Saturday, January 9, 2021

ps -eo pid,ppid,user,command

Use a ps output format with no CPU-time (or other constantly changing) columns, so that a diff between two ps runs shows only the processes that started or stopped between them.
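The snapshot-and-diff workflow above, written out as an added example (not code from the original post). The function names ps_snapshot, ps_diff and write_sample_snapshots are my own, and the "before"/"after" snapshots are constructed sample data, not captured from a real host:

```shell
# Added example (not from the original post): snapshot the process table with a
# ps format that contains no CPU-time or elapsed-time columns, then diff two
# snapshots to list what started or stopped in between. The before/after
# files below are constructed sample data, not captured from a real host.

# Write a sorted snapshot to stdout:  ps_snapshot > before.txt
ps_snapshot() {
    # pid, ppid, user and command are stable for the lifetime of a process, so an
    # unchanged system produces byte-identical snapshots. The header is dropped
    # and the output sorted because comm(1) below needs sorted input.
    ps -eo pid,ppid,user,command | sed 1d | LC_ALL=C sort
}

# ps_diff BEFORE AFTER: lines only in BEFORE have stopped, lines only in AFTER
# have started. (The ps/sed/sort pipeline taking the snapshot always shows up as
# one stopped and one started process; filter it with grep -v if that is noise.)
ps_diff() {
    comm -23 "$1" "$2" | sed 's/^/stopped: /'
    comm -13 "$1" "$2" | sed 's/^/started: /'
}

# Constructed sample snapshots, written to DIR (default: current directory).
write_sample_snapshots() {
    dir=${1:-.}
    printf '%s\n' \
        '    1     0 root     /sbin/init' \
        '  812     1 root     /usr/sbin/sshd -D' \
        '  950   812 alice    sshd: alice@pts/0' \
        ' 1203   950 alice    -bash' \
        ' 1250  1203 alice    vim notes.txt' \
        | LC_ALL=C sort > "$dir/ps_before.txt"
    printf '%s\n' \
        '    1     0 root     /sbin/init' \
        '  812     1 root     /usr/sbin/sshd -D' \
        '  950   812 alice    sshd: alice@pts/0' \
        ' 1203   950 alice    -bash' \
        ' 1340  1203 alice    tail -f /var/log/syslog' \
        | LC_ALL=C sort > "$dir/ps_after.txt"
}

# Usage on a live system:
#   ps_snapshot > before.txt; sleep 60; ps_snapshot > after.txt
#   ps_diff before.txt after.txt
```

On the sample data the diff reports vim (pid 1250) as stopped and tail (pid 1340) as started; everything else is byte-identical in both snapshots, which is the whole point of leaving time columns out of the format.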

Sunday, January 3, 2021

To run dd or ddrescue on an encrypted APFS drive, remember that an APFS volume must first be unlocked and then decrypted. Unlocking a volume also mounts it automatically; once it is mounted, you still have to decrypt it.


Boot the Mac from an external drive (use an SSD for speed). I used a SABRENT USB3 enclosure.

Once booted into the external macOS instance, identify the internal drive that needs to be decrypted with the following command:

diskutil apfs list

Container disk1 45DA114F-7418-41B9-ACF0-F965CC48E8B4
|   ====================================================
|   APFS Container Reference:     disk1
|   Size (Capacity Ceiling):      500068036608 B (500.1 GB)
|   Capacity In Use By Volumes:   249342025728 B (249.3 GB) (49.9% used)
|   Capacity Not Allocated:       250726010880 B (250.7 GB) (50.1% free)
|   |
|   +-< Physical Store disk0s2 76998992-D9B0-4CAF-AF06-8E44EBF91F5B
|   |   -----------------------------------------------------------
|   |   APFS Physical Store Disk:   disk0s2
|   |   Size:                       500068036608 B (500.1 GB)
|   |
|   +-> Volume disk1s1 035E01AA-7321-3A41-9479-22DF47E45B7E
|   |   ---------------------------------------------------
|   |   APFS Volume Disk (Role):   disk1s1 (No specific role)
|   |   Name:                      APPLE SSD SM512E Media (Case-insensitive)
|   |   Mount Point:               /Volumes/APPLE SSD SM512E Media
|   |   Capacity Consumed:         247547052032 B (247.5 GB)
|   |   FileVault:                 Yes (locked)


sh-3.2# diskutil apfs unlockVolume /dev/disk1s1
Passphrase:
Unlocking any cryptographic user on APFS Volume disk1s1
Unlocked and mounted APFS Volume


List the cryptographic users who can authorize decryption of the volume:


sh-3.2# diskutil apfs listkeys disk1s1
Cryptographic users for disk1s1 (4 found)
|
+-- EC1C2AD9-B618-4ED6-BD8D-50F361C27507
|   Type: iCloud Recovery User
|
+-- 64C0C6EB-0000-11AA-AA11-00306543ECAC
|   Type: iCloud Recovery External Key
|
+-- 6AAC510E-AE1F-417A-B739-8687BD5D2023
|   Type: Local Open Directory User
|
+-- 223300DE-012D-4D48-A458-102F94617E62
    Type: Local Open Directory User


Pick a user and pass its UUID as the argument to -user:


sh-3.2# diskutil apfs decryptVolume /dev/disk1s1 -user 6AAC510E-AE1F-417A-B739-8687BD5D2023
Passphrase for existing user 6AAC510E-AE1F-417A-B739-8687BD5D2023: ****************
Starting background decryption of disk1s1 using crypto user 6AAC510E-AE1F-417A-B739-8687BD5D2023 as authorization
Background decryption is ongoing; see "diskutil apfs list" to see progress

Check progress of the background decryption:

sh-3.2# diskutil apfs list | grep Unlocked
|   |   Decryption Progress:       44.0% (Unlocked)
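Rather than grepping the listing by eye, the "diskutil apfs list" text can be parsed so a script reports which volumes are still locked and how far a background decryption has got. The following is an added example, not code from the original post: the function names apfs_volume_status, apfs_locked_volumes and apfs_sample_listing are my own, and the sample listing is constructed from the output above, with a second volume and its UUID invented to show a volume mid-decryption.

```shell
# Added example (not from the original post): parse the plain-text output of
# "diskutil apfs list" so the FileVault state and decryption progress of every
# APFS volume can be reported or polled by a script instead of by eye.
# Input is read from the files named as arguments, or from stdin.
apfs_volume_status() {
    awk '
        # A volume block names its device on the "APFS Volume Disk (Role):" line.
        /APFS Volume Disk \(Role\):/ {
            vol = $0
            sub(/.*\(Role\):[[:space:]]*/, "", vol)   # drop everything up to the value
            sub(/[[:space:]].*/, "", vol)             # keep just the device, e.g. disk1s1
            order[++n] = vol
        }
        /FileVault:/ {
            state = $0
            sub(/.*FileVault:[[:space:]]*/, "", state)
            status[vol] = state                       # e.g. "Yes (locked)"
        }
        /Decryption Progress:/ {
            p = $0
            sub(/.*Decryption Progress:[[:space:]]*/, "", p)
            progress[vol] = p                         # e.g. "44.0% (Unlocked)"
        }
        END {
            # One tab-separated line per volume: device, FileVault state, [progress]
            for (i = 1; i <= n; i++) {
                v = order[i]
                st = (v in status) ? status[v] : "unknown"
                line = v "\t" st
                if (v in progress) line = line "\t" progress[v]
                print line
            }
        }
    ' "$@"
}

# Device names of the volumes that still need "diskutil apfs unlockVolume".
apfs_locked_volumes() {
    apfs_volume_status "$@" | awk -F'\t' '$2 ~ /\(locked\)/ { print $1 }'
}

# Constructed sample listing, modelled on the real output above. The second
# volume (disk1s2) and its all-zero UUID are invented to show a volume that has
# been unlocked and is part-way through background decryption.
apfs_sample_listing() {
    cat <<'EOF'
Container disk1 45DA114F-7418-41B9-ACF0-F965CC48E8B4
|   ====================================================
|   APFS Container Reference:     disk1
|   |
|   +-< Physical Store disk0s2 76998992-D9B0-4CAF-AF06-8E44EBF91F5B
|   |   -----------------------------------------------------------
|   |   APFS Physical Store Disk:   disk0s2
|   |
|   +-> Volume disk1s1 035E01AA-7321-3A41-9479-22DF47E45B7E
|   |   ---------------------------------------------------
|   |   APFS Volume Disk (Role):   disk1s1 (No specific role)
|   |   Mount Point:               Not Mounted
|   |   FileVault:                 Yes (locked)
|   |
|   +-> Volume disk1s2 00000000-0000-0000-0000-000000000002
|   |   ---------------------------------------------------
|   |   APFS Volume Disk (Role):   disk1s2 (Data)
|   |   Mount Point:               /Volumes/Data
|   |   FileVault:                 Yes (Unlocked)
|   |   Decryption Progress:       44.0% (Unlocked)
EOF
}

# On a Mac, run against the live system:
#   diskutil apfs list | apfs_volume_status
#   diskutil apfs list | apfs_locked_volumes
```

The parser keys every FileVault and progress line to the most recent "APFS Volume Disk (Role):" line, so it does not depend on the order of fields inside a volume block or on the nesting depth of the "|" prefixes. Polling "diskutil apfs list | apfs_volume_status" in a loop until no line carries a percentage is a simple way to wait for the decryption to finish before starting dd or ddrescue.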



Notes:

ddrescue seems to be faster than dd.

If you are examining an SD card, use a USB 3 adapter rather than the built-in card reader, which seems to be USB 2.0.



Tuesday, November 19, 2019

sudo defaults write /Library/Preferences/com.apple.security.smartcard Legacy -bool true


Sunday, October 20, 2019

Add Borders to Windows on Ubuntu



1. Confirm your Ubuntu version and codename with lsb_release:

user@ubuntu:~$ lsb_release -a
No LSB modules are available.
Distributor ID:    Ubuntu
Description:    Ubuntu 16.04.6 LTS
Release:    16.04
Codename:    xenial

2. Edit unity.css:

sudo gedit /usr/share/themes/Ambiance/gtk-3.0/apps/unity.css

Change the line

-UnityDecoration-extents: 28px 0 0 0;

to

-UnityDecoration-extents: 28px 2px 2px 2px;

 

Sunday, May 5, 2019

a8df1e58626','the string I'm looking for');">

pcregrep  -o \'[\\w\\d\\s]+\'\\\)\; source-strings.txt > programs.txt


Wednesday, March 27, 2019


How to burn a Blu-ray disc of Win10

growisofs -dvd-compat -speed=8 -Z /dev/sr0=/home/user/Win10_1809Oct_English_x64.iso

Directory listing of the mounted volume:
user@ubuntu-desktop:/media/user/CCCOMA_X64FRE_EN-US_DV9$ ls -altr
total 1928
-r-xr-xr-x   1 user  user      128 Oct 29 19:32 autorun.inf
-r-xr-xr-x   1 user  user    82440 Oct 29 19:32 setup.exe
-r-xr-xr-x   1 user  user  1452856 Oct 29 19:32 bootmgr.efi
-r-xr-xr-x   1 user  user   408074 Oct 29 19:32 bootmgr
dr-xr-xr-x   4 user  user      148 Oct 29 19:47 efi
dr-xr-xr-x   5 user  user      564 Oct 29 19:47 boot
dr-xr-xr-x   3 user  user       96 Oct 29 19:48 support
dr-xr-xr-x   6 user  user      492 Oct 29 19:48 .
dr-xr-xr-x  12 user  user    12264 Oct 29 19:48 sources
drwxr-x---+  3 root root    4096 Mar 27 19:37 ..
user@ubuntu-desktop:/media/user/CCCOMA_X64FRE_EN-US_DV9$


Friday, August 17, 2018

Where are my crash dumps?

Windows 10 puts crash dumps in different locations than Windows XP did.

Kernel dumps are here:
%SystemRoot%\LiveKernelReports

Userland dumps are here:
%ProgramData%\Microsoft\Windows\WER\ReportArchive

One directory up, in %ProgramData%\Microsoft\Windows\WER, you will see:
ReportArchive
ReportQueue
Temp

One could assume that Windows Error Reporting (WER) puts initial dump files and other telemetry in ReportQueue and, once they have been transmitted to Microsoft, moves them to ReportArchive. Perhaps you don't want your crashes reported. How does one turn off WER but still keep the ability to see what has crashed?