How to monitor events from other processes

Question

What I'm ultimately trying to do is write a daemon-type process that monitors the start/death of another process I'm interested in watching.

I know GCD has the proc dispatch source type, but you need a PID for that, and I wouldn't know that info from the monitoring process.

So are there any OSX APIs that let you know what processes have been started / stopped? How do programs like Activity Monitor, or 'top' do it?

Answer 1

It seems pretty clear, from their behavior, that Activity Monitor and top are polling, and not responding to asynchronous events. For instance, you can easily contrive a situation in which a short-lived process never appears in top or Activity Monitor. It stands to reason that if there was an event-driven mechanism, that the system tools would use it (at least Activity Monitor, which is OSX-specific would; top might be too BSD-general, but regardless.)

dtrace has hooks that are triggered for exec events, and fs_usage also has the capability to log exec/spawn events, but both of these require root privileges, and therefore likely have access to facilities that top and Activity Monitor don't.

If running in user space is a requirement, you might consider a user space app that communicates with a kext or something like that.