18

If I can see a process running using ps -e, how can I find the file which launched it?

Improve this question
2
  • 2
    What OS is this? Linux, BSD, Solaris... Commented Dec 29, 2011 at 12:59
  • linux ... but cross-unix solutions welcome. Commented Dec 29, 2011 at 16:33

3 Answers 3

Reset to default
21

On Linux: if you know the PID, you can cat the cmdline file for that file. E.g.:

cat /proc/PID/cmdline

This will probably fail if the binary was moved after the program was started.

And of course:

lsof -n | grep PID | grep ' txt '

and:

ls -la /proc/PID/exe

which is a symbolic link to the executable.

Improve this answer
2
  • 1
    Note that /proc/PID/cmdline doesn't have a newline character, so you'll probably want to do something like cat /proc/PID/cmdline ; echo ''. Commented Dec 30, 2011 at 0:56
  • 1
    Actually, it has NUL characters separating the arguments, so you might want something even more elaborate like tr '\0' ' ' < /proc/PID/cmdline ; echo '' Commented Dec 30, 2011 at 1:00
2

Copy the process id from ps -e command and then run the following:

ps x | grep <process-id>
Improve this answer
2
  • Won't that fail if an application edits argv[0]? iirc sendmail does that. Commented Dec 29, 2011 at 13:14
  • Yes, it is a probability. None the less this comes handy almost every time. Commented Dec 29, 2011 at 13:22
0

None of the methods (ls, lsof or cat) in the other answers work for me. If I do:

$ nano test.txt

This is my winner,:

$ pgrep -f -l test
3074 nano test.txt

Or, in order to obtain only the PID to use it in programming:

$ pgrep -f test
3074

Tested on Kali Linux v1.0.6 (Debian based).
Compared to a simple ls, I must admit it is not a so portable solution, but at least it works.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.