Learning Center
Linux

Using the ps aux Command in Linux

22 Jan 2026
Emmanuel Oyibo
Emmanuel Oyibo

Effective system administration in Linux requires constant awareness of running processes. Whether diagnosing performance bottlenecks, identifying unauthorized tasks, or ensuring critical services remain operational, the ps aux command is an indispensable tool. 

This guide provides a comprehensive exploration of ps aux, from foundational concepts to advanced filtering techniques, equipping you to extract actionable insights from process data.

And if you’re looking for a reliable, high-performance, and budget-friendly solution for your workflows, Hostman has you covered with Linux VPS Hosting options, including Debian VPS, Ubuntu VPS, and VPS CentOS.

Prerequisites
Copy link

To follow the tutorial:

Understanding Processes in Linux
Copy link

Before we explore the ps aux command, let's take a moment to understand what processes are in the context of a Linux system.

What are Processes?
Copy link

A process represents an active program or service running on your Linux system. Each time you execute a command, launch an application, or initiate a background service, you create a process.

Linux assigns a unique identifier, called a Process ID (PID), to each process. This PID allows the system to track and manage individual processes effectively.

Why are Processes Grouped in Linux?
Copy link

Linux employs a hierarchical structure to organize processes. This structure resembles a family tree, where the initial process, init (or systemd), acts as the parent or ancestor.

All other processes descend from this initial process, forming a parent-child relationship. This hierarchy facilitates efficient process management and resource allocation.

The ps Command
Copy link

The ps (process status) command provides a static snapshot of active processes at the moment of execution. Unlike dynamic tools such as top or htop, which update in real-time, ps is ideal for scripting, logging, or analyzing processes at a specific point in time.

The ps aux syntax merges three key options:

  • a: Displays processes from all users, not just the current user.
  • u: Formats output with user-oriented details like CPU and memory usage.
  • x: Includes processes without an attached terminal, such as daemons and background services.

This combination offers unparalleled visibility into system activity, making it a go-to tool for troubleshooting and analysis.

Decoding the ps aux Output
Copy link

Executing ps aux generates a table with 11 columns, each providing critical insights into process behavior. Below is a detailed explanation of these columns:

Image1

USER
Copy link

This column identifies the process owner. Entries range from standard users to system accounts like root, mysql, or www-data. Monitoring this field helps detect unauthorized processes or identify which users consume excessive resources.

PID
Copy link

The Process ID (PID) is a unique numerical identifier assigned to each task. Administrators use PIDs to manage processes—for example, terminating a misbehaving application with kill [PID] or adjusting its priority using renice.

%CPU and %MEM
Copy link

These columns display the percentage of CPU and RAM resources consumed by the process. Values above 50% in either column often indicate performance bottlenecks. For instance, a database process consuming 80% CPU might signal inefficient queries or insufficient hardware capacity.

VSZ and RSS
Copy link

VSZ (Virtual Memory Size) denotes the total virtual memory allocated to the process, including memory swapped to disk.

On the other hand, RSS (Resident Set Size) represents the physical memory actively used by the process.

A process with a high VSZ but low RSS might reserve memory without actively utilizing it, which is common in applications that preallocate resources.

TTY
Copy link

This field shows the terminal associated with the process. A ? indicates no terminal linkage, which is typical for background services like cron or systemd-managed tasks.

STAT
Copy link

The STAT column reveals process states through a primary character + optional attributes:

  1. Primary States:

    • R: Running or ready to execute.
    • S: Sleeping, waiting for an event or signal.
    • I: Idle kernel thread
    • D: Uninterruptible sleep (usually tied to I/O operations).
    • Z: Zombie—a terminated process awaiting removal by its parent.
  1. Key Attributes:

    • s: Session leader
    • N: Low priority
    • <: High priority

For example, a STAT value of Ss denotes a sleeping session leader, while l< indicates an idle kernel thread with high priority.

START and TIME
Copy link

START indicates the time or date the process began. Useful for identifying long-running tasks.

TIME represents the cumulative CPU time consumed since launch. A process running for days with minimal TIME is likely idle.

COMMAND
Copy link

This column displays the command or application that initiated the process. It helps identify the purpose of a task—for example, /usr/bin/python3 for a Python script or /usr/sbin/nginx for an Nginx web server.

Advanced Process Filtering Techniques
Copy link

While ps aux provides a wealth of data, its output can be overwhelming on busy systems. Below are methods to refine and analyze results effectively.

Isolating Specific Processes
Copy link

To focus on a particular service—such as SSH—pipe the output to grep:

ps aux | grep sshd

Example output:

root         579  0.0  0.5  15436  5512 ?        Ss    2024   9:35 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root     2090997  0.0  0.8  17456  8788 ?        Ss   11:26   0:00 sshd: root@pts/0
root     2092718  0.0  0.1   4024  1960 pts/0    S+   12:19   0:00 grep --color=auto sshd

This filters lines containing sshd, revealing all SSH-related processes. To exclude the grep command itself from results, use a regular expression:

ps aux | grep "[s]shd" 

Example output:

root         579  0.0  0.5  15436  5512 ?        Ss    2024   9:35 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root     2090997  0.0  0.8  17456  8788 ?        Ss   11:26   0:00 sshd: root@pts/0

Sorting by Resource Consumption
Copy link

Identify CPU-intensive processes by sorting the output in descending order:

ps aux --sort=-%cpu | head -n 10

Example output:


USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
mysql    1734280  0.4 36.4 1325172 357284 ?      Ssl  Jan30  87:39 /usr/sbin/mysqld
redis    1424968  0.3  0.6 136648  6240 ?        Ssl  Jan18 112:25 /usr/bin/redis-server 127.0.0.1:6379
root           1  0.0  0.6 165832  6824 ?        Ss    2024   5:51 /lib/systemd/systemd --system --deserialize 45
root           2  0.0  0.0      0     0 ?        S     2024   0:00 [kthreadd]
root           3  0.0  0.0      0     0 ?        I<    2024   0:00 [rcu_gp]
root           4  0.0  0.0      0     0 ?        I<    2024   0:00 [rcu_par_gp]
root           5  0.0  0.0      0     0 ?        I<    2024   0:00 [slub_flushwq]
root           6  0.0  0.0      0     0 ?        I<    2024   0:00 [netns]
root           8  0.0  0.0      0     0 ?        I<    2024   0:00 [kworker/0:0H-events_highpri]

Similarly, you can sort by memory usage to detect potential leaks:

ps aux --sort=-%mem | head -n 10

Example output:

USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
mysql    1734280  0.4 36.4 1325172 357284 ?      Ssl  Jan30  87:39 /usr/sbin/mysqld
root         330  0.0  4.4 269016 43900 ?        S<s   2024  22:43 /lib/systemd/systemd-journald
root         368  0.0  2.7 289316 27100 ?        SLsl  2024   8:19 /sbin/multipathd -d -s
root     1548462  0.0  2.5 1914688 25488 ?       Ssl  Jan23   2:08 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
root     1317247  0.0  1.8 1801036 17760 ?       Ssl  Jan14  22:24 /usr/bin/containerd
root         556  0.0  1.2  30104 11956 ?        Ss    2024   0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root         635  0.0  1.1 107224 11092 ?        Ssl   2024   0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
root     2090997  0.0  0.8  17456  8788 ?        Ss   11:26   0:00 sshd: root@pts/0
root     2091033  0.0  0.8   9936  8480 pts/0    Ss   11:26   0:00 bash --rcfile /dev/fd/63

Real-Time Monitoring
Copy link

Combine ps aux with the watch command to refresh output every 2 seconds:

watch -n 2 "ps aux --sort=-%cpu"

This provides a dynamic view of CPU usage trends.

Zombie Process Detection
Copy link

Zombie processes, though largely harmless, clutter the process list. Locate them with:

ps aux | grep 'Z'

Persistent zombies often indicate issues with parent processes failing to clean up child tasks.

Practical Use Cases
Copy link

Now, let’s explore some common use cases of the ps aux command in Linux:

Diagnosing High CPU Usage
Copy link

Follow the below steps:

  1. Execute this command to list processes by CPU consumption.
ps aux --sort=-%cpu
  1. Identify the culprit—for example, a malfunctioning script using 95% CPU.
  2. If unresponsive, terminate the process gracefully with:
kill [PID]

Or forcibly with:

kill -9 [PID]

Detecting Memory Leaks
Copy link

Simply do the following:

  1. Sort processes by memory usage:

ps aux --sort=-%mem
  1. Investigate tasks with abnormally high %MEM values.
  2. Restart the offending service or escalate to developers for code optimization.

Auditing User Activity
Copy link

List all processes owned by a specific user (e.g., Jenkins):

ps aux | grep ^jenkins

This helps enforce resource quotas or investigate suspicious activity.

Best Practices for Process Management
Copy link

Let’s now take a quick look at some best practices to keep in mind when managing Linux processes:

  • Graceful Termination: Prefer kill [PID] over kill -9 to allow processes to clean up resources.

  • Log Snapshots: Periodically save process lists for audits:

ps aux > /var/log/process_audit_$(date +%F).log
  • Contextual Analysis: A high %CPU value might be normal for a video encoder but alarming for a text editor. Hence, it’s essential to consider the context when making an analysis.

Common Pitfalls to Avoid
Copy link

Here are some pitfalls to look out for when using ps aux in Linux:

  • Misinterpreting VSZ: High virtual memory usage doesn’t always indicate a problem—it includes swapped-out data.
  • Overlooking Zombies: While mostly benign, recurring zombies warrant investigating parent processes.
  • Terminating Critical Services: Always verify the COMMAND field before using kill to avoid disrupting essential services.

Conclusion
Copy link

The ps aux command is a cornerstone of Linux system administration, offering deep insights into process behavior and resource utilization. You can diagnose performance issues, optimize resource allocation, and maintain system stability by mastering its output interpretation, filtering techniques, and real-world applications. 

For further exploration, consult the ps manual (man ps) or integrate process monitoring into automated scripts for proactive system management.

Frequently Asked Questions (FAQ)
Copy link

What is the ps aux command in Linux? 
Copy link

It is the most common command to view a snapshot of all running processes on the system. The flags break down as follows:

  • a: Shows processes for all users, not just the current user.

  • u: Displays the process's user/owner and provides detailed resource usage (CPU, RAM).

  • x: Shows processes not attached to a terminal (background daemons).

Why do we use the ps command in Linux?
Copy link

We use it to monitor system health and troubleshoot performance. It helps you identify which applications are consuming the most CPU or Memory, find the Process ID (PID) needed to stop a frozen program, and verify if background services are running correctly.

How do you use the ps aux command to find zombie processes?
Copy link

Zombie processes (defunct) appear with a Z in the STAT column. You can filter for them specifically by running: ps aux | grep 'Z' Alternatively, to get a cleaner list excluding the grep command itself:

ps aux | awk '$8=="Z" {print $0}'

How do I sort the output by Memory or CPU usage? 
Copy link

By default, ps aux does not sort by usage. You can use the --sort option:

  • Sort by Memory: ps aux --sort=-%mem

  • Sort by CPU: ps aux --sort=-%cpu (The minus sign sorts in descending order).

What do the VSZ and RSS columns mean?

  • VSZ (Virtual Memory Size): The total virtual memory available to the process (including swap and shared libraries).

  • RSS (Resident Set Size): The actual physical RAM the process is currently using. RSS is usually the more important number for checking memory usage.

How do I kill a process I found using ps aux? 
Copy link

First, locate the PID (Process ID) in the second column of the output. Then run: sudo kill [PID] If the process refuses to close, you can force kill it with sudo kill -9 [PID].