Endpoint Security framework cannot obtain all events from DesktopServicesHelper

We built a system extension with the ES framework and registered for AUTH_OPEN, AUTH_CREATE and other event types. In testing, it gets file system events successfully. For example, when we use the system extension to monitor the Finder process, it shows us all the file operations we did in the Finder app.
But for the DesktopServicesHelper process, ES does not seem to get all the file events that DesktopServicesHelper actually performed: we pasted 10 files into a directory, and ES reported AUTH_CREATE for 2 files in the new folders; it lost 8 file events.

Our Test Log:
默认 17:27:35.294079+0800 DesktopServicesHelper Read options: 1 -- URL: <private> -- purposeID: com.apple.desktopservices.copyengine -- claimID: 0709A049-AFEF-4618-8A61-3417F686ACDA
默认 17:27:35.298715+0800 DesktopServicesHelper Claim 0709A049-AFEF-4618-8A61-3417F686ACDA granted in client
默认 17:27:35.298743+0800 DesktopServicesHelper Claim 0709A049-AFEF-4618-8A61-3417F686ACDA invoked in client
默认 17:27:35.311764+0800 DesktopServicesHelper Read options: 1 -- URL: <private> -- purposeID: com.apple.desktopservices.copyengine -- claimID: 952CC31D-A23F-4C4D-8005-FD4245B29CFB
默认 17:27:35.318353+0800 DesktopServicesHelper Claim 952CC31D-A23F-4C4D-8005-FD4245B29CFB granted in client
默认 17:27:35.318423+0800 DesktopServicesHelper Claim 952CC31D-A23F-4C4D-8005-FD4245B29CFB invoked in client

默认 17:27:35.624607+0800 DesktopServicesHelper Read options: 1 -- URL: <private> -- purposeID: com.apple.desktopservices.copyengine -- claimID: A6AA8D96-2697-4D74-BD9C-3A0A1B0BC7FA
默认 17:27:35.625058+0800 DesktopServicesHelper Received claim A6AA8D96-2697-4D74-BD9C-3A0A1B0BC7FA
默认 17:27:35.625154+0800 DesktopServicesHelper Claim A6AA8D96-2697-4D74-BD9C-3A0A1B0BC7FA granted in server
默认 17:27:35.625638+0800 DesktopServicesHelper Claim A6AA8D96-2697-4D74-BD9C-3A0A1B0BC7FA invoked in client
默认 17:27:35.625833+0800 DesktopServicesHelper Claim A6AA8D96-2697-4D74-BD9C-3A0A1B0BC7FA was revoked
默认 17:27:35.626065+0800 DesktopServicesHelper Read options: 1 -- URL: <private> -- purposeID: com.apple.desktopservices.copyengine -- claimID: 5BD5A74D-35C2-4C02-A9A4-6ACE5780AFE1
默认 17:27:35.626308+0800 DesktopServicesHelper Received claim 5BD5A74D-35C2-4C02-A9A4-6ACE5780AFE1
默认 17:27:35.626526+0800 DesktopServicesHelper Claim 5BD5A74D-35C2-4C02-A9A4-6ACE5780AFE1 granted in server
默认 17:27:35.626739+0800 DesktopServicesHelper Claim 5BD5A74D-35C2-4C02-A9A4-6ACE5780AFE1 invoked in client
默认 17:27:35.626794+0800 DesktopServicesHelper Claim 5BD5A74D-35C2-4C02-A9A4-6ACE5780AFE1 was revoked
默认 17:27:35.627051+0800 DesktopServicesHelper Read options: 1 -- URL: <private> -- purposeID: com.apple.desktopservices.copyengine -- claimID: 5B93CA4D-3A8A-4A35-A322-9E83E861F4EE
默认 17:27:35.627577+0800 DesktopServicesHelper Received claim 5B93CA4D-3A8A-4A35-A322-9E83E861F4EE
默认 17:27:35.627657+0800 DesktopServicesHelper Claim 5B93CA4D-3A8A-4A35-A322-9E83E861F4EE granted in server
默认 17:27:35.627806+0800 DesktopServicesHelper Claim 5B93CA4D-3A8A-4A35-A322-9E83E861F4EE invoked in client
默认 17:27:35.627952+0800 DesktopServicesHelper Claim 5B93CA4D-3A8A-4A35-A322-9E83E861F4EE was revoked
默认 17:27:35.628140+0800 DesktopServicesHelper Read options: 1 -- URL: <private> -- purposeID: com.apple.desktopservices.copyengine -- claimID: F62C2FCE-F3F3-4C5B-8D2C-61B07E5C3300
默认 17:27:35.628437+0800 DesktopServicesHelper Received claim F62C2FCE-F3F3-4C5B-8D2C-61B07E5C3300
默认 17:27:35.628555+0800 DesktopServicesHelper Claim F62C2FCE-F3F3-4C5B-8D2C-61B07E5C3300 granted in server
默认 17:27:35.629003+0800 DesktopServicesHelper Claim F62C2FCE-F3F3-4C5B-8D2C-61B07E5C3300 invoked in client
默认 17:27:35.629106+0800 DesktopServicesHelper Claim F62C2FCE-F3F3-4C5B-8D2C-61B07E5C3300 was revoked
默认 17:27:35.630939+0800 DesktopServicesHelper Read options: 1 -- URL: <private> -- purposeID: com.apple.desktopservices.copyengine -- claimID: 62238E4D-9120-4846-834A-7EFA5C6E67D3
默认 17:27:35.631118+0800 DesktopServicesHelper Received claim 62238E4D-9120-4846-834A-7EFA5C6E67D3
默认 17:27:35.631212+0800 DesktopServicesHelper Claim 62238E4D-9120-4846-834A-7EFA5C6E67D3 granted in server
默认 17:27:35.631412+0800 DesktopServicesHelper Claim 62238E4D-9120-4846-834A-7EFA5C6E67D3 invoked in client
默认 17:27:35.631483+0800 DesktopServicesHelper Claim 62238E4D-9120-4846-834A-7EFA5C6E67D3 was revoked
默认 17:27:35.639940+0800 com.sangfor.dev.SfService.Extension [com.sangfor.dev.SfService.Extension] [D] [JUST FOR 2020] [-[MessageCommonHandler handleEvent:]] file: /Users/jiangsen/Desktop/test/20202020/destination/vmware_desktop 17.26.54/caches by process name: DesktopServicesHelper, process path: /System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper, Event is 44, pid is 64552, started pid is 0
默认 17:27:35.640408+0800 com.sangfor.dev.SfService.Extension [com.sangfor.dev.SfService.Extension] [D] [JUST FOR 2020] [-[MessageCommonHandler handleEvent:]] file: /Users/jiangsen/Desktop/test/20202020/destination/vmware_desktop 17.26.54/caches/screenshots by process name: DesktopServicesHelper, process path: /System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper, Event is 44, pid is 64552, started pid is 0


==>
Only the last two events of DesktopServicesHelper were reported by the ES system extension.