One of my var folders gets periodically deleted

Discussion in 'macOS' started by budsimrin, Jul 3, 2013.

  1. budsimrin macrumors newbie

    budsimrin

    Joined:
    Sep 18, 2008
    Location:
    Fort Worth, TX
    #1
    For the past year I have been plagued by some process periodically deleting the folder

    /private/var/folders/g3/gm1shdzs1wsff1phr823tp0c0000gs/T

    Lately this happens every day. I have at least 20 different applications that store temporary data there, and when the folder is removed, those applications choke in various ways. For example, my checkbook application is unable to save changes made during a session; Appigo Todo sends me error messages of a corrupted file. I can fix the folder "T" by rebooting, but by then the damage has already been done. Besides, who wants to constantly have to monitor an invisible folder?

    Sometimes the folder disappears when I am not even touching the keyboard which makes me suspect an application working in the background but I can't be sure of that. I am using Mountain Lion but I believe I had this problem back in Lion, also.

    1. Does anyone have any idea of an application or a process that might do this?
    2. Failing that, does anyone have an idea how I might either stop or, better, track down whatever is doing this? For example, is there some folder action I could put on the folder gm1shdzs1wsff1phr823tp0c0000gs that would tell me what process is deleting its subfolder "T"? Or could I change permissions on gm1shdzs1wsff1phr823tp0c0000gs so that apps could read-write-delete their data within folder T but not be able to delete T itself? If there is something like this that I can do, would I have to re-do it every time I reboot?
     
  2. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #2
    Those are supposed to be temporary folders. It sounds like you have a different problem.
     
  3. budsimrin thread starter macrumors newbie

    budsimrin

    Joined:
    Sep 18, 2008
    Location:
    Fort Worth, TX
    #3
    The problems only occur when the T folder has disappeared

    Tech Support for my checkbook program confirmed that the program could not save my work if the T file disappeared. This is not supposed to happen and the program makes no allowances for this possibility.

    This really IS my problem.
     
  4. ElectricSheep macrumors 6502

    ElectricSheep

    Joined:
    Feb 18, 2004
    Location:
    Wilmington, DE
    #4
    You can use the following DTrace script, adapted from one to watch the creation and deletion of files via VFS interface calls, to see which process is actually removing the folder in question:

    Code:
    #!/usr/sbin/dtrace -s
    
    #pragma D option quiet
    #pragma D option switchrate=10hz
    
    dtrace:::BEGIN
    {
        printf("%-12s %6s %6s %-12.12s %-12s %s\n", "TIME(ms)", "UID",
            "PID", "PROCESS", "CALL", "DIR/FILE");
    }
    
    /* see sys/bsd/sys/vnode_if.h */
    
    /*fbt::VNOP_CREATE:entry,*/
    /*fbt::VNOP_REMOVE:entry,*/
    fbt::VNOP_MKDIR:entry,
    fbt::VNOP_RMDIR:entry
    {
        this->path = ((struct vnode *)arg0)->v_name;
        this->name = ((struct componentname *)arg2)->cn_nameptr;
        printf("%-12d %6d %6d %-12.12s %-12s %s/%s\n",
            timestamp / 1000000, uid, pid, execname, probefunc,
            this->path != NULL ? stringof(this->path) : "<null>",
            stringof(this->name));
    }
    When running this will produce a list of all creations and deletions of directories as they happen.
     
  5. budsimrin, Jul 4, 2013
    Last edited: Jul 4, 2013

    budsimrin thread starter macrumors newbie

    budsimrin

    Joined:
    Sep 18, 2008
    Location:
    Fort Worth, TX
    #5
    ElectricSheep,

    Thank you so much for your response. I believe this is exactly what I am looking for, but I am not a programmer and need a few step-by-steps to use this.

    I can put this script in, for example, and Editra document but I don't know how to create an executable or how to run such an executable if that is even the correct thing to do.

    I do have the Developer Tools installed but I only use them rarely when I am given specific instructions. Can you explain how to use this script or do I need a deep understanding of the developer tools?

    I am comfortable using Terminal if that's what this requires.

    I would like to monitor only this one folder because it may take up to 16 hours before it is finally deleted. Does this script monitor all folder creations and deletion? Do I need to replace v_name and cn_nameptr with "T" and "/private/var/folders/g3/gm1shdzs1wsff1phr823tp0c0000gs/", repsectively?
     
  6. ElectricSheep macrumors 6502

    ElectricSheep

    Joined:
    Feb 18, 2004
    Location:
    Wilmington, DE
    #6
    Here is a modification that will only trigger the probe when creating or removing a directory that has the name "T":

    Code:
    #!/usr/sbin/dtrace -s
    
    #pragma D option quiet
    #pragma D option switchrate=10hz
    
    dtrace:::BEGIN
    {
        printf("%-12s %6s %6s %-12.12s %-12s %s\n", "TIME(ms)", "UID",
            "PID", "PROCESS", "CALL", "DIR/FILE");
    }
    
    /* see sys/bsd/sys/vnode_if.h */
    
    /*fbt::VNOP_CREATE:entry,*/
    /*fbt::VNOP_REMOVE:entry,*/
    fbt::VNOP_MKDIR:entry,
    fbt::VNOP_RMDIR:entry
    /((struct componentname *)arg2)->cn_nameptr == "T"/
    {
        this->path = ((struct vnode *)arg0)->v_name;
        this->name = ((struct componentname *)arg2)->cn_nameptr;
        printf("%-12d %6d %6d %-12.12s %-12s %s/%s\n",
        timestamp / 1000000, uid, pid, execname, probefunc,
        this->path != NULL ? stringof(this->path) : "<null>",
        stringof(this->name));
    }
    
    Just save this code to a plain text file with a name like watch.d, then in the Terminal change its executable bit with sudo chmod a+x watch.d. Execute the script in the Terminal with sudo ./watch.d and just let it run. You can test it by creating and deleting a directory with the name "T". You should see some output.

    Just leave the Terminal window running and use ctrl-C to end the probing when you are finished.
     
  7. budsimrin, Jul 5, 2013
    Last edited: Jul 5, 2013

    budsimrin thread starter macrumors newbie

    budsimrin

    Joined:
    Sep 18, 2008
    Location:
    Fort Worth, TX
    #7
    ElectricSheep,

    Thank you. Your explanation was very clear but I suspect the code may not be working for me. I executed the 2nd code in Terminal (after changing the executable bit) and Terminal immediately displayed the headers (TIME, UID, etc.) but when I created and deleted folders named T in various places (e.g., Desktop, /var/folders/g3), nothing further happened in Terminal. I then opened a 2nd Terminal window and executed the first code you sent and, again, immediately obtained the headers. But creating and/or deleting new folders with various names in either Desktop or even in the folder "gm1shdzs1wsff1phr823tp0c0000gs" did not cause either Terminal window to display anything else. See attachment screenshot of both Terminal windows.

    I will monitor the 2 windows all day, but does this suggest to you that the script is not behaving quite correctly?
     

    Attached Files:

  8. budsimrin thread starter macrumors newbie

    budsimrin

    Joined:
    Sep 18, 2008
    Location:
    Fort Worth, TX
    #8
    Update

    I just installed several program updates and the 2nd Terminal window shows a bunch of VNOP_RMDIR. So maybe this is working and I just need to wait for "V" to be removed. :)
     
  9. ElectricSheep macrumors 6502

    ElectricSheep

    Joined:
    Feb 18, 2004
    Location:
    Wilmington, DE
    #9
    Well, some caveats: If you create a folder in the Finder, it will be created with the name "untitled folder" and that is what DTrace will pick up. If you delete it with the Finder, it just gets moved to the Trash. If you empty the trash and the folder has the name "T", you should see a message appear in the Terminal.
     
  10. budsimrin thread starter macrumors newbie

    budsimrin

    Joined:
    Sep 18, 2008
    Location:
    Fort Worth, TX
    #10
    Success!

    Thank you so very much. The T folder is suddenly empty, and MenuEverywhere seems to be the culprit. I'll disconnect the app to confirm and then contact their Tech Support to alert them about this.

    Here is the Terminal output:

    TIME(ms) UID PID PROCESS CALL DIR/FILE
    3271976 505 319 MenuEverywhe VNOP_RMDIR gm1shdzs1wsff1phr823tp0c0000gs/T
    3888640 505 319 MenuEverywhe VNOP_RMDIR gm1shdzs1wsff1phr823tp0c0000gs/T
    3890409 505 319 MenuEverywhe VNOP_RMDIR gm1shdzs1wsff1phr823tp0c0000gs/T
    3930399 505 319 MenuEverywhe VNOP_RMDIR gm1shdzs1wsff1phr823tp0c0000gs/T
    3
     

Share This Page