Develop Reference

Using Powershell [DateTime]::ParseExact - Funny Strings?

Good afternoon Powershell wizards!
I am hoping someone can explain to me how I can fix this issue, and more importantly what the issue actually is!
I'm attempting to fix an old script I wrote years ago that searches for several dates on a files properties and picks one to use for renaming that file.
The issue I'm having is that when I use parseExact it fails for the date strings read from the files... but it works if I manually type the same string into powershell!
Please note that this script is only going to be ran on my PC and only needs to work with dates from my files formats so I'm not too worried about use of $null unless it's related.
See example below:
Write-Host "TEST 1"
$DateTime = [DateTime]::ParseExact("240720211515","ddMMyyyyHHmm",$null)
Write-Host $DateTime # WORKS!
Write-Host "TEST 2"
$DateTime2 = [DateTime]::ParseExact("‎24‎07‎2021‏1515","ddMMyyyyHHmm",$null)
Write-Host $DateTime2 # FAILS!
Looks the same right?
Here is a more real world example of what I'm up to that fails
$file = Get-Item "C:\SomeFolder\somefile.jpg"
$shellObject = New-Object -ComObject Shell.Application
$directoryObject = $shellObject.NameSpace( $file.Directory.FullName )
$fileObject = $directoryObject.ParseName( $file.Name )
$property = 'Date taken'
for(
$index = 5;
$directoryObject.GetDetailsOf( $directoryObject.Items, $index ) -ne $property;
++$index) { }
$photoDate = $directoryObject.GetDetailsOf($fileObject, $index)
Write-Host $photoDate # <-- This reads ‎03/‎08/‎2021 ‏‎09:15
$output = [DateTime]::ParseExact($photoDate,"dd/MM/yyyy HH:mm",$null) # <-- This fails
Write-Host $output
# If i manually type in here it works.... If I copy and paste from the Write-Host it fails...
$someInput = "03/08/2021 09:15"
$workingOutput = [DateTime]::ParseExact($someInput,"dd/MM/yyyy HH:mm",$null)
Write-Host $workingOutput

For anyone else who comes across this, it seems like there are invisible characters being added. Thanks for the spot #SantiagoSquarzon
This fixes it for my particular purposes:
$photoDate = $directoryObject.GetDetailsOf($fileObject, $index)
$utfFree = $photoDate -replace "\u200e|\u200f", ""

I ran into this issue when I started exploring metadata with PowerShell. My solution was to create a regex "inverted whitelist" character class and delete (replace with '') all non-whitelist characters.
But then I learned of an alternate method avaiable to FolderItem obejcts: the ExtenedProperty() method.
Gets the value of a property from an item's property set. The property can be specified either by name or by the property set's format identifier (FMTID) and property identifier (PID).
It's primary strength being the feturn type corresponds to the property value type:
When this method returns, contains the value of the property, if it exists for the specified item. The value will have full typing—for example, dates are returned as dates, not strings.
Using this method to access date properties eliminates string parsing and the issues you encountered:
PS Pictures> $FileInfo = Get-Item "C:\Users\keith\Pictures\Leland\2009\Leland 191.JPG"
PS Pictures> $Shell = New-Object -ComObject shell.application
PS Pictures> $comFolder = $Shell.NameSpace($FileInfo.DirectoryName)
PS Pictures> $comFile = $comFolder.ParseName($FileInfo.Name)
PS Pictures>
PS Pictures> $comFolder.GetDetailsOf($null,12)
Date taken
PS Pictures> $comFolder.GetDetailsOf($comFile,12)
‎9/‎5/‎2009 ‏‎2:06 PM
PS Pictures> $comFolder.GetDetailsOf($comFile,12).GetType()
IsPublic IsSerial Name BaseType
-------- -------- ---- --------
True True String System.Object
PS Pictures> $comFile.ExtendedProperty("DateTaken")
PS Pictures> $comFile.ExtendedProperty("System.Photo.DateTaken")
Saturday, September 5, 2009 07:06:41 PM
PS Pictures> $comFile.ExtendedProperty("System.Photo.DateTaken").GetType()
IsPublic IsSerial Name BaseType
-------- -------- ---- --------
True True DateTime System.ValueType
It also returns arrays for properties than can contain multiple values (Tags, Contributing Artists, etc/):
PS Pictures> $comFolder.GetDetailsOf($null,18)
Tags
PS Pictures> $comFolder.GetDetailsOf($comFile,18)
Leland; Tim; Jorge
PS Pictures> $comFolder.GetDetailsOf($comFile,18).GetTYpe()
IsPublic IsSerial Name BaseType
-------- -------- ---- --------
True True String System.Object
PS Pictures> $comFile.ExtendedProperty("System.KeyWords")
PS Pictures> $comFile.ExtendedProperty("System.Keywords")
Leland
Tim
Jorge
PS Pictures> $comFile.ExtendedProperty("System.Keywords").GetType()
IsPublic IsSerial Name BaseType
-------- -------- ---- --------
True True String[] System.Array
But GetDetailsOf() is still useful, particularly for values that use an EnumList:
PS Pictures> $comFolder.GetDetailsOf($null,261)
Flash mode
PS Pictures> $comFolder.GetDetailsOf($comFile,261)
No flash, auto
PS Pictures> $comFile.ExtendedProperty("System.Photo.Flash")
24

Yeah something weird is going on with that string. (paste with control v in the console) It doesn't display right in stackoverflow, but ascii only goes up to code 0x7f (127). You can see the 200e and 200f hex codes. They look like little hooks. (emoji's would require extra handling with the surrogate characters)
$string = '# <-- This reads ‎03/‎08/‎2021 ‏‎09:15'
function chardump {
param($string)
[char[]]$string |
% { [pscustomobject]#{Char = $_; Code = [int]$_ | % tostring x} }
}
chardump $string
Char Code
---- ----
# 23
20
< 3c
- 2d
- 2d
20
T 54
h 68
i 69
s 73
20
r 72
e 65
a 61
d 64
s 73
20
‎ 200e
0 30
3 33
/ 2f
‎ 200e
0 30
8 38
/ 2f
‎ 200e
2 32
0 30
2 32
1 31
20
‏ 200f
‎ 200e
0 30
9 39
: 3a
1 31
5 35
chardump $string | ? {[int]('0x' + $_.code) -gt 0x7f}
Char Code
---- ----
‎ 200e
‎ 200e
‎ 200e
‏ 200f
‎ 200e

Windows Volume without a Partition

Background:
I'm working on a powershell script to automate installation from a USB stick via WinPE. Because the target systems have several drives, each possibly having a couple partitions, Windows quickly runs out of drive letters. Part of my script unassigns all drive letters, then reassigns only the necessary disks. Right now, I assign hard-coded letters to certain partitions, but I've run into a problem with one of the letters not being unassigned.
The issue is that I somehow have a volume with an assigned drive letter, yet there's apparently no underlying partition, and since Remove-PartitionAccessPath requires a partition object, there's no way to do it from powershell (without resorting to diskpart).
Here's the output of diskpart - you can see the selected disk has no partitions, yet somehow has a volume:
Microsoft DiskPart version 10.0.15063.0
Copyright (C) Microsoft Corporation.
On computer: MININT-6GI0UNM
DISKPART> list disk
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 5589 GB 0 B *
Disk 1 Online 5589 GB 0 B *
Disk 2 Online 5589 GB 0 B *
Disk 3 Online 5589 GB 0 B *
Disk 4 Online 5589 GB 0 B *
Disk 5 Online 5589 GB 0 B *
Disk 6 Online 5589 GB 0 B *
Disk 7 Online 5589 GB 0 B *
Disk 8 Online 5589 GB 0 B *
Disk 9 Online 5589 GB 0 B *
Disk 10 Online 5589 GB 0 B *
Disk 11 Online 5589 GB 0 B *
Disk 12 Online 447 GB 0 B *
Disk 13 Online 447 GB 0 B *
Disk 14 Online 232 GB 0 B *
Disk 15 Online 29 GB 29 GB
Disk 16 Online 28 GB 0 B *
DISKPART> sel disk 15
Disk 15 is now the selected disk.
DISKPART> list part
There are no partitions on this disk to show.
DISKPART> detail disk
ATA Hypervisor USB Device
Disk ID: E0623CE6
Type : USB
Status : Online
Path : 0
Target : 0
LUN ID : 0
Location Path : UNAVAILABLE
Current Read-only State : No
Read-only : No
Boot Disk : No
Pagefile Disk : No
Hibernation File Disk : No
Crashdump Disk : No
Clustered Disk : No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
Volume 20 E Removable 0 B Unusable
DISKPART>
Here's what happens when I try to remove the letter from powershell:
PS X:\sources> Get-Volume -DriveLetter E | Remove-PartitionAccessPath -AccessPath "E:"
Remove-PartitionAccessPath : The input object cannot be bound to any parameters for the command either because the
command does not take pipeline input or the input and its properties do not match any of the parameters that take
pipeline input.
At line:1 char:29
+ ... t-Volume -DriveLetter E | Remove-PartitionAccessPath -AccessPath "E:"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (MSFT_Volume (Ob...rosoft/Wind...):PSObject) [Remove-PartitionAccessPat
h], ParameterBindingException
+ FullyQualifiedErrorId : InputObjectNotBound,Remove-PartitionAccessPath
PS X:\sources> Get-Volume -DriveLetter E | fl *
OperationalStatus : Unknown
HealthStatus : Healthy
DriveType : Removable
FileSystemType : Unknown
DedupMode : NotAvailable
ObjectId : {1}\\MININT-6GI0UNM\root/Microsoft/Windows/Storage/Providers_v2\WSP_Volume.ObjectId="{63585070-
3cd2-11e7-b877-806e6f6e6963}:VO:\\?\Volume{635850c4-3cd2-11e7-b877-806e6f6e6963}\"
PassThroughClass :
PassThroughIds :
PassThroughNamespace :
PassThroughServer :
UniqueId : \\?\Volume{635850c4-3cd2-11e7-b877-806e6f6e6963}\
AllocationUnitSize : 0
DriveLetter : E
FileSystem :
FileSystemLabel :
Path : \\?\Volume{635850c4-3cd2-11e7-b877-806e6f6e6963}\
Size : 0
SizeRemaining : 0
PSComputerName :
CimClass : ROOT/Microsoft/Windows/Storage:MSFT_Volume
CimInstanceProperties : {ObjectId, PassThroughClass, PassThroughIds, PassThroughNamespace...}
CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemProperties
PS X:\sources> Get-Volume -DriveLetter E | Get-Partition
PS X:\sources> $null -eq (Get-Volume -DriveLetter E | Get-Partition)
True
Powershell version table:
PS X:\sources> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.15063.0
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.15063.0
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
I can try to get more details about the contents of the disk in question if necessary.
What could be causing this? Is there a powershell workaround?
Note: I realize it would probably be better to have Windows pick drive letters instead of hard-coding them, but I'm still curious about the mysterious volume.

Try this:
Get-Volume -Drive 'E' | Get-Partition | Remove-PartitionAccessPath -AccessPath 'E:\'
Reference: https://blogs.technet.microsoft.com/heyscriptingguy/2015/12/07/powertip-use-powershell-to-remove-drive-letter/

Windows / NTFS: Two files with identical long-names in the same directory?

I have been a lurker at stackoverflow.com for many years (great site and users here), but never had the need to ask a question. Now the time has come :-) Let me begin:
OS: x64 Windows 8.0 to Windows 10 (15063.14) (the issue exists since years, but I have never pursued it fully yet, so we can exclude that it is specific to a specific Windows version)
FS: NTFS
Issue: 2 files with the same (long) name in the same directory and I cannot figure out how this is even possible. This happens to me since years whenever I manually upgrade my Email client. The main .EXE file of it (MailClient.exe) is never asking for replacement if copying the new one over to the same directory. Instead they are both placed there, with the exact same long name.
The issue has nothing to do with a specific directory, I can copy around both .EXE files to freshly created directories on the NTFS drive without issues (also getting no "overwrite" question there).
Let me show you:
C:\temp\2>dir
Volume in drive C is SSD 840 Pro
Volume Serial Number is 0C6D-D489
Directory of C:\temp\2
13.04.2017 02:29 <DIR> .
13.04.2017 02:29 <DIR> ..
21.10.2016 17:10 24.742.760 MailClient.exe
27.12.2016 03:26 24.911.872 MailCliеnt.exe
2 File(s) 49.654.632 bytes
2 Dir(s) 78.503.038.976 bytes free
However, if doing a dir /x, this comes up:
C:\temp\2>dir /x
Volume in drive C is SSD 840 Pro
Volume Serial Number is 0C6D-D489
Directory of C:\temp\2
13.04.2017 02:29 <DIR> .
13.04.2017 02:29 <DIR> ..
21.10.2016 17:10 24.742.760 MAILCL~2.EXE MailClient.exe
27.12.2016 03:26 24.911.872 MAILCL~1.EXE MailCliеnt.exe
2 File(s) 49.654.632 bytes
2 Dir(s) 78.503.038.976 bytes free
So they obviously have a different 8.3 name, OK, but the exact same long name. Here is another screenshot of the situation. Both files show the same location within the Windows "properties" dialog (right click) too. Unfortunately I am not allowed to post images just yet (it seems) - just tried. So you will have to take my word.
I cannot figure out how this is possible and this is bugging me ;) As soon as I rename both files for example to 1.exe, Windows starts telling me that there is already a file with that name in the same directory. So it obviously has something to do with the filename, but they are both exactly identical, no extra spaces, nothing, as you can see from the DIR command.
I´ve also tried to rename them and re-wrote the exact wording "MailCient.exe" manually for both, to make sure the characters are EXCACTLY the same, Windows still won´t complain, they both go there once again under the same name. However, renaming them to "Mail.exe" and "Mail.exe" will NOT work, then Windows is saying that another file with that name already exists. However, naming them both back to "MailClient.exe" is just absolutely fine, no complains by Windows with that.
Another fun fact about this, if I dir for mailclient.exe directly, this happens:
C:\temp\2>dir mailclient.exe
Volume in drive C is SSD 840 Pro
Volume Serial Number is 0C6D-D489
Directory of C:\temp\2
21.10.2016 17:10 24.742.760 MailClient.exe
1 File(s) 24.742.760 bytes
0 Dir(s) 78.501.998.592 bytes free
However, if looking for *.exe, this happens:
C:\temp\2>dir *.exe
Volume in drive C is SSD 840 Pro
Volume Serial Number is 0C6D-D489
Directory of C:\temp\2
21.10.2016 17:10 24.742.760 MailClient.exe
27.12.2016 03:26 24.911.872 MailCliеnt.exe
2 File(s) 49.654.632 bytes
0 Dir(s) 78.501.990.400 bytes free
This yields also interesting results:
C:\temp\2>ren mailclient.exe *.bak
C:\temp\2>dir
Volume in drive C is SSD 840 Pro
Volume Serial Number is 0C6D-D489
Directory of C:\temp\2
13.04.2017 02:50 <DIR> .
13.04.2017 02:50 <DIR> ..
21.10.2016 17:10 24.742.760 MailClient.bak
27.12.2016 03:26 24.911.872 MailCliеnt.exe
2 File(s) 49.654.632 bytes
2 Dir(s) 78.501.990.400 bytes free
And back:
C:\temp\2>ren mailclient.bak MailClient.exe
C:\temp\2>dir
Volume in drive C is SSD 840 Pro
Volume Serial Number is 0C6D-D489
Directory of C:\temp\2
13.04.2017 02:51 <DIR> .
13.04.2017 02:51 <DIR> ..
21.10.2016 17:10 24.742.760 MailClient.exe
27.12.2016 03:26 24.911.872 MailCliеnt.exe
2 File(s) 49.654.632 bytes
2 Dir(s) 78.501.982.208 bytes free
I´ve also checked permissions on the files and took ownership, it changes nothing. Additionally I´ve cleared the NTFS Journal and even the transaction log + run chkdsk, which reveals no errors either.
Any ideas on this mysterious situation? What am I missing?
Thanks so much:)
UPDATE #1:
I´ve just tried this: going to Windows explorer and renaming both files after each other by truncating their names. So I first renamed the first "MailClient.exe" to "MailClien.exe", then the seconds "MailClient.exe" to "MailClien.exe". Again, no message by Windows that they have the same name, it just renamed both fine. I then continued to "MailClie.exe". Worked.
However, as soon as I tried to renamed both to "MailCli.exe", Windows complained and told me that there is already another file with that name. Trying to rename both back from there to "MailClient.exe" also does not work, just for one of them, because then Windows says (and right so too) that a file with that name already exists. So it seems to come down to the "e" possibly having another ANSI-character in both filenames? I, however, wouldn´t know of another one for "e", or am I missing something?

Harry Johnston is right: one of the filenames contains a Unicode character that just looks the same as an ANSI character.
Read Naming Files, Paths, and Namespaces:
On newer file systems, such as NTFS, exFAT, UDFS, and FAT32, Windows
stores the long file names on disk in Unicode, which means that the
original long file name is always preserved. This is true even if a
long file name contains extended characters, regardless of the code
page that is active during a disk read or write operation.
Use the following PowerShell script 43381802b.ps1 to detect and show non-ANSI file names (see different calls below):
param( [string[]]$Path = '.',
[switch]$Cpp, ### list any non-ANSI character in file names like a C++ literal
### i.e. a prefix \u followed by a four digit Unicode code point
[switch]$All ### list all files including pure ANSI-encoded file names
)
Set-StrictMode -Version latest
$strArr = Get-ChildItem -path $Path
$arrDiff = #()
for ($i=0; $i -lt $strArr.Count; $i++) {
$strDiff = 'ANSI'
$strName = ''
$auxName = $strArr[$i].Name
for ( $k=0; $k -lt $auxName.Length; $k++ ) {
if ( [int][char]$auxName[$k] -gt 255 ) {
$strDiff = 'UCS2'
$strName += '\u{0:X4}' -f [int][char]$auxName[$k]
} else {
$strName += $auxName[$k]
}
}
if ( $All.IsPresent -or $strDiff -eq 'UCS2' ) {
$strArr[$i] | Add-Member NoteProperty Code $strDiff
$strArr[$i] | Add-Member NoteProperty CppName $strName
$arrDiff += $strArr[$i]
}
}
if ( $Cpp.IsPresent ) {
$arrDiff | Select-Object -Property Code, Mode, LastWriteTime, Length, CppName | ft
} else {
$arrDiff | Select-Object -Property Code, Mode, LastWriteTime, Length, Name | ft
}
Output:
PS D:\PShell> .\SO\43381802b.ps1 'C:\testC\43381802'
Code Mode LastWriteTime Length Name
---- ---- ------------- ------ ----
UCS2 -a---- 02/05/2017 11:47:53 317 MailCliеnt.txt
UCS2 -a---- 02/05/2017 11:49:04 317 МailClient.txt
UCS2 -a---- 02/05/2017 11:50:16 399 МailCliеnt.txt
PS D:\PShell> .\SO\43381802b.ps1 'C:\testC\43381802' -Cpp
Code Mode LastWriteTime Length CppName
---- ---- ------------- ------ -------
UCS2 -a---- 02/05/2017 11:47:53 317 MailCli\u0435nt.txt
UCS2 -a---- 02/05/2017 11:49:04 317 \u041CailClient.txt
UCS2 -a---- 02/05/2017 11:50:16 399 \u041CailCli\u0435nt.txt
PS D:\PShell> .\SO\43381802b.ps1 'C:\testC\43381802' -Cpp -All
Code Mode LastWriteTime Length CppName
---- ---- ------------- ------ -------
ANSI -a---- 02/05/2017 11:44:05 235 MailClient.txt
UCS2 -a---- 02/05/2017 11:47:53 317 MailCli\u0435nt.txt
UCS2 -a---- 02/05/2017 11:49:04 317 \u041CailClient.txt
UCS2 -a---- 02/05/2017 11:50:16 399 \u041CailCli\u0435nt.txt
Use the following 43381802a.ps1 script to get more info about non-ANSI characters (see the first call bellow) and their position in file names (see the latter call bellow with -Detail switch):
param( [string[]] $strArr = #('ΗGreek', 'НCyril', 'HLatin'),
[switch]$Detail )
Set-StrictMode -Version latest
$auxArr = #()
if ( ( Get-Command -Name Get-CharInfo -ErrorAction SilentlyContinue ) -and
( -not $Detail.IsPresent ) ) {
$auxArr = $strArr | Get-CharInfo |
Where-Object { [int]$_.Codepoint.Replace('U+', '0x') -ge 128 }
} else {
foreach ($strStr in $strArr) {
for ($i = 0; $i -lt $strStr.Length; $i++ ) {
if ( [int][char]$strStr[$i] -ge 128 ) {
$auxArr += [PSCustomObject] #{
Char = $strStr[$i]
CodePoint = 'U+{0:x4}' -f [int][char]$strStr[$i]
Category = $i + 1 ### 1-based index
Description = $strStr ### string itself
}
}
}
}
}
$auxArr
Output:
PS D:\PShell> .\SO\43381802a.ps1 ( Get-childitem -path 'C:\testC\43381802' ).Name
Char CodePoint Category Description
---- --------- -------- -----------
е U+0435 LowercaseLetter Cyrillic Small Letter Ie
М U+041C UppercaseLetter Cyrillic Capital Letter Em
М U+041C UppercaseLetter Cyrillic Capital Letter Em
е U+0435 LowercaseLetter Cyrillic Small Letter Ie
PS D:\PShell> .\SO\43381802a.ps1 ( Get-childitem -path 'C:\testC\43381802' ).Name -detail
Char CodePoint Category Description
---- --------- -------- -----------
е U+0435 8 MailCliеnt.txt
М U+041c 1 МailClient.txt
М U+041c 1 МailCliеnt.txt
е U+0435 8 МailCliеnt.txt
Tested on files:
==> dir /-C /X /A-D C:\testC\43381802\
Volume in drive C has no label.
Volume Serial Number is …
Directory of C:\testC\43381802
02/05/2017 11:44 235 MAILCL~1.TXT MailClient.txt
02/05/2017 11:47 317 MAILCL~2.TXT MailCliеnt.txt
02/05/2017 11:49 317 AILCLI~1.TXT МailClient.txt
02/05/2017 11:50 399 AILCLI~2.TXT МailCliеnt.txt
4 File(s) 1268 bytes
0 Dir(s) 69914857472 bytes free
==>

How to parse the output in powershell?

The command Get-Process gives output like below:
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
65 6 1152 840 59 77.50 6048 Appx
78 8 2233 444 61 10.11 7878 Application
but I need a solution like below:
PM(K)=1152, ProcessName=Appx ; PM(K)=2233, ProcessName=Application
How do I parse output like above mentioned?

you can use -f to format your string :
PS>$resu=""
PS>gps | foreach {$resu+=("PM(K)= {0},appName={1};" -f ($_.pm/1KB),$_.name) }
PS>$resu

Try something like this:
$p = Get-Process | select #{n='PM(K)';e={$_.PM/1KB}}, ProcessName
($p | fl | Out-String) -replace "`n`n", ' ; ' -replace "`n", ', '

Dtrace to get write size by distribution

I'm trying to get write size distribution by process. I ran:
sudo dtrace -n 'sysinfo:::writech { #dist[execname] = quantize(arg0); }'
and got the following error:
dtrace: invalid probe specifier sysinfo:::writech...
This is Mac OSX. Please help.

The error message is telling you that Mac OS X doesn't support the sysinfo::: provider. Perhaps you meant to use one of these?
# dtrace -ln sysinfo::writech:
ID PROVIDER MODULE FUNCTION NAME
dtrace: failed to match sysinfo::writech:: No probe matches description
# dtrace -ln sysinfo:::
ID PROVIDER MODULE FUNCTION NAME
dtrace: failed to match sysinfo:::: No probe matches description
# dtrace -ln 'syscall::write*:'
ID PROVIDER MODULE FUNCTION NAME
147 syscall write entry
148 syscall write return
381 syscall writev entry
382 syscall writev return
933 syscall write_nocancel entry
934 syscall write_nocancel return
963 syscall writev_nocancel entry
964 syscall writev_nocancel return
The following script works for me:
# dtrace -n 'syscall::write:entry {#dist[execname] = quantize(arg0)}'
dtrace: description 'syscall::write:entry ' matched 1 probe
^C
activitymonitor
value ------------- Distribution ------------- count
2 | 0
4 |######################################## 4
8 | 0
Activity Monito
value ------------- Distribution ------------- count
2 | 0
4 |######################################## 6
8 | 0
...