5 "unknown" event taps detected, "Show in Finder" does nothing
Hi, Patrick. First, my apologies if my question has been addressed somewhere already. I tried looking for an answer on your Objective-See website's product page for ReiKey and also on the Issues tab of the GitHub page for the same app, but did not see one.
I freely admit that I am not an especially tech-savvy user, but I have been using several of your Objective-See tools for the Mac to help offset my concerns about possible malware. One thing that has long puzzled me is seeing mysterious items listed as Keyboard Event Taps in your ReiKey utility/app: They are always listed as "
Up until now, I have only ever seen one, two, or three items listed as Keyboard Event Taps in the ReiKey window, but today, there were FIVE. Despite my general unfamiliarity with Terminal, I launched it and ran the "ReiKey.app/Contents/MacOS/ReiKey -scan -pretty" command from your page of information about ReiKey. That produced a list of EIGHT items, three of which did have a "sourcePath" whereas the other five items showed their sourcePath as "
Thank you for your attention and time, Scott (sdc1-ClickClack)
Sorry, after posting my Issue (inquiry), I see that some of the text I typed does not appear. In the second paragraph, the third sentence SHOULD read as follows: They are always listed as
Drat, those right-angle brackets keep being interpreted as code to be rendered. That third sentence in the second paragraph should read like THIS (except with the word 'unknown' enclosed in right-angle brackets): They are always listed as unknown followed by a 4- or 5-digit number.
Hmmm... Should the lack of a response be interpreted as a lack of interest?
@sdc1-clickclack Hey, I don't work on the project, but I have an idea: Run that command again, and check the value of "sourcePID" of the offending processes in the output. If ReiKey can't show you their paths, you can find them using this command: ps -p [INSERT_PROCESS_PID_HERE]. You can also use Activity Monitor and sort by PID.
Hey, @ivansavra1 - Thanks for your recommendation! It was so nice to see ANY response to my inquiry here. Presumably, Patrick is too busy elsewhere to respond to issues posted here.
Anyway, I apologize for the delay in my acknowledging your reply and posting this response; I was offline for a bit while sick with Covid. Lately I am not seeing the multiple "unknown" events listed as Keyboard Event Taps in the ReiKey window, but I intend to try out your suggestion the next time that I see a few listed there.
If we look at the code that is responsible for generating that message we see:
```
sourcePath = getProcessPath(tap.tappingProcess);
if(0 == sourcePath.length)
{
    //default
    sourcePath = @"<unknown>";
}
```
The getProcessPath function can be found here: https://github.com/objective-see/ReiKey/blob/83ceb8fca9e08dbc4e92a43ddf6ecd39c36bb37f/shared/utilities.m#L458
It will fail for example if it cannot access the process or if the process has exited, etc. etc. It would be nice to know, so I really should add, at the very least, better logging that explains!
Thanks for your response, Patrick!
Today, the ReiKey window showed two of those "unknown" events (sourcePID numbers 12034 and 3772), so I tried running the "/Applications/ReiKey.app/Contents/MacOS/ReiKey -scan -pretty" command, which yielded five results. One was a "PrivateFramework" for "ViewBridge"; two were "CoreServices" for Siri; and the remaining two were the ones I cited above, still listed with a SourcePath of "unknown" inside angle brackets.
I decided to try running the "ps -p" command suggested by @ivansavra1 for both of those "unknown" events, and here are the results:
```
xyzxyz-admin@xyz-2021-MacBook-Pro ~ % ps -p 3772
PID TTY TIME CMD
xyzxyz-admin@xyz-2021-MacBook-Pro ~ % ps -p 12034
PID TTY TIME CMD
```
Once again, my lack of technical savvy means that I do not know what those results mean, but my hunch is that they are benign, probably routine background processes.
@sdc1-clickclack This is weird, I never had an empty output from ps. Try using Activity Monitor, sorting by PID. Make sure to press the Rescan button on ReiKey before checking, so the PID is fresh.
Hi, @ivansavra1 and thanks for your reply. I had begun to wonder if there was any point in continuing to pursue this issue, but today I decided that I should at least update you in the wake of your suggestion. Today, the ReiKey window listed five "unknown" processes. I clicked the Rescan button to refresh the list, although the entries remained the same after I did so. I then ran the "/Applications/ReiKey.app/Contents/MacOS/ReiKey -scan -pretty" command in Terminal, which again yielded 8 results:
```
[
  {
    "tapID" : "1131176229",
    "sourcePID" : "12034",
    "destinationPID" : "0",
    "sourcePath" : "",
    "destinationPath" : "All processes"
  },
  {
    "tapID" : "1540383426",
    "sourcePID" : "3772",
    "destinationPID" : "0",
    "sourcePath" : "",
    "destinationPath" : "All processes"
  },
  {
    "tapID" : "1789376348",
    "sourcePID" : "74654",
    "destinationPID" : "0",
    "sourcePath" : "/System/Library/CoreServices/Siri.app/Contents/XPCServices/SiriNCService.xpc/Contents/MacOS/SiriNCService",
    "destinationPath" : "All processes"
  },
  {
    "tapID" : "1504569917",
    "sourcePID" : "70341",
    "destinationPID" : "0",
    "sourcePath" : "",
    "destinationPath" : "All processes"
  },
  {
    "tapID" : "740759355",
    "sourcePID" : "74393",
    "destinationPID" : "0",
    "sourcePath" : "/System/Library/CoreServices/Siri.app/Contents/MacOS/Siri",
    "destinationPath" : "All processes"
  },
  {
    "tapID" : "943947739",
    "sourcePID" : "27686",
    "destinationPID" : "0",
    "sourcePath" : "",
    "destinationPath" : "All processes"
  },
  {
    "tapID" : "722308542",
    "sourcePID" : "74330",
    "destinationPID" : "0",
    "sourcePath" : "/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary",
    "destinationPath" : "All processes"
  },
  {
    "tapID" : "771151432",
    "sourcePID" : "56712",
    "destinationPID" : "0",
    "sourcePath" : "",
    "destinationPath" : "All processes"
  }
]
```
I then once again ran the "ps -p [PROCESS_PID_NUMBER]" command you suggested for each of the five processes with a sourcePath of "unknown" within angle brackets (not seen in the results above, where they just appear as ""), and got these results (but with either a tab or 11 spaces between 'TTY' and 'TIME' in each instance, although that extra space does not appear here):
```
xyzxyz-admin@xyzxyz-2021-MacBook-Pro ~ % ps -p 12034
PID TTY TIME CMD
xyzxyz-admin@xyzxyz-2021-MacBook-Pro ~ % ps -p 3772
PID TTY TIME CMD
xyzxyz-admin@xyzxyz-2021-MacBook-Pro ~ % ps -p 70341
PID TTY TIME CMD
xyzxyz-admin@xyzxyz-2021-MacBook-Pro ~ % ps -p 27686
PID TTY TIME CMD
xyzxyz-admin@xyzxyz-2021-MacBook-Pro ~ % ps -p 56712
PID TTY TIME CMD
xyzxyz-admin@xyzxyz-2021-MacBook-Pro ~ %
```
I then checked the Activity Monitor, sorting all entries by PID — and not one of these five PID numbers was listed there. I checked carefully in both ascending and descending order, and none of those five PID numbers are shown. I am at a loss, and freely admit that I lack the technical know-how to be able to investigate more deeply. Consequently, at this point, I can only hope that I am correct in my presumption that these are all merely benign, ordinary background processes.
(I doubt that any of these details matter, but I am still running macOS Sonoma 14.7.5 on a 2021 MacBook Pro equipped with an M1 Max chip, and I am only using the original built-in SSD; no external drive except when I connect one for Time Machine backups.)
Thanks for the update. Admittedly this is weird, but from what I can see (your input was very helpful!) this is probably a bug that’s unfixed in Sonoma. It could be benign processes like you mentioned; I just don’t remember ever seeing this on Sonoma.
At this point in time, Sequoia is a stable OS. I generally recommend holding off until the third minor update (.3), so unless you use specific software that isn’t supported by its developer anymore, consider updating to the latest version. The only guaranteed way of getting rid of a buggy installation is to format and start all over again (this applies to any OS), but that’s a major pain in the ass, and in this case it’s not worth it.
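The manual triage worked through in this thread (scan, pick out the taps whose sourcePath is empty or `<unknown>`, then check each sourcePID the way `ps -p` does), as an added Python example that is not ReiKey's code and not posted by anyone in the thread. The names `triage` and `pid_state`, the verdict labels, and the third sample entry are assumptions made up for illustration.

```python
import json
import os

# Two entries copied from the scan output posted in this thread; the third is
# constructed to show the "<unknown>" literal that the ReiKey snippet assigns.
SAMPLE_SCAN = """[
  {"tapID": "1131176229", "sourcePID": "12034", "destinationPID": "0",
   "sourcePath": "", "destinationPath": "All processes"},
  {"tapID": "740759355", "sourcePID": "74393", "destinationPID": "0",
   "sourcePath": "/System/Library/CoreServices/Siri.app/Contents/MacOS/Siri",
   "destinationPath": "All processes"},
  {"tapID": "1", "sourcePID": "4242", "destinationPID": "0",
   "sourcePath": "<unknown>", "destinationPath": "All processes"}
]"""

UNRESOLVED = {"", "<unknown>"}  # both spellings seen in the thread


def pid_state(pid):
    """Probe a PID with signal 0: nothing is delivered, only existence is checked."""
    if pid <= 0:
        return "invalid"            # kill(0, ...) would address a process group
    try:
        os.kill(pid, 0)
    except ProcessLookupError:      # ESRCH: no such process
        return "not-running"
    except PermissionError:         # EPERM: exists, but owned by another user
        return "running"
    return "running"


def triage(scan_json, probe=pid_state):
    """Return (tapID, pid, verdict) for every tap in a ReiKey scan (hypothetical helper)."""
    results = []
    for tap in json.loads(scan_json):
        pid = int(tap["sourcePID"])
        if tap.get("sourcePath", "") not in UNRESOLVED:
            verdict = "path-resolved"
        elif probe(pid) == "running":
            verdict = "unresolved-owner-running"      # inspect this PID by hand
        else:
            verdict = "unresolved-owner-not-running"  # same finding as an empty `ps -p`
        results.append((tap["tapID"], pid, verdict))
    return results


if __name__ == "__main__":
    for tap_id, pid, verdict in triage(SAMPLE_SCAN):
        print(f"tap {tap_id:>12}  pid {pid:>6}  {verdict}")
```

To check a real machine, pass the text printed by `ReiKey -scan -pretty` to `triage` instead of `SAMPLE_SCAN`, right after pressing Rescan so the PIDs are current.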