1. Introduction

Knowing when a process began might be tricky sometimes, especially if the process is an old one.

In this tutorial, we’re going to look at the ways we can extract this information from processes. Let’s dive right in.

2. Inspecting /proc

The best-known place to look for any information related to processes is the proc filesystem. proc is a pseudo-filesystem that gives us an interface to the kernel's per-process data. Hence, we can expect to find at least some data there that gives us insight into when a specific process began to run. Indeed, we can use ls -ld to get the desired information on a particular process. Let’s run the command to see the form of the output:

$ ls -ld /proc/1
dr-xr-xr-x 9 root root 0 Apr 20 12:27 /proc/1

We get the date information as shown above. Now that we can get date information on a particular process, let us look at a tool that can give such details more clearly.

3. Using ps

ps is the primary tool for displaying information about active processes. On Linux, ps works by reading the virtual files in the /proc pseudo-filesystem. In fact, the /proc/[pid]/stat file holds the start time we want, but in jiffies, a time counter used in the Linux kernel. Fortunately, ps converts the jiffies to a human-readable date and time so that we can get useful insight from the data.
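The conversion described above can be reproduced by hand, which is useful on a host where ps is unavailable or its output needs cross-checking. This is an added example, not code from the original article: it takes starttime (field 22 of /proc/[pid]/stat, counted in clock ticks since boot) and adds it to btime from /proc/stat. The helper names and SAMPLE_* values are constructed for illustration.

```shell
#!/bin/sh
# Added example: helper names and SAMPLE_* values are constructed for illustration.

# Constructed /proc/[pid]/stat line. The comm field (2) is parenthesised and
# may itself contain spaces and ')', so a plain "awk '{print $22}'" would be
# off by two fields here.
SAMPLE_STAT='4242 (my (odd) proc) S 1 4242 4242 0 -1 4194304 100 0 0 0 5 3 0 0 20 0 1 0 1803000 0 0'
SAMPLE_BTIME=1650457653   # constructed "btime" (boot time, epoch seconds)
SAMPLE_HZ=100             # constructed clock ticks per second

# starttime_ticks STAT_LINE -> field 22 (start time in clock ticks since boot).
# Strip everything up to the LAST ") " so field 3 becomes $1 and field 22 is $20.
starttime_ticks() {
    printf '%s\n' "$1" | awk '{ sub(/^.*\) /, ""); print $20 }'
}

# start_epoch STAT_LINE BTIME HZ -> start time as seconds since the Unix epoch.
start_epoch() {
    ticks=$(starttime_ticks "$1")
    echo $(( $2 + $ticks / $3 ))
}

# proc_start PID -> start time of a live process (needs Linux /proc and GNU date).
proc_start() {
    btime=$(awk '$1 == "btime" { print $2 }' /proc/stat)
    hz=$(getconf CLK_TCK)
    stat_line=$(cat "/proc/$1/stat") || return 1
    date -d "@$(start_epoch "$stat_line" "$btime" "$hz")" '+%a %b %d %H:%M:%S %Y'
}

# Usage: sh procstart.sh 1
if [ $# -gt 0 ]; then
    proc_start "$1"
fi
```

Run with a PID as the only argument, the script prints that process's start time in an lstart-style format.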

3.1. Getting the General Information

The most general way to use ps in order to get information about processes is with the option -ef. Basically, we can get start time data with other useful information like PID and command. Let’s execute the command to see the output:

$ ps -ef
UID          PID    PPID  C STIME TTY          TIME CMD
root           1       0  0 12:27 ?        00:00:08 /sbin/init splash
root           2       0  0 12:27 ?        00:00:00 [kthreadd]
root           3       2  0 12:27 ?        00:00:00 [rcu_gp]
root           4       2  0 12:27 ?        00:00:00 [rcu_par_gp]
root           6       2  0 12:27 ?        00:00:00 [kworker/0:0H-events_highpri
root        4450       2  0 16:42 ?        00:00:00 [kworker/1:1-events]
root        4466       2  0 16:59 ?        00:00:00 [kworker/u4:0-events_unbound
root        4470       1  0 17:02 ?        00:00:00 /usr/libexec/fprintd
baeldung    4488    3580  9 17:03 ?        00:00:00 /usr/bin/nautilus --gapplica
baeldung    4513    4191  0 17:03 pts/0    00:00:00 ps -ef

As we have stated, we can see the start time information under the STIME column. However, the time information is not exact and is shown only in “HH:MM” format. That format applies only to processes that started on the day the command is executed, so this output doesn't give us a usable start time for long-running processes.

3.2. Displaying the Start Time Suitably

Unlike in the previous case, we want ps to produce more useful output. Luckily, ps also has a data column named lstart that gives us fully formatted start times, including those of older, long-running processes:

$ ps -eo user,pid,lstart,cmd
USER         PID                  STARTED CMD
root           1 Wed Apr 20 12:27:33 2022 /sbin/init splash
root           2 Wed Apr 20 12:27:33 2022 [kthreadd]
root           3 Wed Apr 20 12:27:33 2022 [rcu_gp]
root           4 Wed Apr 20 12:27:33 2022 [rcu_par_gp]
root           6 Wed Apr 20 12:27:33 2022 [kworker/0:0H-events_highpri]
root        4547 Wed Apr 20 17:28:23 2022 [kworker/1:1-cgroup_destroy]
root        4551 Wed Apr 20 17:30:43 2022 [kworker/0:0-cgroup_destroy]
root        4599 Wed Apr 20 17:33:44 2022 [kworker/u4:2-events_power_efficient]
root        4604 Wed Apr 20 17:33:56 2022 [kworker/1:2-events]
baeldung    4613 Wed Apr 20 17:40:33 2022 ps -eo user,pid,lstart,cmd

As we can see above, we get thorough start time information by selecting the columns to display with the option -o.

Moreover, we can use this technique to get the information about a specific process with the option -p:

$ ps -p 1 -o cmd=,lstart=
/sbin/init splash           Wed Apr 20 12:27:33 2022

Additionally, please note that we put the signs “=” just to hide the unnecessary header line.

3.3. Difference Between start, stime, and lstart

So far, we've seen data columns like stime without scrutinizing their actual meaning. To clear things up, we need to point out the differences between these columns.

start formats the start time data like “HH:MM:SS” if the process was created less than 24 hours ago. If the process is older, the format becomes “Mmm dd”.

stime, on the other hand, uses the format “HH:MM” if the process age is less than a day. If the process did not start on the same day but started in the same year, the format is “MmmDD”. If the process is more than a year old, stime displays only the year.

Finally, lstart shows the start time data with every detail in the format “Ddd Mmm dd HH:MM:SS YYYY”. Let’s take a look at all of them in one example:

$ ps -eo pid,start,stime,lstart
    PID  STARTED STIME                  STARTED
      1 12:27:33 12:27 Wed Apr 20 12:27:33 2022
      2 12:27:33 12:27 Wed Apr 20 12:27:33 2022
      3 12:27:33 12:27 Wed Apr 20 12:27:33 2022
      4 12:27:33 12:27 Wed Apr 20 12:27:33 2022
      6 12:27:33 12:27 Wed Apr 20 12:27:33 2022

4. Conclusion

In this article, we learned how to get start time information of a long-running Linux process in several formats.
