Inside my Documents folder there are a bunch of folders named with what appear to be hexidecimal numbers, eg. 01, 1b, 84, aa, etc. Often they're empty, but some have one or two files named with a hash: 5aaebbb6c171adb2159c17cd1c8e629fc774f1be.file I assume the files are binaries because when I open them in a text editor they consist of rows of eight two digit hex values, 00eb babf 314c 00eb babf 3130 d3aa 0109.
I deleted the folders a few weeks ago, but they slowly grew back.
My question is twofold:
-
What is writing these files/folders?
-
And because I doubt it can be diagnosed from my description, how
do I monitor and figure out what is writing them?
I'm on 10.11, El Capitan.
I sometimes run a Windows VM in VirtualBox, I run Vagrant from the command line, and Docker as well. I run phpstorm, Spotify, uTorrent, Steam, Slack, Skitch, Xcode, Tunnel Bear. The list goes on. I guess what I'm looking for is a strategy or technique to figure out which application is writing.
Best Answer
A few things for you to try:
Per this SO link, do
lsof path-to-filenameto list all processes accessing that file. There's also a frontend to lsof called Sloth. The problem with this is if the programme doing the writes only edits the file momentarily (like if it didtouch foldername) then you probably wouldn't see it, sincelsofonly lists current processes' access to the file.Alternatively, get FSeventer (direct download link from archive.org - in my (klanomath's) opinion the only reliable source), which graphically monitors filesystem IO events. You could probably set it to run on your documents folder and then wait for one of those writes to happen, although based on your description that may take a while. The website for FSeventer seems to be down right now :(, but if/when it goes back up it may be able to solve your problem. FSeventer isn't really ElCap ready and often fails to work after the first launch - usually it works after launching it a second time.