Can ps display only non kernel processes on Linux?

How can I ask ps to display only user processes and not kernel threads?

See this question to see what I mean…

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

This should do (under Linux):

ps --ppid 2 -p 2 --deselect

kthreadd (PID 2) has PPID 0 (on Linux 2.6+) but ps does not allow to filter for PPID 0; thus this work-around.

Method 2

In practice I found the following idiom enough:

ps auxf | grep -v ]$

It filters lines ending with brackets, which might result omitting unwanted entries but it’s very unlikely. In exchange it’s quite easy to remember and relatively quick to type.

Some processes like avahi-daemon add to their process name information in brackets (the hostname in the case of avahi-daemon) and will be filtered out by this command.

Method 3

One way to recognize kernel processes is that they don’t use any user memory, so the vsz field is 0. This also catches zombies (thanks to Stephane Chazelas for this observation), which can be eliminated based on their status.

ps axl | awk '$7 != 0 && $10 !~ "Z"'

To list just the PIDs:
ps -e -o pid= -o state= -o vsize= | awk '$2 != "Z" && $3 != 0 {print $1}'

Method 4

One of the particularity of those processes is that they are not backed by an executable file, so you could do (in zsh):

ps /proc/[0-9]*/exe(^<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="371a77">[email protected]</a>:h:t)

Or with any POSIX shell:
ps -p "$(find -L /proc/[0-9]*/exe ! -type l | cut -d / -f3 | paste -sd , -)"

That is check for processes whose /proc/<pid>/exe is a link to a file.

But that means you need to be superuser to be able to check the state of the /proc/<pid>/exe symlink.

Edit: As it happens the zombie processes (at least) satisfy the same condition, so if you don’t want them excluded, you’d have to add them back. Like:

ps -p "$(
  { find -L /proc/[0-9]*/exe ! -type l | cut -d / -f3
    ps -Ao pid=,state= | sed -n 's/ Z//p'
  } | paste -sd , -)"

Note that ps -f shows those process names in square brackets not because they’re kernel processes, but because they have an empty argv[] (so ps shows the process name instead of argv[0] there). You can have a user space process with an empty argv[] as well and you can have a process name with an argv[0] that’s of the form [some-string] so filtering the ps output based on those square brackets is not a foolproof option.

Method 5

You could also just parse the ps output and look for process names that are not in brackets:

ps aux | awk '$NF!~/^[.+]$/'

Method 6

For anyone trying this in busybox where ps is heavily simplified and the output is different, this variant of Gilles’ great answer works well:

ps -o pid,user,comm,vsz,stat | awk '$4 != 0 && $5 !~ "Z"'

As per Gilles’ answer, the methodology here is to find processes that don’t use any user memory (`vsz col == 0), and filter out zombie processes (status col is not ‘Z’).

Output columns can be adjusted easily, as long as the 1-based awk field numbers are adjusted accordingly. See the options your ps has available by putting in a bogus value and it will tell you. For example:

$ ps -o foo
ps: bad -o argument 'foo', supported arguments: user,group,comm,args,pid,ppid,pgid,tty,vsz,stat,rss

Method 7

What you are looking for, my friend, is not ps, but pstree.

First, identify the first kernel process. Its PID is commonly 1 on system without systemd and 2 with systemd.

Then use this command:

$ pstree -p <1 or 2> | grep -o '([0-9]+)' | grep -o '[0-9]+'

The selected answer (one with ✅) is using another command:
$ ps --ppid 2 -p 2 --deselect

The problem with this ps command is that it only includes direct children but not all descendants. The pstree command includes all descendants. You can compare and count the output of these two commands (an easy way is using | wc ) to verify.

Method 8

I’ve created psa script for that purpose. Note that it depends on the linechop tool.

Method 9

If you only need the counts …
I had a similar need to filter kernel vs. user processes, but I only needed the respective counts of each. This was my solution:

ps -eo vsz,state | grep -v Z | awk '{p[$1==0]++} END {printf "%-16s %6dn%-16s %6dn%-16s %6dn", "Kernel processes", p[1], "User processes", p[0], "Total processes", p[0]+p[1]}'

Sample output:
Kernel processes    353
User processes       52
Total processes     405

Explanation: I’m using the hack that VSZ=0 processes can be assumed to be kernel processes. So with awk, I evaluate a comparison on VSZ (from ps -eo vsize), whether it equals zero. The result of the comparison will be either a boolean 0 or 1. I make an array p[], and as I run down the list of processes, if it’s a kernel process, I increment p[1]++. Otherwise, as user process, I increment p[0]++. After all the incrementing, I label and print the values (i.e. counts) for p[0] and p[1] in the END { } block.

Edit: Updated to filter out processes in zombie (Z) state.


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x