Cracking IT Interview


Manage Processes in Unix

What is process?

A process is an instance of a running program. We can say it as -"a program in execution phase". Whenever we issue any command in Unix, it starts a new process. Unix Kernel is responsible for the management of processes. 

"ps command" is used to list out processes running in the system.

77016   8  Ss   0:00.06 -bash (bash)
77055   8  R+   0:00.00 ps

Process attributes are maintained by a kernel in separate structure in memory called Process table. These attributes include PID and PPID of the process.


Kernel identifies each and every process with its "Process Identification Number" (PID) which is assigned to it when the process is created. This is a unique identification number by which a process is uniquely identified. When we want to perform any action on a process we use its PID with Unix command.

When a process creates some other process, it's called Parent process for that newly created process. Newly created process can be called as child process for its parent process. We use the term "Parent Process ID" (PPID) for the parent process PID.

PID is stored in special variable "$$", as shell itself is a process its PID is stored in "$$". To print the PID of the login shell, give command "echo $$" at the prompt:

$echo $$

Init Process

All the processes are created by the login shell, question arises who is the parent process of login shell process? Answer is Init process. It's the first process created after the Unix system boot and other all the processes are created there after. So, PID of Init process is "1" and PPID is "0", indicates it has no parent process.

To display Init process:

$ps 1
    1  ??  SLs  0:12.04 /sbin/init --

How processes are created?

There are three key phases of process life cycle, briefly: A process is created with the "fork()" system call. Child process gets a new PID and PPID. System call "fork()" is responsible for multiplication of processes. Next step is "exec()", which replaces a currently running process with the new one. PID and PPID of the process remains same. The caller process vanishes and the new process takes it place.

Last, Parent process executes "wait()" system call to wait for its child process to complete its execution. It picks up the exit status of its child and the process entry is removed from the process table. Now process is dead completely.

Exit status:

Whenever process exit, it returns exit code by which we can know the status of the process run. It varies from 0 to 255. It returns "0" for successful execution of the process and "1" for failure, other all exit codes are for various types of errors.

we used "$?" variable to know the last exit status:

79530   4  Ss   0:00.09 -bash (bash)
79978   4  R+   0:00.00 ps

$echo "$?"

$ps -vikas
ps: illegal option -- i
usage: ps [-aCcdefHhjlmrSTuvwXxZ] [-O fmt | -o fmt] [-G gid[,gid...]]
          [-M core] [-N system]
          [-p pid[,pid...]] [-t tty[,tty...]] [-U user[,user...]]
       ps [-L]
$echo "$?"

Options to use with ps command:

(Note: There are different flavor of Unix so some command output may not match with the given output. Please try different set of options to get the desired result) 

  • ps -a : list out all the user processes but does not display the system generated processes.

$ps -a
 8858  v0  Is   0:00.01 login [pam] (login)
12529  v0  I<   0:00.01 -bash (bash)
12627  v0  I<   0:00.01 sudo su -
12673  v0  I<   0:00.00 su -
12674  v0  I+   0:00.05 bash
 8861  v1  Is+  0:00.00 /usr/libexec/getty Pc ttyv1
 8862  v2  Is+  0:00.00 /usr/libexec/getty Pc ttyv2
 8863  v3  Is+  0:00.00 /usr/libexec/getty Pc ttyv3
 8864  v4  Is+  0:00.00 /usr/libexec/getty Pc ttyv4
 8865  v5  Is+  0:00.00 /usr/libexec/getty Pc ttyv5
 8866  v6  Is+  0:00.00 /usr/libexec/getty Pc ttyv6
 8867  v7  Is+  0:00.00 /usr/libexec/getty Pc ttyv7
50740   0  Is+  0:00.01 -bash (bash)
80902   2  S<s+ 0:00.00 login
79530   4  Ss   0:00.10 -bash (bash)
80903   4  R+   0:00.00 ps -a
73225   1  Is+  0:00.07 -bash (bash)

  • ps -A : List out all the the system generated back ground running processes. 
  • ps -e : List out all the the system process with environment as well.

$ps -A
    0  ??  DLs      0:06.06 [kernel]
    1  ??  SLs      0:12.03 /sbin/init --
    2  ??  DL       0:00.00 [sctp_iterator]
    3  ??  DL       0:00.00 [xpt_thrd]
    4  ??  DL       0:06.98 [pagedaemon]
    5  ??  DL       0:00.00 [vmdaemon]
    6  ??  DL       0:00.06 [pagezero]
    7  ??  DL       0:20.96 [bufdaemon]
    8  ??  DL     129:56.95 [syncer]
    9  ??  DL       0:31.67 [vnlru]
   10  ??  DL       0:00.00 [audit]




$ps -e
79530   4  Ss   0:00.11 USER=pinku LOGNAME=pinku HOME=/home/pinku MAIL=/var/mail/pinku PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/home/pinku/bin TERM=xterm FTP_PASSIVE_MODE=YE
81693   4  R+   0:00.00 PW_SCAN_BIG_IDS=1 SHELL=/usr/local/bin/bash TERM=vt100 CLICOLOR=YES SSH_CLIENT= 51096 22 SSH_TTY=/dev/pts/4 USER=pinku ENV=/etc/kshrc FTP_PASSIVE_MODE=YES LSCOLORS=ExGxFxdx

Daemon Process: Other than User process there are number of processes wake up and sleep within a bit interval of time and keep running continuously, these process are called Daemons. These process are not created by users so not attached with any user terminal, this is the reason that we get "??" in TT (terminal) column. 

Daemons are the background processes and we can't terminate these process by pressing interrupt key "Ctrl c". But it is possible to terminate these process using kill command with signals, which we will see further.

  • ps -u : Display user processes with user name at the first column, most important it gives you CPU and memory utilization details.

$ps -u
pinku 79530   0.0  0.1   3912   2236   4  Ss    7:37AM 0:00.11 -bash (bash)
pinku 81552   0.0  0.0   9668    980   4  R+    8:48AM 0:00.00 ps -u

  • ps -f : Display the process status in full format output.
  • ps -l : Display the processes in long list format. By this option we are able to know the PPID of the process.

$ps -f
79530   4  Ss   0:00.11 -bash (bash)
81627   4  R+   0:00.00 ps -f
$ps -l
170368 79530 79529   0  20  0   3912   2236 wait   Ss     4  0:00.11 -bash (bash)
170368 81628 79530   0  20  0   9668    980 -      R+     4  0:00.00 ps -l

  • ps -j : Also display in ling list format little differently, includes PPID of the process in output.
  • ps -h : It is used for the header option, one header per page. Used when output consists of multiple pages.

$  ps -j
pinku 82307 82305 82307 82307    0 Ss     8  0:00.10 -bash (bash)
pinku 82713 82307 82713 82307    1 R+     8  0:00.00 ps -j

$ps -Ah

    0  ??  DLs      0:06.07 [kernel]
    1  ??  ILs      0:12.04 /sbin/init --
    2  ??  DL       0:00.00 [sctp_iterator]



82805  ??  Ss       0:00.02 sshd: [accepted] (sshd)
82806  ??  S        0:00.01 sshd: [net] (sshd)
 8858  v0  Is       0:00.01 login [pam] (login)

12529  v0  I<       0:00.01 -bash (bash)
12627  v0  I<       0:00.01 sudo su -
12673  v0  I<       0:00.00 su -



  • ps -v : another option which gives you CPU ​and memory utilization time.​

$ps -v
82935 R+   0:00.00 127   0      0   9668    980     -   28   0.0  0.0 ps -v
82307 Ss   0:00.11   0 127      0   3908   2232     -  744   0.0  0.1 -bash (bash)

Zombie process: A Zombie process is harmless child process which is waiting to be dead completely. It remains in this Zombie state unless its parent is going to pick up its exit status from process table.

A process becomes Zombie process when it exits but wait() system call is not executed by its parent process. After completing execution, child process is technically dead but its entry is still there in process table. It show the status "Z" in the process table for the process in this state. 

This is the reason that we cannot kill the zombie process.

Orphan Process:When the parent process die before the child process, the child becomes Orphan. Kernel take care of all the Orphan process by making "Init Process" parent of all the Orphans. When child dies, Init takes care of it and pick up its exit status from process table.

How to kill a process?

There are many circumstances when running process hangs or taking very long time than expected time of completion. In such cases, we kill the the process This is done by "kill" command.

Syntax : kill [option] PID of the process

Example: $kill 84598

We can use the option with the kill command as below:

1       HUP (Hang-up)
2       INT (Interrupt)
3       QUIT (Quit)
6       ABRT (Abort)
9       KILL (This kill can not be caught or ignored)
14     ALRM (Alarm clock)
15     TERM (Default termination signal)

If we did not give any singal with command, by default TERM signal is sent by the kill command. so, below both the commands are same:

$kill -15 84598

$kill 84598


Kill the process without having PID of the process: This is possible and can be done with "pkill" command. We need the process name to kill the process:

Syntax: pkill process-name 

Continue with process..