Not receiving ES notification for inflated files

Question

Created Feb ’23

Replies 2

Boosts 0

Participants 2

I would have thought ES would emit an es_event_create_t for files being created as a result of inflating an archive in the Downloads folder.

A good test for this would be to:

Download Visual Studio Code (or any zip archive) to ~/Downloads
Run /usr/bin/eslogger create | grep "Visual Studio Code" and watch for file creation events you'll notice a bunch in /private/var/folders but none in ~/Downloads
Expand the archive and notice there's no file creation events
You can run sudo eslogger create | grep "/Downloads/Visual Studio Code.app" to see that there are no files being "created" in the Downloads folder by that name.

I briefly went through the other "File Metadata Event Types" and did not seem to find one that fit the bill. Completely understand there could be another event that will collect behavior. My mute set is pretty standard and don't think there is an issue there.

Any suggestions would be greatly appreciated!

Answered by DTS Engineer in 745238022

Most unarchiving tools do the unarchiving in a temporary directory and then, when that’s all done, do a rename to move the item into place.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Boost

Answer 1

DTS Engineer OP

Apple

Feb ’23

Accepted Answer

Most unarchiving tools do the unarchiving in a temporary directory and then, when that’s all done, do a rename to move the item into place.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

brandon-dalton OP

Feb ’23

Perfect! Exactly what we needed. I was searching through the telemetry as if it would be reported as /Downloads/$SOME_FILE but eslogger reports it as "destination type" and "file name". This is going to make life a bit harder with what we're trying to do, but thanks Quinn!

For those curious it looks something like this:

{
    "event": {
        "rename": {
            "destination": {
                "new_path": {
                    "dir": {
                        "path": "\/Users\/brandondalton\/Downloads"
                    },
                    "filename": "Visual Studio Code.app"
                }
            },
            "source": {
                "path": "\/private\/var\/folders\/8b\/fg_9sj9j2_9c0ghl_knlpp1c0000gp\/T\/com.apple.desktopservices.ArchiveService\/TemporaryItems\/NSIRD_ArchiveService_oK7iOq\/Visual Studio Code.app"
            }
        }
    }
}

0