Any RunningApplications-like function for non-windowed processes?

Bumping my own question with some follow-up information. The Carbon Process Manager doesn't explicitly say it only handles windowed apps so took a frightening flashback dive into Carbon and tested it and it returns the same results as RunningAppliciations.

I also dumped the libraries that Activity Monitor is linked against and nothing too interesting came out of that. The only private libraries are /PrivateFrameworks/GraphKit and /PrivateFrameworks/CrashReporterSupport. I'm 99% sure that Graphkit is the pie-chart and line drawing framework so I'm ignoring that one. I guess I can see where a Crash Reporter framework might have deeper process information than is publically available but I'm not sure where that leaves me to go. There are always options like parsing output from top and ps but that strikes me as miserable option doomed to disappointing results.

Still looking for suggestions,

=Tod

Thanks, etresoft, helpful as always. It seems that procfs gives me much of what I was looking for but it is built on MacFuse (which has its own kext I believe) and and requires pcre etc and so is pretty complicated to think about deployment. If I'm going to do what I originally wanted it looks like I need to use kauth anyway and maybe parse the output of sysctl as well. I was really hoping to stay away from sysctl and out of kernel space but it doesn't seem to any other way to do what I was hoping to.

Guess I need to decide if it's worth the effort,

=Tod

I think kqueue may be able to do what you want. Look at the EVFILT_PROC filter. You may have to watch a number of processes - perhaps all of them. But that would tell you any time you get a fork and whenever a process is reaped.

I looked at kqueue at it does what I want but you need to register it on a by process/file basis which is great for a very specific set of things but not for overall system watching. (I also looked at fsevents but it is designed as a post-event notification system.) While NSWorkspace has the usual Cocoa model notifcation willlaunchApp, didlaunchApp, etc it seems that you need to get the kernel to watch the launch lifecycle of non-windowed functions.

I actually did manage to get a comprehensive list of running apps out of parsing sysctl output with much less trouble than I expected. So far I have managed to get the pid, uid and abbreviated processname and the list seems to match the Activity Monitor list - at least at this testing printf stage. Getting the username from uid should be trivial and the full file name is doable it just requires some struct length and offset math. I'd like the launch path information but I can live without it for monitoring purposes if I can't figure out how to get it.

This means that the monitoring part of the running system seems relatively straight forward - wrapping the call in an NSTimer and watching for changes in the returned results. But the watching of the actual starting and stopping of all processes remains some deeper work.

Thanks for all the suggestions,

=Tod