The ultimate diagnostic tool: sysdiagnose

Something is still wrong with your Mac. You have browsed its logs, watched Activity Monitor, and restarted in Safe mode. There are no good clues from any of those, but it is not working as sweetly as it should. If you can face being the ultimate Mac geek, your next trick is to use sysdiagnose, the command shell tool to end all performance monitors.

What is it?

Intended for use by Apple engineers, sysdiagnose can overwhelm with information. It runs almost every performance and problem tracing tool that OS X has – and there are a lot of them – and generates several megabytes of output, which can make logs look like a child’s story book. But if you want to do something before resigning yourself to an appointment at the Genius Bar, it is the ultimate assessment. And the good thing is that it is non-destructive, and will not make anything worse.

Use

Standard use is along the lines of
sudo sysdiagnose -f ~/Documents
then entering your admin password at the prompt, which will generate its copious output into a compressed archive in your Documents folder.

Next you will see a privacy message, intended for when you are sending its output to someone else:

This tool generates files that allow Apple to investigate issues with your
computer and help improve Apple products. The files might contain personal
information found on your device or associated with your iCloud accounts,
including but not limited to your name, serial numbers of your device, your
device name, your user name, your email address and email settings, file paths,
file names, your computer’s IP addresses, and network connection information.

This information is used by Apple in accordance with its privacy policy
(www.apple.com/privacy) and is not shared with any other company. By using
this tool and sending the results to Apple, you consent to Apple using the
contents of these files to improve Apple products.

Press ‘Enter’ to continue.

Once you have pressed Enter, it will take a good couple of minutes to accumulate all the information, during which you will see a sequence of announcements telling you each of the tasks and tools which it is busy with:

sysdiagnose version 3.0 (56)
Starting time sensitive tasks...
Running ps
Running thread-aware ps
Running fs_usage, spindump, vm_stat, and top
Running powermetrics
Starting graphics tasks...
Gathering Quartz Compositor information
Starting memory tasks...
Running lsof
Running footprint
Collecting file coordination status
Running vmmap and heap on pid 405 due to high memory use.
Starting disk tasks...
Running diskutil
Running gpt
Running hdiutil
Running BootCacheControl
Running df
Running mount
Starting kernel tasks...
Starting networking tasks...
Getting Wi-Fi info
Getting opendirectory info
Getting NFS info
Running netstat
Running ifconfig
Running ipconfig
Running scutil
Running dig
Running get-network-info
Starting power tasks...
Running pmset
Starting configuration tasks...
Running system_profiler
Running ioreg
Gathering loginwindow logs
Gathering logs...
Generating microstackshot reports...

On completion, a Finder window is opened, showing the location of its output archive, which can then be decompressed using Archive Utility.

What do you get?

Among the tools which have been run, and whose output has been collected for you, are:

  • ps, which lists information about all processes running at present, and its thread-aware variant
  • fs_usage, which reports system calls and page faults related to filesystem activity
  • spindump, which profiles your entire system for a period
  • vm_stat, which shows Mach virtual memory statistics
  • top, which displays sorted information about all processes running at present
  • powermetrics, which shows CPU usage statistics
  • lsof, which lists details of all open files
  • footprint, which gives memory information about processes
  • vmmap and heap on process(es) using large amounts of memory, showing their virtual memory and heap allocations
  • diskutil, checking mounted drives
  • gpt, detailing GUID partition tables
  • hdiutil, checking mounted disk images
  • BootCacheControl, checking caches used during startup
  • df, checking disk free space
  • mount, checking mounted file systems
  • netstat, giving detailed network status
  • ifconfig, detailing network interfaces
  • ipconfig, detailing IP configuration
  • scutil, checking system configuration
  • dig, checking name service (DNS) lookup
  • pmset, detailing power management settings
  • system_profiler, which compiles a full system profile just as the System Profiler app does
  • ioreg, which gives details of all input and output devices registered with I/O Kit.

Decompressed, its reports will typically occupy over 200 MB with more than 1500 files and folders. The skill is now in knowing where to look, and how to interpret its output.
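
Before sending the archive to anyone, it helps to see how much of what the privacy notice lists is actually in it. The script below is an added example, not part of the original article or of sysdiagnose: it counts the text files in a decompressed archive folder that contain email addresses, IPv4 addresses, home-folder paths, or a given user name. The function names, patterns, and sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Tally files in a decompressed sysdiagnose folder that hold the kinds of
# personal data named in its privacy notice. Counts are a prompt for manual
# review before sharing, not a verdict: the IPv4 pattern also matches
# four-part version numbers, and binary files are skipped (-I).

# count_files DIR -E|-F PATTERN -> number of text files containing PATTERN
count_files() {
    grep -rIl "$2" -e "$3" "$1" 2>/dev/null | wc -l | tr -d ' '
}

# pii_report DIR USERNAME -> one "category count" line per check
pii_report() {
    echo "email $(count_files "$1" -E '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')"
    echo "ipv4 $(count_files "$1" -E '(^|[^0-9.])([0-9]{1,3}\.){3}[0-9]{1,3}([^0-9.]|$)')"
    echo "user_path $(count_files "$1" -E '/Users/[^/[:space:]]+/')"
    echo "username $(count_files "$1" -F "$2")"
}

# make_sample -> path of a temp folder of constructed files (not real output)
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/network" "$d/logs"
    printf 'inet 192.168.1.20 netmask 0xffffff00\n' > "$d/network/ifconfig.txt"
    printf 'open /Users/alice/Documents/tax.pdf\n' > "$d/lsof.txt"
    printf 'account alice@example.com synced\nhost 10.0.0.5\n' > "$d/logs/mail.log"
    printf 'sysdiagnose version 3.0 (56)\n' > "$d/README.txt"
    echo "$d"
}

# Usage: sh pii_report.sh <decompressed folder> [username]
# With no argument, the constructed sample is scanned instead.
if [ $# -ge 1 ]; then
    pii_report "$1" "${2:-$(id -un)}"
else
    s=$(make_sample); pii_report "$s" alice; rm -rf "$s"
fi
```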