This little trick I came across while I wondered why my hard disk was being used when no apps were actively running. Its a basic Terminal command that shows you which files are being accessed and by which program. Its very useful and customisable, and interesting to watch to see how you Mac uses the files stored on your hard disk. You can use it when a file is in use or an app is accessing your disk. The resulting output is great for determining if you have a rogue app accessing files it shouldn’t or if an app is heavy on file access, something which can slow your Mac down.
The Terminal Command
The Terminal command we are going to use is
opensnoop. Although there are plenty of different commands out there that can probably do the same thing, this is one that is built into your Mac and is pretty easy to use. To access it open Terminal found in Applications > Utilities and type the following:
You have to use sudo since the command will access system files which need administrator privileges.
When you run the command the text will probably wizz by. You can always stop the command my pressing Control + C
Customising The Command
The command on its own is interesting, but outputs too much information all at once to be meaningful. We need to customise it using the built in in options. The first is to add a date, this makes working out the access time later easier. This is accomplished using the command:
sudo opensnoop -v
We can narrow down the search to an app by using the following command:
opensnoop -n Finder
Either type in the app name as it appears within opensnoop or the PID, which can be found using Activity Monitor.
If you want to see when a file gets accessed and by the program responsible you can write the following:
sudo opensnoop -f /path/to/file
You can always drag and drop the file into the Terminal window instead of typing /path/to/file.
If you want to save the output you can always use the following command
sudo opensnoop > /saved/file/path/text.txt
This will create a new file and write the output to the file. When you close Terminal it will complete the file. If you want to add to the end of a file, because you have used the text file before, use double arrows (>>)
User Identifier / UID
One of the features of opensnoop is the UID or Unique Identifier. It defines which person whether it be yourself or user built into your Mac such as admin, is using a file. For example if I open a file and opensnoop captures it (which it does) it will list a UID or 501. This basically tells me that I have open the file. However you will soon notice that other UID’s are using files, these are responsible for your background tasks.
To find a UID and associate it with a physical user we have two options you can use. In Terminal type the following:
This will give you a short list correlating UID’s to names. In this list the user 501, is reported as James.
If a UID doesn’t appear in this list, you can use a more expansive system list. In Terminal again type the following:
TextEdit will open a file with lots of UID’s. Do not change anything in this file. You will however notice a name and a number associated with it. For example in the image above there is a UID of 89. In my passwd file this is linked to spotlight. I then know that spotlight was accessing a file to do what ever it has to do. You can do this will all of the users that appear. When you have finished with the passwd file, close TextEdit.
Its worth noteing at this point that FD stands for File Descriptor. You can read up on it at Wikipedia.
This command isn’t that complicated but pretty powerful. If you want to find more customisable options you can use the man page accessible by typing in the following:
If have used this command to see which files an app access and which files are locked by programs. Useful if you want to restart or clear the trash and Finder says a file is in use.
If you have any tips in using this Terminal command, please leave a comment below.