Ways to monitor hard-drive activity and usage in OS X

There are several ways to figure out what files are being accessed by a specific application in OS X, which can help when troubleshooting various settings and system features.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

Every now and then it can be useful to track how a program or process is accessing the hard drive. When troubleshooting, you may want to track which files get changed when application settings are adjusted, or which files are accessed when you load a particular feature. Apple provides the Activity Monitor utility, which will show you the overall input and output rates of the hard drive, but this overview does not specify the files that are being accessed.

While there are numerous ways to monitor hard-drive activity and usage in OS X, I've found that the following three options seem to work very well for identifying specific files that are updated by program activity.

Oddly enough, the Finder or another filesystem browser can be exceptionally useful in isolating files that are updated by programs. When a file is edited its modification date will change, so if you suspect a particular file holds a specific system setting then you can go to that folder in the Finder and sort items in list view by their creation dates.

After doing this, keep the Finder window open and monitor the creation date values when toggling your setting of interest. If a file in the present folder is altered by the settings, then you should see it go to the top of the list and be updated to reflect the new creation date. Sometimes when doing this it helps to wait at least a minute between invoking setting changes so you can clearly see a time change in the file's modification date (the Finder by default only shows date changes to the nearest minute).

While the Finder is a useful tool, it is fairly limited in that it will only show you when a file has been changed and not when it's accessed, and it will also only do so for the files in a single directory. You can sometimes get creative and lucky by using smart searches and other Finder features to expand these limitations, but overall it is still a rather crude approach.
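The same modification-time check can be run over a whole directory tree from the Terminal, which removes the Finder's single-folder limit. The following is an added example, not part of the original article; the function names and the paths in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example: list files modified after a reference point, recursively.

# mark_start: create an empty marker file whose modification time records
# "now" and print its path. Run it just before toggling the setting.
mark_start() {
    mktemp "${TMPDIR:-/tmp}/fswatch-marker.XXXXXX"
}

# changed_since MARKER DIR...: print every regular file under each DIR whose
# modification time is newer than MARKER, one per line, sorted.
# Directories that cannot be read are skipped quietly.
changed_since() {
    marker=$1
    shift
    [ -f "$marker" ] || { echo "marker not found: $marker" >&2; return 2; }
    find "$@" -type f -newer "$marker" -print 2>/dev/null | sort
}

# Typical session (paths are illustrative):
#   m=$(mark_start)
#   ... wait a moment, then change the setting in the application ...
#   changed_since "$m" "$HOME/Library/Preferences" "$HOME/Library/Caches"
#   rm -f "$m"
```

Like the Finder approach, this reports only files that were written, not files that were merely read.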

Instead of using the Finder, a few third-party applications are available that can really help determine when files are being accessed. The one I use the most, called Fseventer, builds a graphical filesystem tree of the files and folders that have been accessed after a given point in time. The utility is fast and shows all filesystem events, including those in hidden files and even temporary files.

[Figure: Fseventer activity window. Fseventer will show numerous attributes about the files that have been changed in a given monitoring session.]

To use the utility, just open it and then go to the application or setting you wish to test. Click the Play/Go button at the top of Fseventer's window and the program will start monitoring filesystem events. Then perform the action you are interested in and watch the Fseventer window to see what files are accessed. After this, to prevent Fseventer from showing activity from other processes, go back and click the Play/Go button again.

While Fseventer is an exceptionally useful program, it does rather blindly target all filesystem events. If the system performs a MobileMe synchronization or other similar action in the middle of your monitoring session, you may see the window fill up with events that are not associated with the events you are monitoring. Therefore it may be useful to repeat monitoring sessions several times with Fseventer to confirm that the files being accessed are correct.

Finally, in addition to the Finder and Fseventer, you can use the Terminal command "fs_usage" to show filesystem events. This uses the same underlying technology as Fseventer, but can be used to isolate the filesystem events that were invoked by a certain process name or ID. To use the fs_usage command, you will need to do the following:

[Figure: fs_usage running in the Terminal. The Terminal tool 'fs_usage' will output all filesystem activity in a list, but the tool's options can be used to better isolate activity from various programs.]

  1. Open the Terminal utility

  2. Type the following into the Terminal:

    sudo fs_usage

  3. Optionally type an additional space followed by the name of the application you are monitoring. In the case of iCal, for example, the command would look like the following:

    sudo fs_usage iCal

After the command is typed, press Enter and supply your password (this must be done from an Admin account) and the command will output to the Terminal window each time the program performs a filesystem access operation. This is a basic use of the command, but if you read the manual page for the command you can supply flags and options to further specify the type of events the command will monitor. When you want to quit the process in the Terminal window, just press Control-C.
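Raw fs_usage output scrolls quickly, so it helps to reduce a captured session to the list of files one process touched. The following is an added example, not part of the original article: the function names, the trace.txt file name and the column layout it parses are assumptions, and the sample lines are constructed to resemble wide-format output.

```shell
#!/bin/sh
# Added example: condense captured fs_usage output into per-file counts.
# Assumed line layout (wide mode):
#   TIMESTAMP  CALL  [F=fd] [flags]  /PATH  INTERVAL [W]  PROCESS.THREADID
# Capture first, stop with Control-C, then summarize the saved file:
#   sudo fs_usage -w -f filesys iCal > trace.txt
#   summarize_fs_usage iCal < trace.txt

# summarize_fs_usage PROC: read fs_usage lines on stdin, keep those emitted
# by process PROC, and print "COUNT<TAB>PATH" sorted by path.
summarize_fs_usage() {
    awk -v proc="$1" '
    {
        # Last column is the process name, with ".threadid" in wide mode.
        name = $NF
        sub(/\.[0-9]+$/, "", name)
        if (name != proc) next

        # Before it sits the elapsed time, optionally followed by "W".
        end = NF - 2
        if ($(NF - 1) == "W") end = NF - 3

        # The path starts at the first column beginning with "/" and may
        # contain spaces, so rejoin everything up to the elapsed time.
        path = ""
        for (i = 2; i <= end; i++) {
            if (path == "" && substr($i, 1, 1) != "/") continue
            path = (path == "") ? $i : path " " $i
        }
        if (path != "") count[path]++
    }
    END { for (p in count) printf "%d\t%s\n", count[p], p }
    ' | LC_ALL=C sort -k2
}

# Constructed sample input (not real captured output).
sample_trace() {
    cat <<'EOF'
10:15:01.100001  open      F=12   (R_____)  /Users/me/Library/Calendars/Calendar Cache    0.000041   iCal.4021
10:15:01.100090  stat64    /Users/me/Library/Preferences/com.apple.iCal.plist    0.000012   iCal.4021
10:15:01.100200  write     F=12   B=0x200    0.000030 W iCal.4021
10:15:01.100350  open      F=7    (_WC_T_)  /Users/me/Library/Preferences/com.apple.iCal.plist    0.000055   iCal.4021
10:15:01.100400  open      F=4    (R_____)  /private/var/db/mds/messages/se_SecurityMessages    0.000020   mds.88
EOF
}
```

Lines without a pathname column, such as the write in the sample, are not counted, and process names that contain spaces are not matched by this parser.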
