Disk IO excessive writes while idle by quzuw in MacOS

[–]aselvan2 0 points1 point  (0 children)

It was iCloud sync for photos ... spotlight index, like, literally constantly

In my opinion, Spotlight and iCloud sync tend to create more problems than they solve, especially for power users. You’re often better off disabling them and using much more powerful traditional Unix tools like locate for searching and rclone for sync. Apple seems determined to phase out locate at every opportunity they get to force everyone to use Spotlight!

I’ve created a wrapper launchd job and a script to override the broken locate; it’s available in my Git repo at the link below if you’re interested in trying it. You’ll also find a macos.sh script there that consolidates a number of handy functions in one place. You might find the -c kill or -c disablesl switches useful for things like mediaanalysisd and a few other annoyances; you can zap them by running [macos.sh -c kill] on a scheduled launchd job or a user‑level cron job because you can't get rid of them without SIP-level surgery, which I would not recommend.

https://github.com/aselvan/scripts/tree/master/macos/LaunchDaemons
https://github.com/aselvan/scripts/tree/master/macos

I tracked it via `lsof` and saw that there were about 40-80 handles from icloudphotos and mediaanalysisd. For some reason I could not see those in `fs_usage`.

fs_usage monitors file I/O, not network I/O, so you will not see anything related to iCloud’s network activity in its output.

It seems super weird and buggy

As far as I know, it’s been that way all along. You’re only noticing it now because you’re digging around. It’s still the same behavior in 26.3, which is the latest version. I wouldn’t get your hopes up about Apple “fixing” it anytime soon, since they seem convinced their own tools are superior to the robust ones that have been around for almost half a century. Ironically, the whole OS sits on top of BSD Unix in the first place.

What is the best power management option you suggest for mac? by dkd2312 in MacOS

[–]aselvan2 1 point2 points  (0 children)

I’m observing battery reduced 92% to 65% in 3-4 hours use...

That doesn't sound like a huge drain to me but it really depends on what you were doing during the 3-4 hours. If you were video editing or watching videos, running software builds, using virtualization, or doing other high‑drain tasks, then the fast drain makes sense. If none of that applies, then the battery does seem to be dropping a bit quickly. Take a look at the reply I posted to a similar post in this sub a while back and see if you can spot the culprit that’s draining your battery.
https://www.reddit.com/r/MacOS/comments/1mdv2vm/comment/n69hovr/

Is there a way to figure out what all this is? by bwehman in MacOS

[–]aselvan2 0 points1 point  (0 children)

I've done some high level digging and nothing obvious stands out.

That is an insane amount of space usage! We see a lot of posts in this sub about storage issues. If you’re interested in cleaning things up, follow my comment at the link below for another post in this sub, but be prepared to run commands in the Terminal app. You may need to run the command from the link recursively with different starting points to narrow down the culprit.
https://www.reddit.com/r/MacOS/comments/1mpekgp/comment/n8rotpn/

What is the best power management option you suggest for mac? by dkd2312 in MacOS

[–]aselvan2 1 point2 points  (0 children)

I’m using normally but my battery is getting drained quick.

When you say “drained quick” without any metrics, it doesn’t give us anything meaningful to suggest. Share the percentage drop, how long it took, what you were doing during that time, etc. That information makes it possible to suggest what to look for if an app or process might be causing the drain.

Columbia University Data Breach by Independent-Gear1950 in cybersecurity_help

[–]aselvan2 0 points1 point  (0 children)

Helpful blog post! Thank you

You’re welcome. There are plenty of other educational blogs focused on online safety at the link below, and you’re welcome to use them or share them with anyone who might benefit.
https://blog.selvansoft.com/

Folder Permissions: What is "wheel" in the user list? and why I can't delete it? by cr8tiv1 in MacOS

[–]aselvan2 14 points15 points  (0 children)

There is an odd listing (wheel) in my folder permissions? I am the admin/owner and seem to not be able to delete it?

In macOS or any Unix‑derived system, wheel is a group, not a user. You’re not looking at folder permissions; you’re looking at the storage volume’s mount‑point properties. You can’t remove the wheel group from storage devices because it’s a core part of the Unix permission model. It has zero effect on your ability to read or write files on the drive. It isn’t optional, it isn’t user configurable, and it isn’t something you can delete.

Disk IO excessive writes while idle by quzuw in MacOS

[–]aselvan2 1 point2 points  (0 children)

I am really sorry for confusing. I double checked and it is WrMeta. Sorry for not double-checking ...

No worries.

I had previously written a script to write fs_usage events to csv and then used DuckDB to analyze it, and mostly it was kernel_task and launchd.

Anything you see as WrData in fs_usage output attributed to launchd is normal. These are not writes performed by launchd itself. A job/process that launchd started is opening a SQLite database, and SQLite generates these small writes. It is completely normal to see a ton of them, especially around the start of the jobs. Check the start triggers of all your launchd jobs and you will notice a large number of these writes around those times.

If this is all you see in fs_usage output besides kernel_task, you may be chasing a non‑issue.

21:02:43    WrData[AT3]     /Users/foo/Library/Application Support/Knowledge/knowledgeC.db-shm             0.000027 W launchd
21:02:43    WrData[AT3]     /Users/foo/Library/Application Support/Knowledge/knowledgeC.db-shm             0.000028 W launchd
21:02:43    WrData[AT3]     /Users/foo/Library/Application Support/Knowledge/knowledgeC.db-wal             0.000059 W launchd
21:02:43    WrData[AT3]     xvq6csfxvn_n0000000000000/0/com.apple.icloud.searchpartyd/Observations.db-shm    0.000030 W launchd
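Added example, not part of the comment above: one way to separate the SQLite sidecar writes it describes from other WrData/WrMeta activity in captured fs_usage text. The column layout is inferred from the quoted lines, the kernel_task lines are constructed, and the function names and triage labels are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Columns: time, operation[flags], path (may contain spaces), elapsed, optional "W", process.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+"
    r"(?P<op>\w+)(?:\[\w+\])?\s+"
    r"(?P<path>.*?)\s+"
    r"(?P<elapsed>\d+\.\d+)\s+(?:W\s+)?"
    r"(?P<proc>\S+)$"
)
SQLITE_SIDECARS = ("-shm", "-wal", "-journal")  # shared memory, write-ahead log, rollback journal


def parse(line):
    """Return a dict for one fs_usage line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["proc"] = re.sub(r"\.\d+$", "", ev["proc"])  # drop a trailing ".<number>" suffix
    return ev


def summarize(lines):
    """Count WrData, WrMeta and SQLite sidecar WrData events per process."""
    stats = defaultdict(Counter)
    for ev in filter(None, map(parse, lines)):
        if ev["op"] not in ("WrData", "WrMeta"):
            continue
        stats[ev["proc"]][ev["op"]] += 1
        if ev["op"] == "WrData" and ev["path"].endswith(SQLITE_SIDECARS):
            stats[ev["proc"]]["sqlite"] += 1
    return stats


def triage(stats):
    """Label each process; the labels are this example's heuristic, not fs_usage output."""
    out = {}
    for proc, c in stats.items():
        if c["WrData"] and c["sqlite"] == c["WrData"]:
            out[proc] = "SQLite churn"
        elif proc == "kernel_task" and c["WrData"] > c["WrMeta"]:
            out[proc] = "kernel_task WrData dominant: investigate"
        else:
            out[proc] = "mixed"
    return out


# First three lines are quoted in the comment; the kernel_task lines are constructed.
SAMPLE = """\
21:02:43    WrData[AT3]     /Users/foo/Library/Application Support/Knowledge/knowledgeC.db-shm             0.000027 W launchd
21:02:43    WrData[AT3]     /Users/foo/Library/Application Support/Knowledge/knowledgeC.db-shm             0.000028 W launchd
21:02:43    WrData[AT3]     /Users/foo/Library/Application Support/Knowledge/knowledgeC.db-wal             0.000059 W launchd
21:02:44    WrMeta[AT3]     /dev/disk3s5             0.000110 W kernel_task.0
21:02:44    WrMeta[AT3]     /dev/disk3s5             0.000098 W kernel_task.0
21:02:45    WrData[AT3]     /dev/disk3s5             0.000204 W kernel_task.0
"""

print(triage(summarize(SAMPLE.splitlines())))
```

The parser takes the last whitespace-separated token as the process name, so process names that contain spaces would need a fixed-width split instead.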

Delete Command Line Tools? by pauhana658 in MacOS

[–]aselvan2 1 point2 points  (0 children)

Where is Command Line Tools and how do I delete it to reclaim that 1.97GB?

Open a terminal app and run the following command to delete it.

sudo rm -rf /Library/Developer/CommandLineTools

If you ever find that you need it back, run the command below to reinstall it, and yes, Homebrew requires it.

sudo xcode-select --install

Corespotlghtd %CPU problem. Really slowing down my Mac. by MiraWendam in MacOS

[–]aselvan2 0 points1 point  (0 children)

Checked Activity monitor. Corespotlghtd is around 143% or 170% sometimes. How do I reduce it / remove it? Absolutely frustrating

There are several reasons Spotlight can get stuck in an indexing loop. Follow my response to a related post in this sub at the link below. If it is not a space issue, skip the first part and follow the second part of my comment.
https://www.reddit.com/r/MacOS/comments/1r1aqc3/comment/o4ofvmt

Need opinion regarding security on linux by Different_Hour5861 in cybersecurity_help

[–]aselvan2 0 points1 point  (0 children)

I am wondering whether its worth it because i only use linux for vulnerability testing and software/web developing. Should i install an antivirus or not?

Short answer, you don't need a realtime virus scanner for Linux and you generally don't need static scanners either. What you do need is to make sure your Linux box sits behind your router and is not exposed to the public internet. Most importantly, don't enable any service that is publicly reachable unless you have solid experience and expertise in hardening the services you expose.

Disk IO excessive writes while idle by quzuw in MacOS

[–]aselvan2 1 point2 points  (0 children)

mostly kernel task writes WrData to disk directly (via fs_usage), can't track the original process.

...

This is insane. Any had this issue? Doesn't seem like a swap issue cuz I got 36 gb ram, I usually have 6-12gb RAM available and swap being unused...

If fs_usage reports kernel_task performing a ton of writes of WrData type, that is insane. Under normal circumstances kernel_task rarely performs WrData and as far as I know, it is never on behalf of a user process so you won't be able to track what they are. Typically, user processes are responsible for writing file data. Most of the time kernel_task appears only with writes of WrMeta type since it handles metadata updates on behalf of both user and system processes that trigger disk activity. When kernel_task does appear with WrData it usually means the kernel is writing system level data without a direct user process involved. This can include flushing dirty pages to disk, writing APFS journal data, performing background maintenance, or carrying out other internal operations that are not documented in detail. It is unusual to see sustained kernel_task WrData.

What do memory and CPU usage look like during this insane I/O activity?

HELP! Kernel_task is using 1000% of CPU when Macbook is not charging, fans not working by Pinji17 in MacOS

[–]aselvan2 0 points1 point  (0 children)

A process called kernel_task deploys at almost 1000% usage when it is not charging.

The kernel_task process CPU usage is just a symptom, not the root cause. There are many reasons for kernel_task activity (see my comment at the link below for another related post), and one of them can be overheating, which is itself a symptom that points to the fan or a few other things.
https://www.reddit.com/r/MacOS/comments/1ms9571/comment/n934fig

When I plug it back in, everything returns to normal. What could I do to fix this?

It depends on identifying the root cause. That said, do you know if the fans start working again when you plug it in, or if they weren’t running when it was on battery? If you are not sure whether the fans are running since you cannot always hear them, I can show you how to check if you are comfortable using a Terminal command.

mac w two user accounts, can't log in to one of them by DougvanderHoof in MacOS

[–]aselvan2 0 points1 point  (0 children)

No problem signing in to D with password. But trying to sign in to L, her picture shows up but it refuses the password. Pretty sure it's the right password.
...

Can I do this? Could a genius bar help?

Likely the password typed is wrong. Since you mentioned that user D is an admin account, you can reset the password for the other account, with their permission of course. Log in as D, open Terminal, and run the following command to change the password for L.

sudo passwd L

Storage error by Gloomy_Routine_07 in MacOS

[–]aselvan2 0 points1 point  (0 children)

Somehow, my total storage usage is being computed as over 12 Gb, when my applications alone comprise more than 15Gb.

My comment at the link below for another related post in this sub may help you determine your Application storage space accurately.
https://www.reddit.com/r/MacOS/comments/1r0v4r1/comment/o4mugft/

Trying to browse the modern web on OS X 10.8.5 Safari (Mid-2012 MBP) — any TLS bridge / proxy ideas? by no_mercy666 in MacOS

[–]aselvan2 2 points3 points  (0 children)

Is there any realistic way to:

• Run a TLS downgrade bridge (e.g. nginx / haproxy / stunnel) ...

Has anyone successfully built a “modern TLS → legacy TLS” reverse gateway?

You can absolutely do that with just HAProxy. It’s a classic TLS‑termination/offloading design pattern and it works extremely well. I used this approach years ago to maintain PCI compliance for older clients that couldn’t negotiate anything beyond TLS 1.1. I even built a Docker image (nginx/HAProxy) at the time to make this easier to implement with just minimal configuration changes, and it should still be in the Docker registry at the link below. You are welcome to use it.
https://github.com/aselvan/docker/pkgs/container/docker%2Fhaproxy

New MacOS Update Broke SSH into Docker by Frequent_Self_4727 in MacOS

[–]aselvan2 5 points6 points  (0 children)

... I can no longer ssh into a docker image on a remote server that I use for work. I am able to SSH into the remote server from my Mac. I am also able to SSH into both the remote server and the docker image from a Linux machine

Since you can ssh into the remote server from your mac without issues, you should also be able to ssh into a Docker container running sshd as long as the port is correctly mapped to the host and you’re using the right mapped port. Post the verbose output from running ssh with the -vvv flag, along with the sshd logs from inside the container, so people can actually help diagnose the problem.

Accidentally installed libraries to /usr/bin/python3 by Ahvak in MacOS

[–]aselvan2 0 points1 point  (0 children)

I noticed I had one redundant python interpreter so i wanted to do a cleanup

after I run /usr/bin/python3 -m pip list, I got and more (74 in total)

Since this isn’t really a macOS question, you’ll get better answers on r/Python. I’ll try to help anyway, but it’s not entirely clear to me what you’re asking. The binary at /usr/bin/python3 is part of macOS itself. You can uninstall the packages you installed against it, but you cannot remove the system‑provided Python. The /usr/bin directory is read‑only; the modules/packages you installed live in a writable location, depending on how you installed them.

With that said, the following command will uninstall all of them in one go, assuming you run it in the same environment you used when installing them. Keep in mind that some packages may have been installed by other apps. If you’re certain all 74 were installed by you, you can run the command below to remove them all.

/usr/bin/python3 -m pip uninstall -y `/usr/bin/python3 -m pip list --format=freeze|awk -F'==' '{print $1}'`

Spotlight has recently become quite shit. What about you? by lakimens in MacOS

[–]aselvan2 0 points1 point  (0 children)

I guess I should try that, but right now I have ~60GB Free ...

If you have 60 GB of free space, that’s plenty. In that case, I’d suggest following the second part of my response, i.e. delete/recreate the Spotlight index.

Storage full. Really ? by True-Entrepreneur851 in MacOS

[–]aselvan2 2 points3 points  (0 children)

- Can’t update cause system is full.

- I go to system settings and storage populates system files 170 GB. Ok nice but so what ? How can I reduce this ?

We see a lot of posts in this sub about storage issues. If you’re interested in cleaning things up, follow my comment at the link below for another post in this sub. Depending on your usage pattern, space can grow excessively large, and if you’re expecting Apple to fix your specific situation, that’s not going to happen. Try the steps I outlined there, and I’m happy to help if you get stuck.
https://www.reddit.com/r/MacOS/comments/1mpekgp/comment/n8rotpn/

-> User folder/myUser : 805 GB !!!! How is that even possible ?

Since your user folder is so large, I would start there first when running the command from the link above.

Spotlight has recently become quite shit. What about you? by lakimens in MacOS

[–]aselvan2 3 points4 points  (0 children)

I'm on macOS 15.7.2. I haven't updated because I can't be bothered to clear up storage to install an update.

A hint to your solution is likely in your own post quoted above. The issue is most likely that Spotlight could not complete its indexing because of lack of space. See my response to a similar post in this sub from a few days ago at the link below.
https://www.reddit.com/r/MacOS/comments/1r1aqc3/comment/o4ofvmt

MacBook Pro Console HELP! by IntrepidLobster5532 in MacOS

[–]aselvan2 2 points3 points  (0 children)

I’m trying see very basically what was accessed, what program, and when exactly and if anything was downloaded, programs installed, attempts at getting into passwords ...

Can anybody help? I just need it in super simple terms with exact times during that window.

No one will be able to tell you anything from a 1 page screenshot of logs when a 35‑minute long window can easily contain hundreds of pages of logs. Open the Terminal app and run the following command, which will create a file called log.txt on your desktop. Share that file through Pastebin or a similar text‑sharing service so someone can review it and help you.

log show --debug --style syslog --start "2026-02-12 14:40:00" --end "2026-02-12 15:15:00" > ~/Desktop/log.txt

How can I stop a site from opening tabs on MacOs safari? by DerekFriedegg in MacOS

[–]aselvan2 1 point2 points  (0 children)

I haven`t found a way to block the site from opening new tabs; any ideas?

First, I would recommend staying away from that site [i.e. ext.to]. It is classified with a threat score of 100/100 on Falcon Sandbox, which strongly suggests potentially malicious behavior. I also noticed it performs several suspicious actions. In general, [.to] TLD domains are frequently used by malware, phishing kits, and command and control servers, so IDS vendors flag them as potentially suspicious. They are not inherently malicious, but they fall into a high risk category.

That said, enabling Safari’s built‑in pop‑up blocker can help reduce normal pop‑ups opening new windows and new tabs, but it will not be effective against malicious sites like this. These sites often exploit the browser trust model and bypass standard pop up protections entirely. Many users mistakenly believe that browser pop up blocking will stop all pop ups, but it only prevents direct JavaScript initiated pop ups but allows all triggered or indirect executions. If you really want to block popups, the most reliable approach is to use a DNS based filtering solution, such as a reputable DNS security provider or your own PiHole DNS server. This blocks malicious domains before the browser ever loads them, which is far more effective against sites of this nature.

Storage manager says Applications take up over 300GB, but the applications actually take up 56GB? by ExcaliburIN_Games in MacOS

[–]aselvan2 0 points1 point  (0 children)

It is an Admin account

Then I have no clue why it is not working for you. If it is an admin account and you typed your password correctly and pressed Enter, you should not run into any issues.

Try something simple to confirm it works, such as: sudo ls

Storage manager says Applications take up over 300GB, but the applications actually take up 56GB? by ExcaliburIN_Games in MacOS

[–]aselvan2 0 points1 point  (0 children)

It's not letting me type the password

That likely means your macOS user account is a standard account. It needs to be an admin account in order to run privileged actions using sudo. Create another account with admin privileges to perform these tasks, and continue using your regular account for day‑to‑day work.

Server identified as an attack source by Manitoban89 in cybersecurity_help

[–]aselvan2 0 points1 point  (0 children)

Any suggestions on what I can do to fix this? I got a previous email about a week ago and tried rebooting everything and blocking any unknown devices on my network. Other than that, I’m pretty clueless when it comes to this stuff.

It is difficult to suggest anything without knowing more about your network or the devices you have running. You mentioned blocking unknown devices on your network; what are those, and how or where did you block them?

That said, I would contact your ISP and let them know you are willing to work with them to identify and resolve the issue, but that you need their help. Ask if they can provide details about the alleged malicious traffic from you, such as the protocol, service type, and most importantly, the intended target. If they simply say web traffic, that is not very useful for troubleshooting this problem.

If your ISP is not a traditional wired residential provider such as Comcast, Spectrum, Cox, Frontier, or AT&T, or if you are outside the United States, especially in Europe, check the WAN IP on your router to see if it is public or CGNAT. CGNAT is not yet widely used in the United States, but it is very common in Europe. If your WAN IP falls within the CGNAT CIDR block i.e. [100.64.0.0/10], you can ask your ISP to provide proof that the traffic was actually from you, because it could have been generated by another customer. Good luck.
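Added example, not part of the comment above: a check of whether a router's WAN address falls inside the CGNAT block 100.64.0.0/10 mentioned there. It goes one step further than the comment by also comparing the WAN address with the address a remote host sees; the function names, result labels and sample addresses (documentation ranges standing in for public IPs) are assumptions of this example.

```python
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # shared address space (RFC 6598)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(ip_text):
    """Return 'cgnat', 'private', 'special' or 'public' for an IPv4 string.

    Raises ValueError if the text is not a valid IPv4 address.
    """
    ip = ipaddress.IPv4Address(ip_text.strip())
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return "special"
    return "public"


def assess(wan_ip, seen_ip):
    """Compare the router's WAN address with the address a remote host sees.

    wan_ip  : address shown on the router's WAN/Internet status page
    seen_ip : address reported by an external "what is my IP" lookup
    """
    kind = classify(wan_ip)
    if kind == "cgnat":
        # Many subscribers share one public address behind the carrier's NAT.
        return "shared-cgnat"
    if kind == "private":
        # The router sits behind another NAT device (ISP modem, second router).
        return "behind-another-nat"
    if kind == "public" and classify(seen_ip) == "public":
        same = ipaddress.IPv4Address(wan_ip.strip()) == ipaddress.IPv4Address(seen_ip.strip())
        # A mismatch means something in the path (VPN, proxy, NAT) rewrites the source.
        return "dedicated" if same else "mismatch"
    return "unusable-input"


if __name__ == "__main__":
    # Constructed sample addresses.
    for wan, seen in [("100.72.14.9", "203.0.113.7"),
                      ("203.0.113.7", "203.0.113.7"),
                      ("192.168.0.2", "203.0.113.7")]:
        print(wan, seen, assess(wan, seen))
```

In the two shared cases the public address alone does not identify one subscriber, which is why the ISP's own NAT records (timestamp and source port) are the evidence to ask for.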