Using the ps aux Command in Linux
Effective system administration in Linux requires constant awareness of running processes. Whether diagnosing performance bottlenecks, identifying unauthorized tasks, or ensuring critical services remain operational, the ps aux command is an indispensable tool.
This guide provides a comprehensive exploration of ps aux, from foundational concepts to advanced filtering techniques, equipping you to extract actionable insights from process data.
And if you’re looking for a reliable, high-performance, and budget-friendly solution for your workflows, Hostman has you covered with Linux VPS Hosting options, including Debian VPS, Ubuntu VPS, and VPS CentOS.
Prerequisites Copy link
To follow the tutorial:
- Deploy a Linux cloud server instance at Hostman
- SSH into the server instance
Understanding Processes in Linux Copy link
Before we explore the ps aux command, let's take a moment to understand what processes are in the context of a Linux system.
What are Processes? Copy link
A process represents an active program or service running on your Linux system. Each time you execute a command, launch an application, or initiate a background service, you create a process.
Linux assigns a unique identifier, called a Process ID (PID), to each process. This PID allows the system to track and manage individual processes effectively.
Why are Processes Grouped in Linux? Copy link
Linux employs a hierarchical structure to organize processes. This structure resembles a family tree, where the initial process, init (or systemd), acts as the parent or ancestor.
All other processes descend from this initial process, forming a parent-child relationship. This hierarchy facilitates efficient process management and resource allocation.
The ps Command Copy link
The ps (process status) command provides a static snapshot of active processes at the moment of execution. Unlike dynamic tools such as top or htop, which update in real-time, ps is ideal for scripting, logging, or analyzing processes at a specific point in time.
The ps aux syntax merges three key options:
a: Displays processes from all users, not just the current user.u: Formats output with user-oriented details like CPU and memory usage.x: Includes processes without an attached terminal, such as daemons and background services.
This combination offers unparalleled visibility into system activity, making it a go-to tool for troubleshooting and analysis.
Decoding the ps aux Output Copy link
Executing ps aux generates a table with 11 columns, each providing critical insights into process behavior. Below is a detailed explanation of these columns:

USER Copy link
This column identifies the process owner. Entries range from standard users to system accounts like root, mysql, or www-data. Monitoring this field helps detect unauthorized processes or identify which users consume excessive resources.
PID Copy link
The Process ID (PID) is a unique numerical identifier assigned to each task. Administrators use PIDs to manage processes—for example, terminating a misbehaving application with kill [PID] or adjusting its priority using renice.
%CPU and %MEM Copy link
These columns display the percentage of CPU and RAM resources consumed by the process. Values above 50% in either column often indicate performance bottlenecks. For instance, a database process consuming 80% CPU might signal inefficient queries or insufficient hardware capacity.
VSZ and RSS Copy link
VSZ (Virtual Memory Size) denotes the total virtual memory allocated to the process, including memory swapped to disk.
On the other hand, RSS (Resident Set Size) represents the physical memory actively used by the process.
A process with a high VSZ but low RSS might reserve memory without actively utilizing it, which is common in applications that preallocate resources.
TTY Copy link
This field shows the terminal associated with the process. A ? indicates no terminal linkage, which is typical for background services like cron or systemd-managed tasks.
STAT Copy link
The STAT column reveals process states through a primary character + optional attributes:
-
Primary States:
-
- R: Running or ready to execute.
- S: Sleeping, waiting for an event or signal.
- I: Idle kernel thread
- D: Uninterruptible sleep (usually tied to I/O operations).
- Z: Zombie—a terminated process awaiting removal by its parent.
-
Key Attributes:
-
- s: Session leader
- N: Low priority
- <: High priority
For example, a STAT value of Ss denotes a sleeping session leader, while l< indicates an idle kernel thread with high priority.
START and TIME Copy link
START indicates the time or date the process began. Useful for identifying long-running tasks.
TIME represents the cumulative CPU time consumed since launch. A process running for days with minimal TIME is likely idle.
COMMAND Copy link
This column displays the command or application that initiated the process. It helps identify the purpose of a task—for example, /usr/bin/python3 for a Python script or /usr/sbin/nginx for an Nginx web server.
Advanced Process Filtering Techniques Copy link
While ps aux provides a wealth of data, its output can be overwhelming on busy systems. Below are methods to refine and analyze results effectively.
Isolating Specific Processes Copy link
To focus on a particular service—such as SSH—pipe the output to grep:
ps aux | grep sshdExample output:
root 579 0.0 0.5 15436 5512 ? Ss 2024 9:35 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root 2090997 0.0 0.8 17456 8788 ? Ss 11:26 0:00 sshd: root@pts/0
root 2092718 0.0 0.1 4024 1960 pts/0 S+ 12:19 0:00 grep --color=auto sshd
This filters lines containing sshd, revealing all SSH-related processes. To exclude the grep command itself from results, use a regular expression:
ps aux | grep "[s]shd" Example output:
root 579 0.0 0.5 15436 5512 ? Ss 2024 9:35 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root 2090997 0.0 0.8 17456 8788 ? Ss 11:26 0:00 sshd: root@pts/0
Sorting by Resource Consumption Copy link
Identify CPU-intensive processes by sorting the output in descending order:
ps aux --sort=-%cpu | head -n 10Example output:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
mysql 1734280 0.4 36.4 1325172 357284 ? Ssl Jan30 87:39 /usr/sbin/mysqld
redis 1424968 0.3 0.6 136648 6240 ? Ssl Jan18 112:25 /usr/bin/redis-server 127.0.0.1:6379
root 1 0.0 0.6 165832 6824 ? Ss 2024 5:51 /lib/systemd/systemd --system --deserialize 45
root 2 0.0 0.0 0 0 ? S 2024 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? I< 2024 0:00 [rcu_gp]
root 4 0.0 0.0 0 0 ? I< 2024 0:00 [rcu_par_gp]
root 5 0.0 0.0 0 0 ? I< 2024 0:00 [slub_flushwq]
root 6 0.0 0.0 0 0 ? I< 2024 0:00 [netns]
root 8 0.0 0.0 0 0 ? I< 2024 0:00 [kworker/0:0H-events_highpri]
Similarly, you can sort by memory usage to detect potential leaks:
ps aux --sort=-%mem | head -n 10Example output:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
mysql 1734280 0.4 36.4 1325172 357284 ? Ssl Jan30 87:39 /usr/sbin/mysqld
root 330 0.0 4.4 269016 43900 ? S<s 2024 22:43 /lib/systemd/systemd-journald
root 368 0.0 2.7 289316 27100 ? SLsl 2024 8:19 /sbin/multipathd -d -s
root 1548462 0.0 2.5 1914688 25488 ? Ssl Jan23 2:08 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
root 1317247 0.0 1.8 1801036 17760 ? Ssl Jan14 22:24 /usr/bin/containerd
root 556 0.0 1.2 30104 11956 ? Ss 2024 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root 635 0.0 1.1 107224 11092 ? Ssl 2024 0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
root 2090997 0.0 0.8 17456 8788 ? Ss 11:26 0:00 sshd: root@pts/0
root 2091033 0.0 0.8 9936 8480 pts/0 Ss 11:26 0:00 bash --rcfile /dev/fd/63
Real-Time Monitoring Copy link
Combine ps aux with the watch command to refresh output every 2 seconds:
watch -n 2 "ps aux --sort=-%cpu"This provides a dynamic view of CPU usage trends.
Zombie Process Detection Copy link
Zombie processes, though largely harmless, clutter the process list. Locate them with:
ps aux | grep 'Z'Persistent zombies often indicate issues with parent processes failing to clean up child tasks.
Practical Use Cases Copy link
Now, let’s explore some common use cases of the ps aux command in Linux:
Diagnosing High CPU Usage Copy link
Follow the below steps:
- Execute this command to list processes by CPU consumption.
ps aux --sort=-%cpu- Identify the culprit—for example, a malfunctioning script using 95% CPU.
- If unresponsive, terminate the process gracefully with:
kill [PID]Or forcibly with:
kill -9 [PID]Detecting Memory Leaks Copy link
Simply do the following:
-
Sort processes by memory usage:
ps aux --sort=-%mem- Investigate tasks with abnormally high
%MEMvalues. - Restart the offending service or escalate to developers for code optimization.
Auditing User Activity Copy link
List all processes owned by a specific user (e.g., Jenkins):
ps aux | grep ^jenkinsThis helps enforce resource quotas or investigate suspicious activity.
Best Practices for Process Management Copy link
Let’s now take a quick look at some best practices to keep in mind when managing Linux processes:
-
Graceful Termination: Prefer
kill [PID]overkill -9to allow processes to clean up resources. -
Log Snapshots: Periodically save process lists for audits:
ps aux > /var/log/process_audit_$(date +%F).log-
Contextual Analysis: A high
%CPUvalue might be normal for a video encoder but alarming for a text editor. Hence, it’s essential to consider the context when making an analysis.
Common Pitfalls to Avoid Copy link
Here are some pitfalls to look out for when using ps aux in Linux:
- Misinterpreting VSZ: High virtual memory usage doesn’t always indicate a problem—it includes swapped-out data.
- Overlooking Zombies: While mostly benign, recurring zombies warrant investigating parent processes.
- Terminating Critical Services: Always verify the
COMMANDfield before using kill to avoid disrupting essential services.
Conclusion Copy link
The ps aux command is a cornerstone of Linux system administration, offering deep insights into process behavior and resource utilization. You can diagnose performance issues, optimize resource allocation, and maintain system stability by mastering its output interpretation, filtering techniques, and real-world applications.
For further exploration, consult the ps manual (man ps) or integrate process monitoring into automated scripts for proactive system management.
Frequently Asked Questions (FAQ) Copy link
What is the ps aux command in Linux? Copy link
It is the most common command to view a snapshot of all running processes on the system. The flags break down as follows:
-
a: Shows processes for all users, not just the current user.
-
u: Displays the process's user/owner and provides detailed resource usage (CPU, RAM).
-
x: Shows processes not attached to a terminal (background daemons).
Why do we use the ps command in Linux? Copy link
We use it to monitor system health and troubleshoot performance. It helps you identify which applications are consuming the most CPU or Memory, find the Process ID (PID) needed to stop a frozen program, and verify if background services are running correctly.
How do you use the ps aux command to find zombie processes? Copy link
Zombie processes (defunct) appear with a Z in the STAT column. You can filter for them specifically by running: ps aux | grep 'Z' Alternatively, to get a cleaner list excluding the grep command itself:
ps aux | awk '$8=="Z" {print $0}'
How do I sort the output by Memory or CPU usage? Copy link
By default, ps aux does not sort by usage. You can use the --sort option:
-
Sort by Memory:
ps aux --sort=-%mem -
Sort by CPU:
ps aux --sort=-%cpu(The minus sign sorts in descending order).
What do the VSZ and RSS columns mean?
-
VSZ (Virtual Memory Size): The total virtual memory available to the process (including swap and shared libraries).
-
RSS (Resident Set Size): The actual physical RAM the process is currently using. RSS is usually the more important number for checking memory usage.
How do I kill a process I found using ps aux? Copy link
First, locate the PID (Process ID) in the second column of the output. Then run: sudo kill [PID] If the process refuses to close, you can force kill it with sudo kill -9 [PID].