start time of a process on linux
How to find a process start time on ubuntu linux machine using c language. In linux there is /proc/[pid]/stat file which give information starttime %lu /*The time in jiffies the process started after system boot*/
and file /proc/stat that gives
btime %lu /*measurement of system boot time since Epoch in seconds*/ For adding both these values how can I convert former value into seconds because it is in jiffies unit.
1 Answer 1
Jiffies per second is configurable when one compiles the Linux kernel.
The following program uses the number of jiffies per second on the kernel you’re running. It takes an optional command line parameter, which is the process number. The default is the process number of the running program itself. Each second, it outputs the start time of the specified process, both as local time and UTC. The only reason for the repeat loop is to demonstrate that the value doesn’t change.
#include #include #include #include #include #include #include #include int find_nth_space(char *search_buffer, int space_ordinality ) < int jndex; int space_count; space_count=0; for(jndex=0; search_buffer[jndex]; jndex++ ) < if(search_buffer[jndex]==' ') < space_count++; if(space_count>=space_ordinality) < return jndex; >> > fprintf(stderr,"looking for too many spaces\n"); exit(1); > /* find_nth_space() */ int main(int argc, char **argv ) < int field_begin; int stat_fd; char proc_buf[80]; char stat_buf[2048]; long jiffies_per_second; long long boot_time_since_epoch; long long process_start_time_since_boot; time_t process_start_time_since_epoch; ssize_t read_result; struct tm gm_buf; struct tm local_buf; jiffies_per_second=sysconf(_SC_CLK_TCK); if(argc<2) < strcpy(proc_buf,"/proc/self/stat"); >else < sprintf(proc_buf,"/proc/%ld/stat",strtol(argv[1],NULL,0)); >for(;;) < stat_fd=open(proc_buf,O_RDONLY); if(stat_fd<0) < fprintf(stderr,"open() fail\n"); exit(1); >read_result=read(stat_fd,stat_buf,sizeof(stat_buf)); if(read_result <0) < fprintf(stderr,"read() fail\n"); exit(1); >if(read_result>=sizeof(stat_buf)) < fprintf(stderr,"stat_buf is too small\n"); exit(1); >field_begin=find_nth_space(stat_buf,21)+1; stat_buf[find_nth_space(stat_buf,22)]=0; sscanf(stat_buf+field_begin,"%llu",&process_start_time_since_boot); close(stat_fd); stat_fd=open("/proc/stat",O_RDONLY); if(stat_fd <0) < fprintf(stderr,"open() fail\n"); exit(1); >read_result=read(stat_fd,stat_buf,sizeof(stat_buf)); if(read_result <0) < fprintf(stderr,"read() fail\n"); exit(1); >if(read_result>=sizeof(stat_buf)) < fprintf(stderr,"stat_buf is too small\n"); exit(1); >close(stat_fd); field_begin=strstr(stat_buf,"btime ")-stat_buf+6; sscanf(stat_buf+field_begin,"%llu",&boot_time_since_epoch); process_start_time_since_epoch = boot_time_since_epoch+process_start_time_since_boot/jiffies_per_second; localtime_r(&process_start_time_since_epoch,&local_buf); gmtime_r (&process_start_time_since_epoch,&gm_buf ); printf("local time: %02d:%02d:%02d\n", local_buf.tm_hour, local_buf.tm_min, local_buf.tm_sec ); printf("UTC: %02d:%02d:%02d\n", gm_buf.tm_hour, gm_buf.tm_min, gm_buf.tm_sec ); sleep(1); > return 0; > /* main() */ Linux — How do I see when a process started?
If you want only the start time, you can select the field and suppress the header by doing this:
the output will look like this:
which is ctime(3) format and you can parse it to split out the relevant parts.
Other start fields such as start , stime , bsdstart and start_time age the time (after 24 hours only the date is shown, for example).
You can, however, use them directly for recently started processes without further parsing:
which would output something like:
awk » /proc/$pid/stat — gives you the start time in jiffies after boot
Riddle me this. A system with an uptime of ’17:57′ has a process with a start time of ‘727975’. Looks like the process started 8 days from now?
Way too obscure! And besides, now you have to look up the boot time and do the math to convert jiffies to seconds and calculate the offset to get clock time. Easy, but too many steps. See Chopper3’s answer.
The amount of jiffies per second is stored in system variable HZ. It is mostly 100. To calculate it in shell you might use this: stackoverflow.com/a/44524937/1950345
«ps -f» — it’s in the man pages
Actually this works if the process was started the same day, but if it was started another day you only get the day, but not the time of day as on @DennisWilliamson answer
If there’s a single process with a given name (e.g. openvpn ) on the host, you can do:
ps -p `pgrep openvpn` -o lstart= Following Dennis Williamson’s excellent answer, the ps command also has the -O option which, according to the man page: is «Like -o, but preloaded with some default columns.» This allows you to grep for the command (program) associated with the PID, if you don’t know the PID itself.
Example: finding when an apt-get process hanging on Debian/Ubuntu started:
ps -A -O lstart= | grep apt-get | grep -v grep Piping to grep -v grep filters out lines containing the string «grep», which removes the command we just typed in (since we don’t want it).
On my system right now, this gives:
1461407 Apr 15 06:00:00 2021 S ? 00:05:09 apt-get autoremove -y How to get the start time of a long-running Linux process?
Is it possible to get the start time of an old running process? It seems that ps will report the date (not the time) if it wasn’t started today, and only the year if it wasn’t started this year. Is the precision lost forever for old processes?
Is there anything wrong with using ps -p
@ajwood It would be better to use ps -p
Is there anything wrong with using ps -p -o lstart ? Maybe the fact there’s no lstart neither in 2004 Edition nor in 2013 Edition of POSIX 1003.1 standard?
@PiotrDobrogost, that would be a problem if the question asked about POSIX, but it’s asking about Linux.
Mods — techraf, Makyen, David Rawson, Tsyvarev, Paul Roub — why don’t you move it to a more appropriate site such as StackExchange or Superuser instead of closing the question? This is a good and useful question
8 Answers 8
You can specify a formatter and use lstart , like this command:
The above command will output all processes, with formatters to get PID, command run, and date+time started.
Example (from Debian/Jessie command line)
$ ps -eo pid,lstart,cmd PID CMD STARTED 1 Tue Jun 7 01:29:38 2016 /sbin/init 2 Tue Jun 7 01:29:38 2016 [kthreadd] 3 Tue Jun 7 01:29:38 2016 [ksoftirqd/0] 5 Tue Jun 7 01:29:38 2016 [kworker/0:0H] 7 Tue Jun 7 01:29:38 2016 [rcu_sched] 8 Tue Jun 7 01:29:38 2016 [rcu_bh] 9 Tue Jun 7 01:29:38 2016 [migration/0] 10 Tue Jun 7 01:29:38 2016 [kdevtmpfs] 11 Tue Jun 7 01:29:38 2016 [netns] 277 Tue Jun 7 01:29:38 2016 [writeback] 279 Tue Jun 7 01:29:38 2016 [crypto] . You can read ps ‘s manpage or check Opengroup’s page for the other formatters.
Be aware that lstart time can change, the stat methods below are safer — unix.stackexchange.com/questions/274610/….
The ps command (at least the procps version used by many Linux distributions) has a number of format fields that relate to the process start time, including lstart which always gives the full date and time the process started:
# ps -p 1 -wo pid,lstart,cmd PID STARTED CMD 1 Mon Dec 23 00:31:43 2013 /sbin/init # ps -p 1 -p $$ -wo user,pid,%cpu,%mem,vsz,rss,tty,stat,lstart,cmd USER PID %CPU %MEM VSZ RSS TT STAT STARTED CMD root 1 0.0 0.1 2800 1152 ? Ss Mon Dec 23 00:31:44 2013 /sbin/init root 5151 0.3 0.1 4732 1980 pts/2 S Sat Mar 8 16:50:47 2014 bash (In my experience under Linux, the time stamp on the /proc/ directories seem to be related to a moment when the virtual directory was recently accessed rather than the start time of the processes:
# date; ls -ld /proc/1 /proc/$$ Sat Mar 8 17:14:21 EST 2014 dr-xr-xr-x 7 root root 0 2014-03-08 16:50 /proc/1 dr-xr-xr-x 7 root root 0 2014-03-08 16:51 /proc/5151 Note that in this case I ran a «ps -p 1» command at about 16:50, then spawned a new bash shell, then ran the «ps -p 1 -p $$» command within that shell shortly afterward. )
Linux: How to know where a process was started and how it was started?
I was checking a Linux box and found a perl process running and taking a good share of cpu usage. With top, i could only perl in process name. When i pressed c, to view the command-line, it showed /var/spool/mail. Which does not make sense, since this is directory. My questions are: 1) Why did this happen? How this perl process could mask its command-line? 2) What is the most reliable way of finding out where and how a process was started? Thanks!
9 Answers 9
In most cases just running ps is usually sufficient, along with your favorite flags to enable wide output. I lean towards ps -feww , but the other suggestions here will work. Note that if a program was started out of someone’s $PATH , you’re only going to see the executable name, not the full path. For example, try this:
$ lftp & $ ps -feww | grep ftp lars 9600 9504 0 11:30 pts/10 00:00:00 lftp lars 9620 9504 0 11:31 pts/10 00:00:00 grep ftp It’s important to note that the information visible in ps can be completely overwritten by the running program. For example, this code:
int main (int argc, char **argv)
If I compile this into a file called «myprogram» and run it:
$ gcc -o myprogram myprogram.c $ ./myprogram & [1] 10201 And then run ps , I’ll see a different process name:
$ ps -f -p 10201 UID PID PPID C STIME TTY TIME CMD lars 10201 9734 0 11:37 pts/10 00:00:00 foobar You can also look directly at /proc//exe , which may be a symlink to the appropriate executable. In the above example, this gives you much more useful information than ps :
$ls -l /proc/9600/exe lrwxrwxrwx. 1 lars lars 0 Feb 8 11:31 /proc/9600/exe -> /usr/bin/lftp