Let's say we have a PID of a process and we know that it was started by init during startup. How do we find the script name that started it?
One way is to run grep $PROCESS_NAME /etc/init.d/*, but that solution is neither bulletproof nor very elegant.
Another one would be to run service --status-all and there is a good chance that the PID will be returned by one of the services, but that's even less elegant than the previous solution.
EDIT:
The OS is RedHat/Ubuntu.
Let's suppose we have sshd running with PID 2083 like so:
    UID        PID  PPID  C STIME TTY          TIME CMD
    root      2083     1  0  2012 ?        00:00:00 /usr/sbin/sshd -D
The parent of it is init and I guess that it was started with the command service sshd start during bootup, but if we have something that cannot be easily guessed, for example a convoluted startup command or because of an obfuscated /etc/init.d/somedeamon script – how do we find the somedeamon script, knowing only the PID?
Best Answer
An easy way to follow the PPID chain backwards is with the pstree tool:
This will show all the parent processes of the specified PID, for example:
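The same PPID walk can be done directly against /proc. The script below is an added example, not part of the original answer or its output; PROC_ROOT, fake_proc, make_sample_proc and the worker process are assumptions so that it runs on a constructed tree. It also covers the question's sshd case, where a daemon already reparented to init yields only init as its ancestor.

```shell
#!/bin/sh
# Walk a PID's parent chain via /proc, child first, up to PID 1.
# PROC_ROOT is an assumption of this example so it can run on a constructed tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print "PID<TAB>command line" for the PID and each of its ancestors.
ppid_chain() {
    pid="$1"
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] 2>/dev/null; do
        dir="$PROC_ROOT/$pid"
        if [ ! -r "$dir/status" ]; then
            echo "no such process: $pid" >&2
            return 1
        fi
        # cmdline is NUL-separated; it is empty for kernel threads.
        cmd=""
        if [ -r "$dir/cmdline" ]; then
            cmd=$(tr '\0' ' ' < "$dir/cmdline")
        fi
        if [ -z "$cmd" ]; then
            cmd="[$(awk '$1 == "Name:" {print $2}' "$dir/status")]"
        fi
        printf '%s\t%s\n' "$pid" "${cmd% }"
        if [ "$pid" -eq 1 ]; then break; fi
        pid=$(awk '$1 == "PPid:" {print $2}' "$dir/status")
    done
}

# Constructed sample entry (not real output): arguments are PID, PPID, argv...
fake_proc() {
    p="$1"; pp="$2"; shift 2
    mkdir -p "$PROC_ROOT/$p"
    printf 'Name:\t%s\nPid:\t%s\nPPid:\t%s\n' "${1##*/}" "$p" "$pp" > "$PROC_ROOT/$p/status"
    printf '%s\0' "$@" > "$PROC_ROOT/$p/cmdline"
}

make_sample_proc() {
    PROC_ROOT=$(mktemp -d)
    fake_proc 1 0 /sbin/init
    fake_proc 2083 1 /usr/sbin/sshd -D                    # daemonized: parent is already init
    fake_proc 900 1 /bin/sh /etc/init.d/somedeamon start  # init script still running
    fake_proc 901 900 /usr/bin/worker --foreground        # hypothetical child of that script
}

# Stand-alone use against the live /proc: sh thisfile.sh <PID>
[ -z "${1:-}" ] || ppid_chain "$1"
```

On the constructed tree, PID 901 resolves back to /etc/init.d/somedeamon, while PID 2083 shows only /sbin/init above it.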