Table of Contents
This guide provides an in-depth look at how to check and list running processes in Linux. We will explore a variety of powerful command-line tools, from the classic ps and top to the more modern and user-friendly htop. You’ll learn not just the commands themselves, but the concepts behind them, empowering you to diagnose problems and keep your system running smoothly.
Key Takeaways
- What is a Process? A process is simply an instance of a running program. Every time you launch an application or run a command, you create one or more processes.
- Essential Commands: The primary tools for listing processes are ps, top, htop, and pgrep. Each offers a different view into your system’s activity.
- ps is for Snapshots: The ps command provides a static snapshot of the current processes. Use ps aux or ps -ef for a detailed, comprehensive list.
- top and htop are for Real-Time Monitoring: The top and htop commands offer a dynamic, real-time view of your processes, continuously updating to show resource usage like CPU and memory. htop is an enhanced version of top with a more user-friendly interface and additional features.
- Process IDs (PID): Every process is assigned a unique Process ID (PID). This number is crucial for managing specific processes, such as stopping or prioritizing them.
- Understanding Output: Learning to read the output of these commands is key. Pay attention to columns like PID, USER, %CPU, %MEM, and STAT to understand what each process is doing and how it’s impacting your system.
- Managing Processes: Once you identify a process using these commands, you can use tools like kill and renice to manage it, for example, by stopping a misbehaving application or lowering the priority of a resource-intensive task.
The Fundamentals of Linux Processes
Before we dive into the commands, let’s establish a solid understanding of what a process is and how Linux handles them. In the simplest terms, a process is a program in execution. When you launch your web browser, a text editor, or even just run a simple command like ls in your terminal, the Linux kernel creates a process to carry out that task.
Each process is a self-contained environment with its own memory space, system resources, and a unique identifier. This isolation is a cornerstone of modern operating systems, ensuring that one faulty process doesn’t bring down the entire system.
The Process Lifecycle
A process goes through several states from its creation to its termination. It is “born” when a program is started, it “lives” while it’s running or waiting for resources, and it “dies” when it completes its task or is terminated. The kernel is responsible for managing this entire lifecycle, scheduling when processes get to use the CPU and allocating memory for them.
Parent and Child Processes
Linux has a hierarchical process structure. Every process in the system is created by another process, known as its parent. This creates a tree-like structure. The very first process, started by the kernel at boot time, is called init (or systemd on modern systems) and it always has a Process ID (PID) of 1. All other processes are descendants of this initial process.
For example, when you open a terminal, you are starting a shell process (like bash). When you run a command like grep inside that terminal, the shell process becomes the parent of the newly created grep process.
Process ID (PID) and Parent Process ID (PPID)
The kernel assigns a unique number to every single process, called the Process ID (PID). This is the primary identifier used to interact with a specific process. If you want to stop a running application, you need to know its PID.
Similarly, each process also has a Parent Process ID (PPID), which is simply the PID of the process that created it. This relationship is useful for tracing the lineage of processes and understanding how they are related.
Taking a Snapshot: The ps Command
The ps (process status) command is one of the oldest and most fundamental tools for viewing processes. It provides a static snapshot of the running processes at the moment you execute the command. It doesn’t update in real time. Think of it as taking a photograph of your system’s activity.
The ps command is incredibly versatile, but its sheer number of options can be intimidating. We’ll focus on the most common and useful combinations.
The Most Common Usage: ps aux
This is perhaps the most frequently used ps command. It provides a comprehensive and detailed list of every single process running on the system. Let’s break down what the aux options mean:
- a: Show processes for all users.
- u: Display the process’s user/owner and other detailed information.
- x: Also show processes not attached to a terminal. This is important for seeing system daemons and other background services.
Here’s an example of what the output might look like:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 167884 11624 ? Ss Oct18 0:09 /sbin/init
root 2 0.0 0.0 0 0 ? S Oct18 0:00 [kthreadd]
…
jdoe 1234 0.5 2.1 123456 87654 ? Sl 10:30 0:45 /usr/bin/firefox
jdoe 1289 0.0 0.5 54321 21098 pts/0 Ss 10:31 0:01 /bin/bash
jdoe 1567 0.0 0.1 23456 7890 pts/0 R+ 10:45 0:00 ps aux
Let’s dissect the most important columns:
- USER: The user who owns the process.
- PID: The unique Process ID.
- %CPU: The percentage of CPU time the process is currently using.
- %MEM: The percentage of physical memory (RAM) the process is using.
- VSZ: Virtual Memory Size. The total amount of memory the process has access to.
- RSS: Resident Set Size. The portion of the process’s memory that is currently held in RAM. This is often a more useful indicator of actual memory usage.
- TTY: The controlling terminal for the process. If it’s ?, it means the process is not attached to a terminal (e.g., a system service).
- STAT: The current process state. Common states include R (running), S (sleeping), Z (zombie), and T (stopped). The + indicates it’s a foreground process.
- START: The time the process was started.
- TIME: The total amount of CPU time the process has consumed.
- COMMAND: The command that was used to start the process.
An Alternative Syntax: ps -ef
Another very popular incantation of the ps command is ps -ef. This uses a different style of options but achieves a very similar result: a full listing of all processes.
- -e: Select all processes.
- -f: Do full-format listing.
The output is slightly different, but contains much of the same core information:
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Oct18 ? 00:00:09 /sbin/init
root 2 0 0 Oct18 ? 00:00:00 [kthreadd]
…
jdoe 1234 1100 0 10:30 ? 00:00:45 /usr/bin/firefox
jdoe 1289 1280 0 10:31 pts/0 00:00:01 /bin/bash
jdoe 1568 1289 0 10:46 pts/0 00:00:00 ps -ef
Key differences in this output include:
- UID: The User ID instead of the username.
- PPID: The Parent Process ID is displayed, which is very useful for seeing the process hierarchy.
- C: CPU utilization (a different way of measuring it than %CPU).
- STIME: The start time.
- CMD: The command (same as COMMAND).
Which one should you use? It’s largely a matter of personal preference. Both ps aux and ps -ef are standard on virtually all Linux systems. Try both and see which format you find more readable.
Viewing the Process Tree
Sometimes, just seeing a flat list of processes isn’t enough. You want to understand the parent-child relationships. The ps command can display this as a tree.
ps auxf
or
ps -ejH
The -ejH option is particularly good at showing the hierarchy clearly. This view is invaluable when you need to understand which process spawned another, which is often the case when debugging services.
Filtering ps Output with grep
A list of all processes can be overwhelming. Usually, you are looking for a specific process. The classic way to do this is by piping the output of ps to the grep command.
For example, to find all processes related to the Apache web server (httpd):
ps aux | grep httpd
This will filter the long list and show only the lines containing the string “httpd”. You’ll likely see one extra line in the output: the grep httpd command itself! You can easily ignore this.
This combination is a powerful and flexible way to quickly find the PID of a specific application you need to investigate or manage.
Real-Time Monitoring with top
While ps is great for a static snapshot, top provides a dynamic, real-time view of what’s happening on your system. It launches an interactive screen that continuously updates, showing you which processes are consuming the most resources. This makes it an indispensable tool for identifying performance bottlenecks.
To start it, simply type top in your terminal.
The top display is split into two main sections:
- The Summary Area (Top): This section provides a high-level overview of the system’s state.
- First line: Shows the current time, how long the system has been running (up), how many users are logged in, and the system load average over the last 1, 5, and 15 minutes. The load average is a key indicator of system business.
- Second line: A summary of tasks (processes), showing the total number and how many are in each state (running, sleeping, stopped, zombie).
- Third line: A breakdown of CPU usage, showing percentages for user processes (us), system processes (sy), nice processes (ni), idle time (id), and more.
- Fourth & Fifth lines: Information about memory (MiB Mem) and swap space (MiB Swap) usage, including total, free, and used amounts.
- The Process List (Bottom): This is a list of the currently running processes, sorted by CPU usage by default (the most CPU-intensive processes are at the top). The columns are similar to ps, including PID, USER, PR (Priority), NI (Nice value), VIRT, RES, SHR (Shared Memory), S (Status), %CPU, %MEM, TIME+, and COMMAND.
Interacting with top
top is interactive. You can use keyboard commands to change its behavior:
- q: Quit top.
- h: Display the help screen.
- k: Kill a process. It will prompt you for the PID of the process you want to kill.
- r: Renice a process (change its priority). It will prompt for a PID and a nice value.
- M: Sort the process list by memory usage.
- P: Sort the process list by CPU usage (the default).
- u: Filter by user. It will prompt you for a username.
- 1: Toggle between a single summary of all CPUs and a detailed view for each individual CPU core.
Spending time in top is one of the best ways to get a feel for your system’s normal operating state. By watching it regularly, you’ll start to recognize what “normal” looks like, making it much easier to spot when something is wrong.
An Enhanced Alternative: htop
htop is a third-party process viewer that can be seen as a more powerful and user-friendly successor to top. While top is a classic that’s available on almost any system, htop offers several significant improvements that make it the preferred tool for many sysadmins.
You may need to install htop first, as it’s not always included by default. On Debian/Ubuntu systems, you can install it with sudo apt-get install htop. On Red Hat/CentOS, use sudo yum install htop or sudo dnf install htop.
When you launch htop, the first things you’ll notice are the visual improvements:
- Color and Visual Meters: htop uses color to highlight information and provides clear, easy-to-read meters for CPU (per core), memory, and swap usage right at the top.
- Full Command Lines: It shows the full command for each process, not just the name.
- Scrolling: You can scroll both vertically and horizontally through the process list, which is a huge improvement over top.
- Mouse Support: In many terminal environments, you can use your mouse to click on processes and menu items.
Interacting with htop
Interaction is more intuitive than top. Instead of single-key commands, htop uses the function keys (F1, F2, etc.), with a helpful menu at the bottom of the screen reminding you what each key does.
- F1 (Help): Displays the help screen.
- F3 (Search): Search for a process by name.
- F4 (Filter): Filter the process list by name.
- F5 (Tree View): Toggle the process list into a tree view, showing parent-child relationships. This is one of htop’s best features.
- F6 (Sort): Opens a menu to sort by columns like CPU, memory, or PID.
- F7 / F8 (Nice): Decrease or increase the priority of a selected process.
- F9 (Kill): Opens a menu of signals to send to the selected process, allowing you to gracefully terminate (SIGTERM) or forcefully kill (SIGKILL) it.
- F10 (Quit): Exit htop.
The combination of a rich visual display, intuitive controls, and powerful features like the tree view makes htop an exceptional tool for both real-time monitoring and process management. If you have the ability to install it, it’s highly recommended.
Finding Processes by Name and Other Attributes with pgrep
What if you just want to find the PID of a process without all the extra information from ps? The pgrep command is designed for exactly this. It looks through the running processes and prints the PIDs of those that match the criteria you specify.
To find the PID of the sshd service:
pgrep sshd
The output will be one or more PIDs, one per line. This is incredibly useful for scripting.
pgrep can do more than just match by name:
- -u <username>: Find processes owned by a specific user. For example, pgrep -u jdoe.
- -l: List the process name along with the PID.
- -f: Match against the full command line, not just the process name.
For instance, to find the PID of a specific Firefox profile:
pgrep -f “firefox -P myprofile”
Advanced Process Management Concepts
Listing processes is the first step. The next is understanding what their state means and how to interact with them. As Linux expert Itamar Haim often says, “Understanding process management is not just about killing unresponsive applications. It’s about gaining a deep visibility into your system’s health and performance, allowing for proactive optimization and troubleshooting.”
Understanding Process States
In the STAT or S column of ps, top, and htop, you’ll see a letter representing the process’s current state. The most common ones are:
- R (Running or Runnable): The process is either currently using the CPU or it’s ready to run and waiting for the scheduler to give it a turn.
- S (Interruptible Sleep): The process is waiting for an event to complete, such as I/O from a disk or network. Most processes on a typical system will be in this state most of the time.
- D (Uninterruptible Sleep): Similar to S, but the process is in a state where it cannot be interrupted by signals. This is usually seen when a process is waiting for I/O from a slow or faulty device. Processes in this state can be difficult to kill.
- T (Stopped): The process has been stopped, usually by a user sending a SIGSTOP signal or during debugging.
- Z (Zombie): A zombie process is one that has completed its execution, but its entry still remains in the process table. This happens because its parent process has not yet “reaped” it by reading its exit status. A few zombies are normal, but a large number can indicate a problem with a parent application.
Controlling Processes with Signals
You don’t just “kill” a process in Linux. You send it a signal. A signal is a message sent to a process to notify it of an event. While some signals are for killing, others are for different purposes.
The kill command is used to send signals. The syntax is kill <signal> <PID>.
The most common signals are:
- SIGTERM (15): This is the default signal sent by kill. It’s a polite request for the process to terminate. A well-behaved application will catch this signal, clean up after itself (e.g., save open files), and then exit gracefully.
- SIGKILL (9): This is the “sledgehammer.” The SIGKILL signal cannot be caught or ignored by the process. It tells the kernel to terminate the process immediately. This should be used as a last resort, as the process gets no chance to clean up, which could lead to data corruption.
- SIGHUP (1): The “hang up” signal. This signal traditionally told a process that its controlling terminal has been closed. Many daemons and services are configured to reload their configuration files when they receive SIGHUP, without needing to be fully restarted.
To gracefully stop a process with PID 1234:
kill 1234
To forcefully kill it if it doesn’t respond:
kill -9 1234
or
kill -SIGKILL 1234
The pkill and killall commands work similarly but operate on process names instead of PIDs, which can be more convenient but also more dangerous if you’re not careful.
Building a powerful website requires not only a well-managed backend but also a robust frontend. Tools like the Elementor Website Builder are often used to design and create the user-facing parts of a web application running on these Linux servers. Managing the server processes ensures that the website, perhaps built on WordPress, has the resources it needs to run smoothly. For those looking to get started quickly, integrated solutions that bundle the builder with hosting, like Elementor Hosting, can simplify the entire process from server setup to site launch.
Frequently Asked Questions (FAQ)
1. What is the difference between ps aux and ps -ef?
Both commands show all running processes. The main differences are in the output format. ps aux uses BSD-style syntax and shows columns like %CPU, %MEM, and the user who started the process. ps -ef uses System V-style syntax and shows the Parent Process ID (PPID) and User ID (UID). It’s mostly a matter of personal preference.
2. What is a “zombie” process and should I be worried?
A zombie process is a terminated process that still has an entry in the process table because its parent hasn’t acknowledged its death. A few zombies are completely normal and harmless. However, if you see a large and growing number of them, it indicates a bug in a parent application that is failing to clean up its child processes.
3. How can I see which process is using a specific file or network port?
Commands like lsof (list open files) and fuser are perfect for this. For example, to see which process is using port 80, you can run sudo lsof -i :80.
4. What is the “load average” shown in top and htop?
The load average is a measure of the system’s workload. It represents the average number of processes that were in a running or uninterruptible state over the last 1, 5, and 15 minutes. A general rule of thumb is that the load average should not consistently exceed the number of CPU cores in your system.
5. Why can’t I kill a process that is in the “D” (uninterruptible sleep) state?
A process in state D is stuck waiting for I/O (usually from a disk) and cannot be interrupted by signals, including SIGKILL. Trying to kill it will have no effect until the I/O operation completes. If a process is stuck in this state for a long time, it usually points to a problem with the storage hardware or drivers. A reboot is often the only way to clear it.
6. What is the difference between virtual memory (VSZ) and resident memory (RSS)?
VSZ (Virtual Size) is the total amount of memory a process can access. This includes memory that has been allocated but not necessarily used, as well as shared libraries. RSS (Resident Set Size) is the portion of that memory that is currently being held in physical RAM. RSS is a more accurate representation of a process’s actual, current memory consumption.
7. How do I sort the output of top by memory usage?
While top is running, simply press the uppercase M key. This will re-sort the process list to show the processes consuming the most physical memory at the top.
8. What does the “nice” value mean?
The “nice” value (NI column in top/htop) is a way to influence the kernel’s process scheduler. It ranges from -20 (highest priority) to +19 (lowest priority). A process with a lower nice value is “less nice” to other processes and will be given more CPU time. You can change the nice value of a running process with the renice command.
9. Can I customize the columns shown in top or htop?
Yes. htop makes this very easy: press F2 to enter the setup screen, where you can add, remove, and reorder columns. In top, you can use the f key to enter the fields management screen to customize the display.
10. Is there a graphical tool for viewing processes?
Yes, most desktop environments for Linux come with a graphical system monitor application (like GNOME System Monitor or KSysGuard). These tools provide much of the same information as top and htop but in a point-and-click graphical interface, which can be easier for new users. They often include graphs of CPU, memory, and network usage over time.
Looking for fresh content?
By entering your email, you agree to receive Elementor emails, including marketing emails,
and agree to our Terms & Conditions and Privacy Policy.