Buffl
Buffl
LFCA: Linux Fundamentals

Viewing and Terminating Processes

as
by abdullah S.

Linux Process Management - Viewing and Terminating Processes

Overview


This lesson covers essential Linux commands for monitoring and managing system processes: ps, kill, and top. These tools allow you to view running processes, understand their relationships, and terminate them when necessary.

Detailed Explanations


1. The ps Command (Process Status)

What it does: Displays a snapshot of currently running processes.

Default behavior: Shows only processes owned by the current user and associated with the current terminal.

Key Options:

  • ps (no options): Shows basic info about your processes

    • PID (Process ID): Unique number identifying each process

    • TTY (Terminal): Which terminal the process is associated with

    • TIME: CPU time used by the process

    • CMD: Command that started the process

  • ps -f (full format): Adds more columns:

    • UID: User ID who owns the process

    • PPID: Parent Process ID (which process started this one)

    • C: CPU utilization percentage

    • STIME: Start time when process began

  • ps -e: Shows ALL processes on the system (all users)

  • ps -ef: Combines both - shows all processes with full details

  • ps -u username: Shows processes for a specific user

Important Concepts:

  • Process ID (PID): Every process gets a unique number

  • Parent Process ID (PPID): Shows which process created this one

  • PID 1 (systemd): The first process that starts all others

  • Orphaned processes: When a parent process dies, children are adopted by PID 1

Option Styles:

  1. UNIX style: Uses dash before options (e.g., -ef) - FOCUS OF THIS LESSON

  2. BSD style: No dash (e.g., aux)

  3. GNU long style: Double dash (e.g., --help)

2. The kill Command

What it does: Sends signals to processes to terminate or control them.

Default behavior: Sends SIGTERM (signal 15) - a "polite" termination request.

Key Signals:

  • SIGTERM (15): Default signal

    • Asks process to terminate gracefully

    • Allows cleanup (saving files, closing connections)

    • Process can refuse (but usually doesn't)

    • Command: kill PID or kill -15 PID

  • SIGKILL (9): Forceful termination

    • Immediately kills the process

    • NO cleanup allowed

    • Cannot be ignored by process

    • Like unplugging a computer

    • Command: kill -9 PID

Syntax: kill [signal] PID

Example:

kill 1234 # Sends SIGTERM to process 1234 kill -9 1234 # Force kills process 1234 kill -15 1234 # Explicitly sends SIGTERM

Important Notes:

  • Killing a parent doesn't automatically kill children

  • Child processes may become orphaned (adopted by PID 1)

  • Use SIGTERM first; only use SIGKILL if necessary

3. The top Command

What it does: Provides a real-time, dynamic view of running processes and system resources.

Interface Components:

Header Section:

  • Uptime: How long system has been running

  • Users: Number of logged-in users

  • Load Average: System load over 1, 5, and 15 minutes

  • Tasks: Total processes and their states (running, sleeping, stopped, zombie)

  • CPU %: CPU usage breakdown

  • Memory (Mem): RAM usage

  • Swap: Swap space usage

Process List:

  • Sorted by CPU usage by default

  • Shows: PID, USER, PR (priority), NI (nice value), VIRT, RES, SHR, S (state), %CPU, %MEM, TIME+, COMMAND

Interactive Keys:

  • h: Help menu (shows all options)

  • k: Kill a process (prompts for PID and signal)

  • q: Quit top

  • l: Toggle load average display

  • t: Toggle/cycle CPU display format

  • m: Toggle/cycle memory display format

  • w: Write current configuration to file

Killing Processes in top:

  1. Press k

  2. Enter PID (default is top process)

  3. Enter signal number (default is 15/SIGTERM)

  4. Process is terminated


Practical Examples Explained


Example 1: Understanding Process Relationships


ps -f

Shows:

  • Bash shell (your terminal session)

  • Script running under Bash (PPID points to Bash)

  • Sleep command (child of the script)


Example 2: Orphaned Process


When you kill a parent process but not its children:

  • Child's PPID changes from parent's PID to 1 (systemd)

  • Child continues running under systemd


Example 3: CPU Load Generation


cat /dev/urandom | gzip > /dev/null

  • /dev/urandom: Generates random data

  • gzip: Compresses it (CPU intensive)

  • /dev/null: Discards output

  • Purpose: Creates CPU load for testing


What is a Process ID (PID)?

A unique numerical identifier assigned to each running process on a Linux system. PID 1 is always the init system (systemd on modern systems) which starts all other processes.

What is a Parent Process ID (PPID)?

The PID of the process that created/spawned the current process. Every process except PID 1 has a parent. If a parent dies, orphaned children are adopted by PID 1.

What happens when a process becomes orphaned?

When a parent process terminates but its child processes continue running, those children become orphaned and are automatically adopted by PID 1 (systemd), which becomes their new parent.

What does the ps command do by default (no options)?

Shows a snapshot of processes belonging to the current user that are associated with the current terminal. Displays PID, TTY, TIME, and CMD.

What is the difference between ps and ps -f?

  • ps: Basic format with PID, TTY, TIME, CMD

  • ps -f: Full format adding UID, PPID, C (CPU %), STIME (start time), and full command with arguments


What does ps -e display?

Shows ALL processes running on the system from all users, not just the current user's processes.

What does ps -ef do?

Combines -e (all processes) and -f (full format) to show all processes system-wide with detailed information including parent-child relationships.

How do you view processes for a specific user with ps?

Use ps -u username (e.g., ps -u cloud_user) to display all processes started by that specific user.

What are the three option styles that ps accepts?

  1. UNIX style: Preceded by single dash (e.g., -ef)

  2. BSD style: No dash, can be grouped (e.g., aux)

  3. GNU long style: Preceded by double dash (e.g., --help)


In ps output, what does the TIME column represent?

The cumulative CPU time that the process has consumed (not how long it's been running), displayed in format MM:SS or HH:MM:SS.

What does the kill command do by default?

Sends the SIGTERM signal (signal 15) to a specified process, requesting it to terminate gracefully while allowing cleanup operations.

What is SIGTERM (signal 15)?

A termination signal that politely requests a process to stop. It allows the process to perform cleanup tasks (save files, close connections, free resources) before exiting. Processes can technically ignore it but usually don't.

What is SIGKILL (signal 9)?

A forceful termination signal that immediately kills a process without allowing any cleanup. Cannot be caught or ignored by the process. Similar to unplugging a computer.

What is the syntax for the kill command?

kill [options] PID or kill -signal PID Examples:

  • kill 1234 (sends SIGTERM)

  • kill -9 1234 (sends SIGKILL)

  • kill -15 1234 (explicitly sends SIGTERM)


When should you use SIGKILL (-9) instead of SIGTERM (-15)?

Use SIGKILL only when:

  • SIGTERM fails to terminate the process

  • The process is frozen/unresponsive

  • Immediate termination is critical Always try SIGTERM first as it's safer and allows proper cleanup.


What happens to child processes when you kill their parent?

Child processes do NOT automatically terminate. They become orphaned and are adopted by PID 1 (systemd). You must explicitly kill child processes if needed.

How do you send a SIGTERM signal explicitly?

Either kill PID (SIGTERM is default) or kill -15 PID or kill -SIGTERM PID

What does the top command display?

A dynamic, real-time view of running processes and system resources (CPU, memory, swap). Updates continuously and sorts processes by CPU usage by default.

What information is shown in the top command header?

  • System uptime

  • Number of logged-in users

  • Load average (1, 5, 15 minutes)

  • Tasks (total, running, sleeping, stopped, zombie)

  • CPU usage percentage

  • Memory (RAM) usage

  • Swap usage


How do you access the help menu in top?

Press the h key while in the top interface. This displays all available commands and options.

How do you kill a process from within the top interface?

  1. Press k

  2. Enter the PID (defaults to highest CPU process)

  3. Enter signal number (default is 15 for SIGTERM)

  4. Press Enter to confirm


How do you quit/exit the top command?

Press the q key to quit and return to the command prompt.

What do the toggle keys do in top?

  • l: Toggle load average display on/off

  • t: Cycle through different CPU display formats or hide

  • m: Cycle through different memory display formats or hide

  • w: Write current configuration to file


What does the load average represent in top?

The average system load over the last 1, 5, and 15 minutes. Represents the number of processes waiting for CPU time. Values equal to or less than the number of CPU cores indicate healthy load.

How are processes sorted by default in top?

By CPU usage (%CPU column) in descending order - processes using the most CPU appear at the top.

Command to see all processes with full details including parent-child relationships?

ps -ef - Shows all processes system-wide with full format including PPID to trace parent-child relationships.

You want to terminate process 5678 gracefully. What command?

kill 5678 or kill -15 5678 - Sends SIGTERM allowing cleanup.

Process 5678 won't terminate with SIGTERM. What next?

kill -9 5678 - Force kills with SIGKILL for immediate termination.

How to find and kill all processes owned by user "bob"?

ps -u bob # Find Bob's processes and note PIDs

kill PID1 PID2... # Kill each PID



Or use: pkill -u bob (advanced)

In top, you see a process consuming 99% CPU. How to kill it?

Press k, press Enter (accepts default top process), enter signal (15 or 9), press Enter to confirm.

What is PID 1 and why is it important?

PID 1 is the first process started by the kernel (systemd on modern Linux). It:

  • Starts all other processes

  • Adopts orphaned processes

  • Cannot be killed (system would crash)

  • Is the ultimate parent of all processes


What columns does ps -f add compared to basic ps?

Adds:

  • UID (User ID)

  • PPID (Parent Process ID)

  • C (CPU utilization %)

  • STIME (start time)

  • Full command with arguments


Why might you pipe ps output to head or tail?

  • ps -ef | head: Show first 10 lines (system processes, PID 1)

  • ps -ef | tail: Show last 10 lines (recent processes)


  • Useful when output is too long to view at once.


What is the difference between terminating and killing a process?

  • Terminating (SIGTERM): Graceful shutdown with cleanup

  • Killing (SIGKILL): Immediate forced shutdown without cleanup


    Both achieve the same end (stopped process) but differ in how they get there.


Can a process ignore SIGKILL (-9)?

No. SIGKILL cannot be caught, blocked, or ignored by any process. The kernel forcibly terminates the process immediately. This is why it's the "last resort" signal.

What are the most important ps command combinations for LFCA?

  • ps - Your processes

  • ps -f - Your processes, full format

  • ps -e - All processes

  • ps -ef - All processes, full format

  • ps -u username - Specific user's processes


What signals should you memorize for LFCA?

  • 15 (SIGTERM): Default, graceful termination with cleanup

  • 9 (SIGKILL): Force kill, immediate termination, no cleanup


    Remember: Try 15 first, use 9 only if needed.


Key top commands to remember for LFCA?

  • h - Help

  • k - Kill process

  • q - Quit

  • l, t, m - Toggle displays

  • Understand the header information (load, CPU, memory)


How to remember the difference between PID and PPID?

  • PID: "Process ID" - THIS process's unique number

  • PPID: "Parent Process ID" - The process that CREATED this one


    Think: "PPID points to my parent"


What's the safest way to terminate a process?

  1. First try: kill PID (SIGTERM, allows cleanup)

  2. Wait a few seconds

  3. Check if still running: ps -p PID

  4. If still running: kill -9 PID (SIGKILL, force)


    Always attempt graceful termination before forcing.


You killed a parent process but children are still running. Why?

Killing a parent does NOT automatically kill children. Children become orphaned and adopted by PID 1. You must explicitly kill each child process by its PID.

Why doesn't ps show all processes when you run it?

By default, ps without options only shows processes:

  • Owned by the current user

  • Associated with the current terminal


    Use ps -e or ps -ef to see all processes.


What's wrong with always using kill -9?

Problems:

  • No cleanup (data loss, corruption risk)

  • No graceful shutdown (connections dropped)

  • No chance to save work

  • Considered bad practice Always try SIGTERM first.


In top, process CPU % exceeds 100%. Error?

no error! On multi-core systems, each core contributes 100%. A process using 200% means it's using 2 full cores. This is normal on systems with multiple CPUs/cores.

You see zombie processes in top. What are they?

Zombie (defunct) processes have finished executing but still have an entry in the process table because their parent hasn't read their exit status. Usually harmless and cleaned up automatically. If many zombies persist, the parent process may have issues.

What's the recommended order for terminating processes?

  1. Use ps to identify the correct PID

  2. Send SIGTERM: kill PID

  3. Wait 5-10 seconds

  4. Verify with ps -p PID

  5. If still running, send SIGKILL: kill -9 PID

  6. Check for orphaned child processes


How to monitor a specific process continuously?

Use top and:

  • Press k and enter the PID to focus on it

  • Or use top -p PID to monitor specific process

  • Or use watch "ps -p PID -o pid,ppid,%cpu,%mem,cmd" for custom monitoring


When should you use top vs ps?

  • ps: Quick snapshot, scripting, specific queries, historical data

  • top: Real-time monitoring, interactive management, troubleshooting active issues, seeing system load Use ps for quick checks, top for ongoing monitoring.


What should you check before killing a process?

  1. Verify it's the correct PID (typos kill wrong processes!)

  2. Check what user owns it (permissions)

  3. Check if it has children that need killing

  4. Consider if it's a system process (could break system)

  5. Understand what the process does


How to find processes using high CPU/memory?

  • CPU: top (sorts by CPU by default) or ps -eo pid,ppid,cmd,%cpu --sort=-%cpu | head

  • Memory: Press M in top to sort by memory or ps -eo pid,ppid,cmd,%mem --sort=-%mem | head


Essential Commands:

  • ps - View current user's processes

  • ps -ef - View all processes with details

  • ps -u user - View specific user's processes

  • kill PID - Terminate gracefully (SIGTERM)

  • kill -9 PID - Force terminate (SIGKILL)

  • top - Real-time process monitor

  • h in top - Help menu

  • k in top - Kill process

  • q in top - Quit


Remember:

  • PID 1 = systemd (parent of all)

  • SIGTERM (15) = graceful (DEFAULT)

  • SIGKILL (9) = forceful (LAST RESORT)

  • Always check before killing!


Join Course
Preview

Author

abdullah S.

Information

Last changed

Report course
© 2023 Buffl GmbH