Tracing system calls on Linux is straightforward. The ptrace API lets one process trace all system calls made by another process, and the command-line program strace uses ptrace to allow a user to do the same.

Mac OS X

Tracing system calls on Mac OS X is a little harder, but more powerful. The dtrace system ships with Macs starting with Mac OS X 10.5. Unlike strace, however, support for dtrace has to be built in to programs. Mac OS X ships with several thousand probes (the attachment points), and most normal monitoring is covered. Brendan Gregg’s blog has a Mac OS X-specific dtrace page, as an example, and there are other useful tutorials

Apple added ptrace to Mac OS X, maybe. There’s a man page for it, but no strace program for user-level use. I’ll have to try writing some code.

There are ways to hook/override program and system functions at runtime. These work but aren’t truly supported, so are of most use for debugging situations.

Amit Singh went the kernel extension approach to get access to system calls

While there are definitely nefarious uses for this stuff, it can be used for developers too. For example, this paper talks about rootkits, but the techniques also make for great developer tools.


The equivalent to ptrace on BSD is ktrace. Unfortunately, ktrace is not available on Mac OS X. That’s annoying, because it is complementary to DTrace, which is an awesome sysop-level tool, but does not give complete access to all system calls. Mac OS X had ktrace in 10.4 and earlier.


There is the amazing Process Monitor, which traces all file and registry actions. However, this is strictly a user-level program, you work with it through its GUI. It’s very useful, but does not give you system-call level access from your own source code.

There is a fairly new project called StraceNT. It comes with source code.

Dr. Memory comes with “strace for Windows” called drstrace.

Event Tracing for Windows (ETW) is the Microsoft official technique, and has several programs layered on top.

There is Logger and LogView, also Microsoft tools

There is NtTrace

An article


This is a python build tool that watches for files that have changed as a result of running a command. It uses strace on Linux but does filetime watching on Windows, so maybe look for how to get Python on Windows to use one of the other file monitoring solutions?


The tup build tool uses DLL injection on Windows to detect file I/O.


The ninja tool also does filesystem watching, I think.


Google “building in the cloud”

This is a FUSE-based approach, so not exactly tracing system calls.

Build in the Cloud: Accessing Source Code