How to see when a process was started
When a process is started, the kernel records details about it, such as the start time, command parameters, and environment variables. We can use this information during an investigation or to learn more about a particular process.
Start time of a process
One way to find out when a particular process was started is to use the ps command together with the process ID (PID). The PID is shown when running ps with common options like -ef. Another way to find the PID is with the pidof or pgrep commands.
When we have the PID, we can query the start time.
# ps -o cmd,lstart -p 1
CMD STARTED
/sbin/init Wed May 8 23:56:05 2024
Start time of a systemd unit or service
If the system is using systemd as its service manager, then we can ask systemctl to provide these details. The show subcommand combined with a specific property ‘ExecMainStartTimestamp’ will reveal the date and time that the process was started.
# systemctl show --property ExecMainStartTimestamp --value ssh.service
Wed 2024-05-08 23:56:26 UTC
How long ago was a process started?
For shell scripting purposes it can be useful to know how long ago a process was started, expressed as the elapsed time in seconds. To get this number, we can use the 'etimes' column.
# ps -o etimes= -p 1
1159170
The number increases each time you repeat the command.
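As an added example (not part of the original article), the etimes column can also be used to list every process started within a recent time window, newest first, which helps when reviewing what began running around a given moment. The function name started_within, the sample process list and the reference timestamp are constructed for illustration.

```sh
# Added example, not from the original article.
# started_within SECONDS [NOW_EPOCH]
#   Reads "PID ETIMES COMMAND..." lines on stdin, as produced by
#       ps -eo pid=,etimes=,args=
#   and prints "PID START_EPOCH AGE_SECONDS COMMAND" for each process that
#   started within the last SECONDS seconds, newest first.
#   NOW_EPOCH defaults to the current time; pass it explicitly when working
#   from saved ps output so the start times stay correct.
started_within() {
    window=$1
    now=${2:-$(date +%s)}
    # Both arguments must be non-negative integers.
    case "$window$now" in
        ''|*[!0-9]*)
            echo "usage: started_within SECONDS [NOW_EPOCH]" >&2
            return 2 ;;
    esac
    [ -n "$window" ] || return 2
    awk -v window="$window" -v now="$now" '
        # Skip blank or malformed lines: PID and ETIMES must be numeric.
        $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ { next }
        $2 + 0 <= window + 0 {
            # The command is everything after the first two fields;
            # keep its internal spacing intact.
            cmd = $0
            sub(/^[ \t]*[0-9]+[ \t]+[0-9]+[ \t]*/, "", cmd)
            # Start time = reference time minus elapsed seconds.
            printf "%d %d %d %s\n", $1, now - $2, $2, cmd
        }
    ' | sort -k3,3n
}

# Constructed sample in the format of `ps -eo pid=,etimes=,args=`.
# Only the PID 1 elapsed time is taken from the article; the rest is made up.
sample_ps_output() {
    cat <<'EOF'
    1 1159170 /sbin/init
  812 1159149 sshd: /usr/sbin/sshd -D
 4242      95 /bin/sh /tmp/job.sh --verbose
 4310       7 sleep 600
EOF
}

# Live use: ps -eo pid=,etimes=,args= | started_within 3600
```

START_EPOCH is seconds since the Unix epoch; with GNU date it can be rendered as a timestamp using date -u -d @START_EPOCH.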
Got other useful commands to query when a process was started?