VibeHunt

TrueTree

Command-line tool for pstree-like output


The tool produces a hierarchical view of macOS processes that mirrors the output of traditional pstree utilities, but it is tailored to the quirks of Apple’s launchd‑centric process model. By extracting information from `launchctl procinfo`, it reconstructs the true ancestry of each process, revealing the intermediate XPC‑based relationships that standard `ps` or Activity Monitor listings hide. This gives analysts a clearer picture of how applications were launched and which parent processes are actually responsible for a given child.

It is aimed at security professionals, incident‑response teams, and forensic investigators who need to trace execution paths on macOS systems. The command‑line interface allows quick integration into scripts or manual investigations, enabling users to identify suspicious process chains without relying on graphical tools.

What distinguishes it is the focus on macOS’s launchd and XPC mechanisms, providing a more accurate process tree than generic utilities. The output highlights “responsible pids” and extra identifiers that are otherwise omitted, helping users differentiate between superficial parent links and the underlying causal relationships that matter for threat hunting.
