
humpbacktwale

macrumors regular
Original poster
Dec 20, 2019
Noticed them under my diagnostic logs. The heaviest stack for the largest process is as follows:
  • libsystem_pthread.dylib
  • libdispatch.dylib
  • PowerlogCore
  • libsqlite3
I have gotten about 3 of these in the last month, and can't really find anything useful about what they indicate. Only thing that really jumps out is under Parent in the log, it just says UNKNOWN [1], however this also seems to be the case for some other crashlogs. Apart from the fact they all have the same heaviest stack, I can't find a cause for them, so wondered if anyone else could shed some light?

Edit: Just for clarification in case anyone else wants to look or doesn't know what I am talking about, these are the diagnostic logs found under Privacy -> Analytics and Improvements -> Analytics Data
 
This Xcode document might shed some light on it...

Aggregated writes seem to be writes from multiple sources being cached and written at once. The OS can't write immediately all of the time, and such immediate writes will slow the entire system down. I think most 'advanced' OSes cache their writes to storage. It was one of the issues with power outages with Unix. It caches a lot of data to be written, and if the power drops, all that data is gone. If it is data that was necessary for the OS, and the power died, the filesystem may be corrupted and made unable to restart. A painful incident for sure...
 
Hmm, ok, but I wonder what is the cause, which is why I wanted to see if anyone else had similar logs? The fact that PowerLogCore appears seems strange. Why would there be excessive writes needing to be cached for it?
 
Hmm, ok, but I wonder what is the cause, which is why I wanted to see if anyone else had similar logs? The fact that PowerLogCore appears seems strange. Why would there be excessive writes needing to be cached for it?

It would depend on the load on the system at the time. If your system is busy doing things, it will cache more data for writes. The system also keeps track of where the data is, and if it hasn't been written, the system knows where to find it. Some data is never written because it changes so much. Memory management seems more art than science.

I don't think I'd be worried about it, as long as the system is working okay. And don't Google that too much. There are a raft of brain dead posts insinuating that the existence of that count means you have been hacked. There is no information I could find to support that hypothesis.

Looking at the logs is sometimes humorous, and sometimes horrifying. I remember, in early versions of macOS, seeing humorous error and warning messages. Seeing 'These aren't the droids you're looking for' made me laugh. It was probably a tag put in by programmers to announce an issue that they were researching at the time. I used to put 'call-outs' to track program execution, and it's a vital tool to help, usually, in programming. I've seen words like 'panic', and 'failed', but some of those failed's are supposed to fail. When I ran my company, I counseled clients to not look at their logs, as they are often filled with random useless data that means, in many cases, that everything is working like it should. Distilling logs is like sifting sand. Even pros can get lost deciphering them.

Unless someone else has an opinion otherwise, I wouldn't freak out too much...
 
I don't think I'd be worried about it, as long as the system is working okay. And don't Google that too much. There are a raft of brain dead posts insinuating that the existence of that count means you have been hacked. There is no information I could find to support that hypothesis.
Yeah see this is the annoying thing. Anytime I get curious about log reports and go have a look, it's just people with the same logs saying their phone has been hacked, which is very annoying :/

I wonder, given it's PowerLogCore, could this somehow be related to the battery issues people have been having recently with iOS 14, as in data related to it isn't being managed correctly? Looking at some of those posts, ravings aside, they all do seem to be from the last 6 months or so.....
 
Yeah see this is the annoying thing. Anytime I get curious about log reports and go have a look, it's just people with the same logs saying their phone has been hacked, which is very annoying :/

I wonder, given it's PowerLogCore, could this somehow be related to the battery issues people have been having recently with iOS 14, as in data related to it isn't being managed correctly? Looking at some of those posts, ravings aside, they all do seem to be from the last 6 months or so.....

It could be literally nothing...
 
True. I am just curious if anyone else is getting something similar. Mainly, when I saw this entry on AlienVault, it mentioned both aggregated and powerlogcore, which I find concerning, although the post in general seems very incoherent, and I can't make out what they are actually indicating.
 
True. I am just curious if anyone else is getting something similar. Mainly, when I saw this entry on AlienVault, it mentioned both aggregated and powerlogcore, which I find concerning, although the post in general seems very incoherent, and I can't make out what they are actually indicating.

It looks like junk to me. There is no 'Department of Technology' that I've ever been aware of. There are other groups that I would trust one hell of a lot more than a poorly worded post on a site like that.

I mean, get a grip. There is so much bull crap swamping the world right now, and people are able to leverage that BS to frighten people and make money. Likely, every click on that site supports someone laughing at how gullible people are, laughing at them, and hoping the gullibility continues...

I'm beginning to wonder if you are part of a way for the BS artists to market their scare tactics to more people. Because if it were as nefarious as you keep insinuating, way more information would exist than what I'm finding.

Powerlogcore appears to be a private framework released in 2016 for iOS 10. Its use is unknown to me. But if you are going to work yourself up over this, then continue...

This could be a useful and benign framework used by an app you have installed. Find the app, and you have your 'crime'.


I remember there were hysterical posts about a file in Windows. That if you see that file, you had to 'delete it AT ONCE!' because 'you were at GREAT RISK'. Thousands of people deleted that file, a name that seemed innocuous enough, but their Windows never restarted. People had to reinstall their Windows. So once again: log files contain a lot of information, and anyone seeking to frighten people can pick a lot from them to scare the living crap out of gullible people.

But hey, carry on. I wish you luck. There is a lot to freak out about out there...
 
I'm beginning to wonder if you are part of a way for the BS artists to market their scare tactics to more people. Because if it were as nefarious as you keep insinuating, way more information would exist than what I'm finding.

Powerlogcore appears to be a private framework released in 2016 for iOS 10. Its use is unknown to me. But if you are going to work yourself up over this, then continue...
All I asked in my post was if anyone else had similar logs, which I think is reasonable, to ascertain whether this is a recent bug or not. I didn't say it was nefarious, only that some of what was returned when I searched seemed concerning, as I couldn't find any actual information about what exactly was causing it.
I mean, get a grip. There is so much bull crap swamping the world right now, and people are able to leverage that BS to frighten people and make money. Likely, every click on that site supports someone laughing at how gullible people are, laughing at them, and hoping the gullibility continues...
Open Threat Exchange is a fairly popular open source threat intelligence repository created by AT&T. I don't think it's likely it was created to scare people, but for them to get a foothold in a market where their competitors already have one.
This could be a useful and benign framework used by an app you have installed. Find the app, and you have your 'crime'.
Given it is part of PowerCore, I assume it is just something that the operating system is using. There is no indication in any of the logs what application is utilising this framework, unfortunately.
 
All I asked in my post was if anyone else had similar logs, which I think is reasonable, to ascertain whether this is a recent bug or not. I didn't say it was nefarious, only that some of what was returned when I searched seemed concerning, as I couldn't find any actual information about what exactly was causing it.

Open Threat Exchange is a fairly popular open source threat intelligence repository created by AT&T. I don't think it's likely it was created to scare people, but for them to get a foothold in a market where their competitors already have one.

Given it is part of PowerCore, I assume it is just something that the operating system is using. There is no indication in any of the logs what application is utilising this framework, unfortunately.

Well, to be honest, there is a slight chance that this is nefarious, but it is slight. Apple bans apps that use private frameworks, but that depends, from what I have found, on what the private framework is. *Some* are apparently okayed, but many are not.

But is it possible that this is an attack? Possible? Anything is possible. Likely? No. Does this mean that it's all BS? Well, scaring people is what political parties and groups of all kinds do on a regular basis. Scaring people makes those scared freak out and do things that are not in their short-term and long-term best interests. So, from what I found, this seems to be, if it is a compromise of macOS, an under-reported assault on Apple Mac products. You could make millions, or at least some money, if you can prove it's real. It's long odds. Good luck.

I had a client that found a flaw in Windows Media Player. If you had over a certain amount of 'content', the system crashed. He found the flaw. An 80-year-old man with a love of harp music, and polkas. I used to joke that it was 'quality control, and a reaction to the amount of polka music he had on his computer'. He actually hit me! (More of a smack on the arm, and we both LOAO afterward)
 
Don't think it could be a malicious app. I only have 2 non-apple apps on my phone atm, and they are massively popular ones. From what I can tell from the logs, aggregated is what was using powerlogcore, and the other privateframeworks, and it itself is a privateframework.

Just thought this may have been a bug or something.
 
The trouble with reading the contents of logs is that, unless you're an engineer intimately familiar with what it all means, you're going to have a whole lot more questions than answers. Is a call to a particular software module expected or unexpected? That depends upon a wide variety of circumstances - what else was running/trying to run at that time? These are very complex systems.

All too often, people concerned about what they see in their logs assume that something they don't recognize must be abnormal. While that's certainly within the realm of possibility, when engineers inspect logs they are typically looking for correlation to a known fault - a trail of breadcrumbs left when something malfunctions. When they're not looking for faults, they're using the logs for things like code/process/hardware optimization.

"Just thought this may have been a bug or something." Well, was something not working correctly? For these purposes, "Could be working better" isn't a useful answer. There's always something that can work better - better power efficiency, faster execution, etc. But unless/until the issue is identified and the code rewritten, "less than optimal" is going to be "normal" operation.

If things seem to be working normally, then chances are what you're seeing in the logs is normal.
 
Honestly, my main issue is that the only recent posts, i.e. from 2021, that I can find with a log for both aggregated and powerlogcore are usually people saying help, I've been hacked, which doesn't, as PinkyMacGoddess pointed out, really help. That combined with very little information on either of these privateframeworks/daemons.
 
Honestly, my main issue is that the only recent posts, i.e. from 2021, that I can find with a log for both aggregated and powerlogcore are usually people saying help, I've been hacked, which doesn't, as PinkyMacGoddess pointed out, really help. That combined with very little information on either of these privateframeworks/daemons.
Well, private frameworks are private. Most of them are barred from being used in the Apple App Store, which is a solid reason why Apple should not be barred from keeping their app store an oasis in a world of crooks and cheats.

I applaud Apple for trying to keep their customers safe, and I may be biased, but I'm one of them. *Something* has to stand up to the hacks, crooks, scammers, nefarious people who feed off gullible people.

I can say it again, it is entirely possible that this is benign and this is nothing, or, more nefarious, that bad information is being seeded into areas to deliberately befuddle and confuse people who might trip upon this issue.

But, hey, if you love the excitement, and can convince yourself that *someone* has hacked you, go for it. I loved it when people hit my firewall. I spent many nights watching people try to pick their way through my firewall, and I would block them, and they would try with another IP address. Why was I concerned? I really wasn't. I have no state secrets on my network, no nuclear secrets, no online banking, no secret plans, no secret recipes, not nothing. My network is pretty boring. But that doesn't mean that I want people in China, or Peoria, pawing through my stuff. When I first saw it, I was a little panicked. Then I realized I could make life interesting for them too. It was fun. Several entire IP address ranges related to China, Korea, Russia, and Indiana are blocked. The entire subnet, blocked.

So anyway. There is a LOT of disinformation out there. TONS AND TONS!!! A huge part of searching on the internet is using the 'is it possible', and 'where is this information coming from'. If it sounds like transliterated 'English', it smells strong. If it comes from a sketchy URL, it stinks even more. If that is the only site, and other sites are also 'smelly', you really need to just sit down, take a deep breath, and figure out why you want to be a victim.

Enjoy...
 
A huge part of searching on the internet is using the 'is it possible', and 'where is this information coming from'. If it sounds like transliterated 'English', it smells strong. If it comes from a sketchy URL, it stinks even more. If that is the only site, and other sites are also 'smelly', you really need to just sit down, take a deep breath, and figure out why you want to be a victim.
I'd hardly call OTX, the Apple discussions and a Malwarebytes forum sketchy or smelly......

Again, I was simply commenting that I found it odd that the only posts I could find were about people assuming this was malicious. I didn't state it was. I just wanted to see if this was a common diagnostic log, and not indicative of a bug, or a sign that my phone's flash memory was going to be excessively written to and degrade.
 
I'd hardly call OTX, the Apple discussions and a Malwarebytes forum sketchy or smelly......

Again, I was simply commenting that I found it odd that the only posts I could find were about people assuming this was malicious. I didn't state it was. I just wanted to see if this was a common diagnostic log, and not indicative of a bug, or a sign that my phone's flash memory was going to be excessively written to and degrade.

Apologies, I never meant to directly criticize you. I was just trying to point out that there are many areas where disinformation pops up. And you do you. If it is nefarious, I would assume more people would be commenting on it, and it would be more widely known.

I could be wrong. I could be right. I hope it's nothing...
 
Interestingly, according to Amnesty International and Citizen Lab, Pegasus malware uses a process called aggregatenotd and spoofs its binary as the aggregated process. However, I don't know how likely it would be for a log report to be generated if this was the case, or, if it was, whether the log would be generated because it mistakes it for the actual process and as such lists the legitimate process's file path.
 