# processes
All running processes on the host system.
## Platform support

Some queries can only be run against certain platforms. The platforms this table is supported on are listed below. Zercurity will automatically pause a query if errors are detected; running this query against an unsupported platform results in the error `no such table: processes`.
- Windows
- Linux
- Mac OSX
- FreeBSD

## Table schema
Name | Type | Description |
---|---|---|
pid | BIGINT | Process (or thread) ID |
name | TEXT | The process path or shorthand argv[0] |
path | TEXT | Path to executed binary |
cmdline | TEXT | Complete argv |
state | TEXT | Process state |
cwd | TEXT | Process current working directory |
root | TEXT | Process virtual root directory |
uid | BIGINT | Unsigned user ID |
gid | BIGINT | Unsigned group ID |
euid | BIGINT | Unsigned effective user ID |
egid | BIGINT | Unsigned effective group ID |
suid | BIGINT | Unsigned saved user ID |
sgid | BIGINT | Unsigned saved group ID |
on_disk | INTEGER | The process path exists yes=1, no=0, unknown=-1 |
wired_size | BIGINT | Bytes of unpagable memory used by process |
resident_size | BIGINT | Bytes of private memory used by process |
total_size | BIGINT | Total virtual memory size |
user_time | BIGINT | CPU time in milliseconds spent in user space |
system_time | BIGINT | CPU time in milliseconds spent in kernel space |
disk_bytes_read | BIGINT | Bytes read from disk |
disk_bytes_written | BIGINT | Bytes written to disk |
start_time | BIGINT | Process start in seconds since boot (non-sleeping) |
parent | BIGINT | Process parent’s PID |
pgroup | BIGINT | Process group |
threads | INTEGER | Number of threads used by process |
nice | INTEGER | Process nice level (-20 to 20, default 0) |
upid | BIGINT | A 64bit pid that is never reused. Returns -1 if we couldn’t gather them from the system. |
uppid | BIGINT | The 64bit parent pid that is never reused. Returns -1 if we couldn’t gather them from the system. |
cpu_type | INTEGER | A 64bit pid that is never reused. Returns -1 if we couldn’t gather them from the system. |
cpu_subtype | INTEGER | The 64bit parent pid that is never reused. Returns -1 if we couldn’t gather them from the system. |
## Query examples

```sql
select * from processes where pid = 1
```
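Some further queries, added here as examples (not taken from the Zercurity documentation), that use only the columns listed in the schema above. They are written for osquery's SQLite dialect; the path prefixes and row limits are illustrative choices.

```sql
-- 1. Processes whose executable is no longer on disk (on_disk = 0).
--    A binary removed after launch is worth reviewing. on_disk = -1 (unknown)
--    is deliberately excluded so hosts that cannot resolve the path do not
--    flood the results.
SELECT pid, name, path, cmdline, uid, start_time
FROM processes
WHERE on_disk = 0;

-- 2. Processes running with elevated effective privileges: the real uid is a
--    normal user but the effective uid is root. Setuid helpers (sudo, passwd)
--    appear here legitimately, so compare the path column against an
--    allow-list of expected binaries.
SELECT pid, name, path, uid, euid, suid
FROM processes
WHERE euid = 0 AND uid <> 0;

-- 3. Parent/child view via a self-join on parent = pid, narrowed to children
--    executing from typically world-writable directories (illustrative prefixes).
--    LEFT JOIN keeps children whose parent has already exited.
SELECT c.pid, c.name AS child, c.path AS child_path, c.cwd,
       p.pid AS ppid, p.name AS parent, p.path AS parent_path
FROM processes AS c
LEFT JOIN processes AS p ON c.parent = p.pid
WHERE c.path LIKE '/tmp/%' OR c.path LIKE '/dev/shm/%';

-- 4. Most recently started processes. start_time is seconds since boot, not a
--    wall-clock timestamp, so sort or compare it against uptime, not now().
SELECT pid, name, path, cmdline, parent, start_time
FROM processes
ORDER BY start_time DESC
LIMIT 20;

-- 5. CPU-heaviest processes. user_time and system_time are both milliseconds,
--    so they can be summed directly.
SELECT pid, name, path, (user_time + system_time) AS cpu_ms, threads, resident_size
FROM processes
ORDER BY cpu_ms DESC
LIMIT 10;
```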