processes

All running processes on the host system.

Platform support

Please be aware that some queries can only be run against certain platforms. Below is a list of the supported platforms that this query supports. Zercurity will automatically pause queries from running if errors are detected. Running a query against an unsupported platform will result in the following error: no such table: processes

  • Windows

  • Linux

  • Mac OSX

  • FreeBSD

Table schema

Name                Type     Description
pid                 BIGINT   Process (or thread) ID
name                TEXT     The process path or shorthand argv[0]
path                TEXT     Path to executed binary
cmdline             TEXT     Complete argv
state               TEXT     Process state
cwd                 TEXT     Process current working directory
root                TEXT     Process virtual root directory
uid                 BIGINT   Unsigned user ID
gid                 BIGINT   Unsigned group ID
euid                BIGINT   Unsigned effective user ID
egid                BIGINT   Unsigned effective group ID
suid                BIGINT   Unsigned saved user ID
sgid                BIGINT   Unsigned saved group ID
on_disk             INTEGER  The process path exists: yes=1, no=0, unknown=-1
wired_size          BIGINT   Bytes of unpageable memory used by process
resident_size       BIGINT   Bytes of private memory used by process
total_size          BIGINT   Total virtual memory size
user_time           BIGINT   CPU time in milliseconds spent in user space
system_time         BIGINT   CPU time in milliseconds spent in kernel space
disk_bytes_read     BIGINT   Bytes read from disk
disk_bytes_written  BIGINT   Bytes written to disk
start_time          BIGINT   Process start time in seconds since Epoch; -1 on error
parent              BIGINT   Process parent's PID
pgroup              BIGINT   Process group
threads             INTEGER  Number of threads used by process
nice                INTEGER  Process nice level (-20 to 20, default 0)
upid                BIGINT   A 64-bit pid that is never reused. Returns -1 if it could not be gathered from the system.
uppid               BIGINT   The 64-bit parent pid that is never reused. Returns -1 if it could not be gathered from the system.
cpu_type            INTEGER  Indicates the specific processor designed for installation.
cpu_subtype         INTEGER  Indicates the specific processor on which an entry may be used.

Query examples

select * from processes where pid = 1
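The queries below are added examples, not part of the original page, showing how the columns above are used for common host-monitoring checks. They use only the processes table and the SQLite built-in strftime() that osquery's SQL engine provides; the name filter in the last query is an illustrative choice, not a rule from the page.

```sql
-- Added example (not from the original page). Uses only the columns
-- of the processes table documented above.

-- 1. Processes whose executable is no longer present on disk.
--    on_disk is 0 when the path is gone and -1 when unknown, so
--    compare against 0 explicitly rather than testing "not 1".
SELECT pid, name, path, cmdline, uid, start_time
FROM processes
WHERE on_disk = 0;

-- 2. Processes running with an effective UID of 0 (root) that were
--    launched by a non-root user (uid vs. euid mismatch).
SELECT pid, name, path, uid, euid, suid, parent
FROM processes
WHERE euid = 0 AND uid != 0;

-- 3. Processes started in the last hour, newest first.
--    start_time is seconds since Epoch, or -1 on error, so the -1
--    rows are excluded before comparing against the current time.
SELECT pid, name, path, cmdline, start_time
FROM processes
WHERE start_time != -1
  AND start_time > (CAST(strftime('%s', 'now') AS INTEGER) - 3600)
ORDER BY start_time DESC;

-- 4. Parent/child view via a self-join on the parent column: each
--    shell process (illustrative name list) with its parent's name
--    and path, for process-lineage review.
SELECT c.pid, c.name AS child, c.path AS child_path, c.cwd,
       p.pid AS ppid, p.name AS parent_name, p.path AS parent_path
FROM processes c
LEFT JOIN processes p ON c.parent = p.pid
WHERE c.name IN ('sh', 'bash', 'zsh')
ORDER BY p.pid, c.pid;
```

Note that pid values are reused by the operating system; when correlating results across query runs, pair pid with start_time, or use upid/uppid where the platform provides them.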