '16 at 08:12

0 Answers