Linux – How to determine if a process is a system process

android, linux, process

I'm reading the /proc directory (or pseudo-fs) to find all processes. I'm getting the information I need from /proc/[pid]/status, but there's something else I need. Is there any way to figure out which processes are critical to the system? For example, using the parent PID or UID of the process?

By system process, I mean processes that would otherwise exist on a fresh installation of the OS, before installing any applications or services. This might not mean kernel threads, or system processes at all, but to sum it up, I mean processes whose termination would disrupt the fundamental structure of the system.

PS: I'm working on an Android app, but since this part is done using the pure Linux file system, I asked it here and I don't suppose there would be any difference.

Best Answer

If you have htop you can press Shift+k to toggle the display of kernel threads. If you press F5 for tree mode, they should all appear as children of kthreadd.

There are some visible differences between a kernel thread and a user-space thread:

  • /proc/$pid/cmdline is empty for kernel threads - this is the method used by ps and top to distinguish kernel threads.

  • The /proc/$pid/exe symbolic link has no target for kernel threads - which makes sense since they do not have a corresponding executable on the filesystem.

    More specifically, the readlink() system call returns ENOENT ("No such file or directory"), despite the fact that the link itself exists, to denote the fact that the executable for this process does not exist (and never did).

    Therefore, a reliable way to check for kernel threads should be to call readlink() on /proc/$pid/exe and check its return code. If it succeeds then $pid is a user process. If it fails with ENOENT, then an extra stat() on /proc/$pid/exe should tell apart the case of a kernel thread from a process that has just terminated.

  • /proc/$pid/status is missing several fields for most kernel threads - more specifically a few fields related to virtual memory.

The above is from the answer to Identifying kernel threads.

Another way to distinguish kernel threads from other processes is to run top -c. From the top manual:

3. COMMAND -- Command Name or Command Line
Display the command line used to start a task or the name of the associated program. You toggle between command line and name with 'c', which is both a command-line option and an interactive command.

When you've chosen to display command lines, processes without a command line (like kernel threads) will be shown with only the program name in brackets, as in this example:
[ mdrecoveryd ]

Running ps aux also displays processes that were launched without a command in square brackets (and will have an empty /proc/[pid]/cmdline file).

Example:

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root        19  0.0  0.0      0     0 ?        S<   Mar02   0:00 [kworker/1:0H] 

See package procps-3.2.8 file /proc/readproc.h.

// Basic data structure which holds all information we can get about a process.
// (unless otherwise specified, fields are read from /proc/#/stat)
//
// Most of it comes from task_struct in linux/sched.h