Channels
#macos
Title
# macos
g
grant seltzer
03/13/2020, 12:43 PMDoes anyone know if there’s a way to do a query that’ll tell you if a macbook lid is closed? or if the screensaver is running/sleeping?
s
seph
03/13/2020, 12:46 PM
I know I’ve found a way to get the length of time a machine has been awake for. (Though I forget where I found that)
Though that’s not really the same as lid closed
g
grant seltzer
03/13/2020, 12:50 PMYea that’s the
uptimeI’m looking around seeing if there’s a file that gets created when the lid is closed or something
s
seph
03/13/2020, 12:50 PM
Uptime is time since boot. There’s another plae to query time since sleep.
But that’s not the same as whether or not it’s locked
g
grant seltzer
03/13/2020, 12:55 PMoh interesting! yea I misread
I’ll keep looking and update here if you’re curious
Ah ok, found this nice command:
pmset -g log|grep -e " Sleep " -e " Wake "Now how to expose that through osquery
s
seph
03/13/2020, 1:02 PM
I know I found something in it already. Maybe in nvram or a plist somewhere
g
grant seltzer
03/13/2020, 1:06 PMinteresting, maybe screen/battery saver has a plist file
f
fritz
03/13/2020, 1:07 PMthe screensaver time is in the power management plist
i'll nab you a query i wrote for that
Copy code
osquery> SELECT * FROM plist WHERE path = '/Library/Preferences/com.apple.PowerManagement.plist';
+---------------------+---------------------------------+-------+------------------------------------------------------+
| key | subkey | value | path |
+---------------------+---------------------------------+-------+------------------------------------------------------+
| SystemPowerSettings | Update DarkWakeBG Setting | 1 | /Library/Preferences/com.apple.PowerManagement.plist |
| AC Power | Display Sleep Uses Dim | 1 | /Library/Preferences/com.apple.PowerManagement.plist |
| AC Power | DarkWakeBackgroundTasks | 1 | /Library/Preferences/com.apple.PowerManagement.plist |
| AC Power | Wake On LAN | 1 | /Library/Preferences/com.apple.PowerManagement.plist |
| AC Power | System Sleep Timer | 10 | /Library/Preferences/com.apple.PowerManagement.plist |
| AC Power | Disk Sleep Timer | 10 | /Library/Preferences/com.apple.PowerManagement.plist |
| AC Power | Automatic Restart On Power Loss | 0 | /Library/Preferences/com.apple.PowerManagement.plist |
| AC Power | GPUSwitch | 2 | /Library/Preferences/com.apple.PowerManagement.plist |
| AC Power | Display Sleep Timer | 10 | /Library/Preferences/com.apple.PowerManagement.plist |
+---------------------+---------------------------------+-------+------------------------------------------------------+Bear in mind any plist can be overwritten by managed_policies etc. and is not the safest point of reference
This also does not answer your original question
which is whether the lid is closed or the screensaver is currently active
g
grant seltzer
03/13/2020, 1:16 PMInteresting, so these are just settings right?
Still useful! thank you!
f
fritz
03/13/2020, 1:17 PMThat's correct @grant seltzer
Unfortunately these prefs do not seem to be captured in the standard
preferencesIf you ever want to search for plists that encode settings/preferences my workflow is typically to use FSMonitor.app and then while it is running adjust a given setting:
g
grant seltzer
03/13/2020, 1:23 PMHm, what exactly am I looking at here?
Why would a plist file not encode settings?
f
fritz
03/13/2020, 1:25 PMYou are looking at the output of FSMonitor an app that monitors all File System events while recording.
I changed my Energy Saver settings while recording in FSMonitor to see the files that were touched.
Which led me to
com.applePowerManagement.plistThere is a way to retrieve lid state from the terminal using
ioreg Copy code
ioreg -r -k AppleClamshellState -d 4 | grep AppleClamshellState | head -1🆒 1
g
grant seltzer
03/13/2020, 4:25 PMah cool, that one was really helpful, thank you!
I can’t use osquery to shell out and run that command, can I?
s
seph
03/13/2020, 4:26 PM
Not in core, no.
You can write a plugin.
g
grant seltzer
03/13/2020, 4:29 PMI suppose that’s a good thing lol
Thank you!
t
theopolis
03/13/2020, 8:33 PM
It might be a good idea to explore creating a table that gives you all of the ioreg properties for a given node name
f
fritz
03/13/2020, 8:41 PM@theopolis That is an awesome idea!
Vs. a dozen tables with the same underlying approach
osquery 1
a
allister
03/15/2023, 1:22 AMPardon the thread necromancy, but I bikeshedded on this in the meantime
Copy code
/usr/sbin/ioreg -r -k AppleClamshellState -d 4 | /usr/bin/awk '/ClamshellS/ {print $4}'s
seph
03/15/2023, 1:24 AM
Kolide launcher ships an ioreg table (it’s an exec) if make not be suitable for all environments.
11 Views