31

I know there are two "levels" of programs: User space and kernel space.

My question is: I want to see only kernel programs,or better: programs on kernel space.

Is this approach correct?

ps -ef|grep "\["

root         1     0  0 20:23 ?        00:00:00 init [4]
root         2     0  0 20:23 ?        00:00:00 [kthreadd]
root         3     2  0 20:23 ?        00:00:00 [ksoftirqd/0]
root         5     2  0 20:23 ?        00:00:00 [kworker/0:0H]
root         7     2  0 20:23 ?        00:00:06 [rcu_sched]
root         8     2  0 20:23 ?        00:00:00 [rcu_bh]
root         9     2  0 20:23 ?        00:00:00 [migration/0]
root        10     2  0 20:23 ?        00:00:00 [migration/1]
root        11     2  0 20:23 ?        00:00:00 [ksoftirqd/1]
root        13     2  0 20:23 ?        00:00:00 [kworker/1:0H]
root        14     2  0 20:23 ?        00:00:00 [migration/2]
....
elbarna
  • 12,050
  • 22
  • 92
  • 170
  • 5
    >is possible to see kernel space programs? ... Yes! You simply need the correct astronomical filter on your CCD... ;-) – RubberStamp Dec 15 '17 at 22:27
  • 2
    lsmod ? https://en.wikipedia.org/wiki/Lsmod – steve Dec 15 '17 at 22:40
  • 5
    @steve Kernel space programs are really strictly tangential to modules. Not all modules have processes, and not all processes are modules. – Chris Down Dec 15 '17 at 23:50
  • 3
    The question is wrong: you want to see kernel processes (or kernel threads, or kernel tasks) not kernel programs.... There is only one *program* involved: the *kernel* (and kernel modules are *added* into the kernel). – Basile Starynkevitch Dec 16 '17 at 13:26
  • I will correct now – elbarna Dec 17 '17 at 20:09
  • All process switch into kernel space when they make a syscall – 炸鱼薯条德里克 Sep 15 '19 at 12:08
  • 1
    Good answer on stackoverflow: [Identifying kernel threads](https://stackoverflow.com/a/56369641/427158) - turned into bash code: [How to identify a thread is a kernel thread or not through `bash`?](https://stackoverflow.com/a/61940790/427158) – maxschlepzig Nov 09 '20 at 11:45

3 Answers3

50

Kernel processes (or "kernel threads") are children of PID 2 (kthreadd), so this might be more accurate:

ps --ppid 2 -p 2 -o uname,pid,ppid,cmd,cls

Add --deselect to invert the selection and see only user-space processes.

(This question was pretty much an exact inverse of this one.)

In 2.4.* and older kernels, this PID 2 convention did not exist yet.

telcoM
  • 87,318
  • 3
  • 112
  • 232
  • Is it always true ? See the fourth comment in this question: https://stackoverflow.com/q/12213445/1971003 – Guy Avraham Aug 19 '18 at 12:52
  • 1
    It is possible that in early 2.6.* kernels the conversion to the "child of PID 2" convention was not quite complete. As HighKing indicates there, the name of PID 2 had also not fully stabilized to `kthreadd` by 2.6.18. If you're interested in exact details, go to kernel.org and use the git browser interface to drill down into the early history of `kernel/kthread.c` file. – telcoM Aug 19 '18 at 13:13
4

Kernel threads do not use RAM at all (or at least are displayed not to use any):

ps -eo cmd,vsize,rss | grep -E ' 0 +0$'
Patrick Mevzek
  • 3,130
  • 2
  • 20
  • 30
1

If you have tuna installed you can list all kernel threads like this:

$ tuna -U -P
                      thread       ctxt_switches
    pid SCHED_ rtpri affinity voluntary nonvoluntary             cmd 
  2      OTHER     0     0xff       290            1        kthreadd  
  3      OTHER     0     0xff         2            0          rcu_gp  
  4      OTHER     0     0xff         2            0      rcu_par_gp  
  6      OTHER     0        0        13            0 kworker/0:0H-kblockd  
  9      OTHER     0     0xff         2            0    mm_percpu_wq  
  10     OTHER     0        0       448            0     ksoftirqd/0
[..]
maxschlepzig
  • 56,316
  • 50
  • 205
  • 279