{"id":13995059,"url":"https://github.com/themittenmac/TrueTree","last_synced_at":"2025-07-22T21:31:57.068Z","repository":{"id":43254183,"uuid":"245472100","full_name":"themittenmac/TrueTree","owner":"themittenmac","description":"A command line tool for pstree-like output on macOS with additional pid capturing capabilities","archived":false,"fork":false,"pushed_at":"2024-08-23T12:57:31.000Z","size":66,"stargazers_count":220,"open_issues_count":1,"forks_count":14,"subscribers_count":13,"default_branch":"master","last_synced_at":"2024-08-24T05:49:28.779Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Swift","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/themittenmac.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"license.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-03-06T16:49:53.000Z","updated_at":"2024-08-24T05:49:28.780Z","dependencies_parsed_at":"2024-08-23T05:56:03.900Z","dependency_job_id":null,"html_url":"https://github.com/themittenmac/TrueTree","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/themittenmac%2FTrueTree","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/themittenmac%2FTrueTree/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/themittenmac%2FTrueTree/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/themittenmac%2FTrueTree/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/themittenmac","download_url":"https://codeload.github.com/themittenmac/TrueTree/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":227177748,"owners_count":17743157,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-09T14:03:13.930Z","updated_at":"2024-11-29T17:30:55.404Z","avatar_url":"https://github.com/themittenmac.png","language":"Swift","readme":"#  TrueTree\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://themittenmac.com/wp-content/uploads/2020/02/Frame-5-scaled.jpg\"\u003e\u003c/p\u003e\n\n**About** \\\nRead all about the TrueTree concept [here](https://themittenmac.com/the-truetree-concept/)\n\n\nTrueTree is more than just a pstree command for macOS. It is used to display a process tree for current running processes while using a hierarchy built on additoinal pids that can be collected from the operating system.  The standard process tree on macOS that can be built with traditional pids and ppids is less than helpful on macOS due to all the XPC communication at play.  The vast majority of processes end up having a parent process of launchd. TrueTree however displays a process tree that is meant to be useful to incident responders, threat hunters, researchers, and everything in between!  \n\nMajor Update:\nBecause of the ever changing features on macOS, since macOS 11 some features don't operate quite the same as they used to when I wrote the original blog post for TrueTree. Apple has introduced the addition of a new process \"runningboardd\" which ends up being the true parent of many processes. To get around this TrueTree was updated to use the Application Services framework which allowed for aquiring the true parent in some scenarios. However, this no longer allows for the aquiring of a true parent process if that parent process has terminated. Making it difficult to pinpoint some true parents such as the \"open\" command. A small price to pay to ensure TrueTree continues to operate across macOS releases. Some other signs of a true parent can often be found inside of the launchctl procinfo output. This might be taken into consideration in the future.\n\n**./TrueTree -h** \\\n--nocolor -\u003e Do not color code items in output\n--timeline  -\u003e Sort and print all processes by their creation timestamp\n--timestamps -\u003e Include process timestamps\n--standard -\u003e Print the standard Unix tree instead of TrueTree\n--sources -\u003e Print the source of where each processes parent came from\n--nonetwork -\u003e Do not print network connection\n--nopid -\u003e Do not print the pid next to each process\n--nopath -\u003e Print process name only instead of full paths\n--version -\u003e Print the TrueTree version number\n-o \u003cfilename\u003e -\u003e output to file\n\n\u003cspan style=\"color:blue\"\u003eNote: Requires Root\u003c/span\u003e\n\n**./TrueTree** \\\nDisplays an enhanced process tree using the TrueTree concept\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://themittenmac.com/wp-content/uploads/2022/12/truetree_output.png\"\u003e\u003c/p\u003e\n\u003cbr/\u003e\u003cbr/\u003e\n\n**./TrueTree --standard** \\\nFor tree output based on standard pids and ppids use --standard\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://themittenmac.com/wp-content/uploads/2022/12/tt_standard.png\"\u003e\u003c/p\u003e\n\u003cbr/\u003e\u003cbr/\u003e\n\n**./TrueTree --timestamps** \\\nFor output in either format with process create time added use the --timestamps option\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://themittenmac.com/wp-content/uploads/2022/12/tt_timestamps.png\"\u003e\u003c/p\u003e\n\u003cbr/\u003e\u003cbr/\u003e\n\n**./TrueTree --sources** \\\nTo show where each parent pid was aquired from use the --sources option\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://themittenmac.com/wp-content/uploads/2022/12/tt_sources.png\"\u003e\u003c/p\u003e\n\u003cbr/\u003e\u003cbr/\u003e\n\n**./TrueTree --timeline** \\\nDoes not collect a tree. Instead just prints processes sorted by creation time\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://themittenmac.com/wp-content/uploads/2022/12/tt_timeline.png\"\u003e\u003c/p\u003e\n","funding_links":[],"categories":["Swift","Mac/iOS","Operating Systems"],"sub_categories":["Containers","macOS/iOS"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthemittenmac%2FTrueTree","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthemittenmac%2FTrueTree","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthemittenmac%2FTrueTree/lists"}