On the origin of processes
On a typical system, there are only a few general methods by
which processes come into existence:
- Processes initiated directly by the OS kernel
  - init, kernel threads like swapper or kswapd, usually with low-numbered PIDs and parent process ID (PPID) of 0 or 1
- Processes managed directly by init
  - getty processes, a few others, can be traced to specific /etc/inittab entries or files under /etc/init, also have PPID of 1
- Processes started by init scripts
  - Usually have PPID of 1, no corresponding /etc/inittab entry or /etc/init file, but are referred to in an init script (/etc/init.d/* or /etc/rc*)
- Processes started by other processes
  - PPID is not 1 and refers to PID of an existing process

ps alx (BSD) or ps -efl (SYSV) will show both PID and PPID columns in the process listing.

Given a list of processes in the ps listing, it's then fairly straightforward to identify how processes started:
- PID 1 is almost always init, which was started by the kernel
- Low-numbered PIDs that don't have /etc/inittab entries or /etc/init files were probably also started by the kernel
- Processes with PPID 1 either have corresponding /etc/inittab entries or files under /etc/init (or were exec()ed by such a process, like user shells started from a getty), or an init script contains a reference to that program (try grep process-name /etc/init.d/*, grep process-name /etc/init/*, or grep process-name /etc/rc*)
- Processes with a PPID that is not 1 were started by another existing process, which can be found with that PID in the ps listing
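
The rules above applied to a saved process listing, as an added example that is not part of the original slides. It assumes input in the format of ps -eo pid,ppid,comm, a hypothetical file of program names collected with the grep commands above, and that any process with PPID 0 counts as kernel-started; the sample data is constructed.

```shell
#!/bin/sh
# Added example: label each process with its origin using the PID/PPID rules.
# classify_origins PSFILE REFFILE
#   PSFILE : "PID PPID COMMAND" lines, e.g. saved from: ps -eo pid,ppid,comm
#   REFFILE: one program name per line that /etc/inittab, /etc/init/* or an
#            init script refers to (hypothetical file built from the greps)
classify_origins() {
    awk '
        FILENAME == ARGV[1] { ref[$1] = 1; next }   # names init is known to start
        $1 !~ /^[0-9]+$/    { next }                # skip the ps header line
        { ppid[$1] = $2 + 0; comm[$1] = $3; order[++n] = $1 + 0 }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (p == 1 || ppid[p] == 0) o = "kernel"
                else if (ppid[p] == 1)      o = (comm[p] in ref) ? "init-referenced" : "ppid1-unreferenced"
                else if (ppid[p] in ppid)   o = "child-of-" ppid[p]
                else                        o = "parent-not-listed"
                print p, comm[p], o
            }
        }' "$2" "$1"
}

# Constructed sample listing and reference list (not from a real host).
sample_run() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/ps" <<'EOF'
  PID  PPID COMMAND
    1     0 init
    2     0 kthreadd
  812     1 getty
  930     1 sshd
 1201   930 sshd
 1202  1201 bash
 1550     1 updaterd
 1777  1600 sleep
EOF
    printf '%s\n' getty sshd > "$tmp/refs"
    classify_origins "$tmp/ps" "$tmp/refs"
    rm -rf "$tmp"
}

sample_run
```

A process whose parent has exited is also reparented to PID 1, so ppid1-unreferenced and parent-not-listed mark entries to examine further rather than conclusions.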
Steve VanDevender
Last modified: Thu Jul 7 14:04:54 PDT 2011