How to Find and Kill a Zombie Process on Linux

In movies and novels, a zombie is a creature that was once human, died, and was somehow woken up again by a virus or some other cause. It is already dead, yet it still walks and moves. In the same way, a zombie process in Linux is a process that has been removed from the system as “defunct” but somehow still remains in system memory. Every child process turns into a zombie first, until it is eliminated from the process table.

Another name for it is a process in the terminated state. It is cleaned from memory by its parent process. In Linux, whenever a process is removed from memory, its parent process is informed about the removal, and the process stays in memory until its parent has been notified. When the parent process is not notified of the change, the child process becomes a zombie process, because it never gets the termination signal that would let it leave memory.

This means that the dead process is not removed from memory immediately; it remains in system memory and so becomes a zombie process. To remove a zombie process, the parent process calls the wait() function. Once wait() is called, the zombie process is completely removed from the system.

Killing a Zombie Process

Before killing a zombie process, we will first discuss the risks of zombie processes and what causes them. We will also learn more about zombie processes so that the killing procedure is easier to understand.

What is the Cause of the Zombie Process

There are two major causes of a zombie process. In the first, the parent process is unable to call the wait() function while the child process is running, which leads to SIGCHLD being ignored. In the second, another application affects the execution of the parent process, because of bad coding or malicious content in it.

In other words, a zombie process is caused when the parent process ignores the child's state changes or cannot check the child's state: when the child process ends, its PCB (process control block) is not cleared.

Does the Zombie Process Pose a Risk

A zombie process does not pose any risk by itself; it only uses a small part of system memory. The process table is small, but the ID of the table entry where the zombie process is stored cannot be used until the zombie releases it. If a lot of zombie processes are holding entries and no space is left for other processes, it becomes difficult for other processes to run.

Finding a Zombie Process

Before killing zombie processes, it is necessary to find them. To find zombie processes, run the following command in the terminal:

linux@linux-VirtualBox:~$ ps aux | egrep "Z|defunct"

In the command above, “ps” stands for process state; it is used to view the state of the processes running in the system. We passed the flags aux, in which “a” indicates the details of all processes associated with a terminal, “u” indicates the processes that are in the user list, and “x” indicates the processes that are not executed from a terminal. In combination, they print all of the running processes that are stored in memory.

The second command, “egrep”, is a processing tool that searches its input for expressions or patterns. Lastly, we passed the “Z|defunct” pattern, which denotes the zombie processes to be found. When we execute the command, we get the following output, which shows the zombie processes in the system along with their “PID”. Note that the pattern also matches the command line of the grep process itself, so that line appears in the output as well; a zombie is identified by a “Z” in the STAT column and “<defunct>” after its command name.

Output:

USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
linux      33819  0.0  0.0  18008   724 pts/0    S+   20:22   0:00 grep -E --color=auto Z|defunct

Zombie processes are already dead, but because the parent process is unable to read their status, they cannot be released from memory. A dead process cannot be killed. All we can do is enable the parent process to read the child's state so that the child can be removed from the process table. For this, we first run the command below.

linux@linux-VirtualBox:~$ ps -o ppid= -p 33819

In the above command, we get the parent ID of the zombie process. After getting the parent ID, we run the following command, which sends SIGCHLD to the parent process so that it reads the child's state and the zombie is removed:

linux@linux-VirtualBox:~$ kill -s SIGCHLD Parent_PID

In the command above, we send the signal to the parent ID so that the parent removes its zombie process. After the command is executed, the shell simply moves to the next line without printing any output on the terminal in case no parent id exists. Note that SIGCHLD helps only if the parent handles the signal by calling wait(); a parent that ignores it leaves the zombie in place. To check whether the zombie process has been removed, run the command that we already used to find zombie processes.

Another way to kill the zombie process is to kill the parent process itself. This is the more efficient way to kill the zombie process because it completely removes the whole process and won’t allow the zombie to arise again. For that, we run the command shown below:

linux@linux-VirtualBox:~$ kill -9 Parent_PID

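After running the above command, the system kills the parent process. The zombie is then adopted by the init process (PID 1) or a designated subreaper, which calls wait() and removes it from the process table. Because signal 9 (SIGKILL) cannot be caught, the parent gets no chance to shut down cleanly, so check what the parent is before killing it.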
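
The search step above matches whole lines, which is why the grep process shows up in its own output. The following added example (not part of the original article) filters on the STAT column instead and groups zombies by parent PID, so the process that is failing to call wait() stands out. The function names and the sample process listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Reads the text produced by
#   ps -eo pid,ppid,stat,args
# on stdin and reports zombies by looking at the STAT column only.

# list_zombies: print "<pid> <ppid> <command>" for every process whose STAT
# starts with Z. Matching on field 3 instead of grepping whole lines means a
# command line that merely contains "Z" or "defunct" is not reported.
list_zombies() {
    awk 'NR > 1 && $3 ~ /^Z/ { print $1, $2, $4 }'
}

# zombie_parents: print "<ppid> <zombie count>", busiest parent first.
# These are the PIDs that would receive SIGCHLD in the step above.
zombie_parents() {
    list_zombies |
        awk '{ n[$2]++ } END { for (p in n) print p, n[p] }' |
        sort -k2,2nr -k1,1n
}

# Constructed sample input; every PID and command name here is made up,
# except the grep line, which mirrors the article's own output.
sample_ps() {
    cat <<'EOF'
  PID  PPID STAT COMMAND
    1     0 Ss   /sbin/init
 2001     1 Ss   /usr/local/bin/jobd
 2105  2001 Z    [job] <defunct>
 2106  2001 Z    [job] <defunct>
 3300     1 S    /usr/local/bin/Zipper --serve
 3310  3300 Z+   [zip] <defunct>
33819 33001 S+   grep -E --color=auto Z|defunct
EOF
}

echo "zombies (pid ppid command):"
sample_ps | list_zombies
echo "parents holding zombies (ppid count):"
sample_ps | zombie_parents
```

On a live system, replace the sample with real data: `ps -eo pid,ppid,stat,args | zombie_parents`.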

Conclusion

We have briefly discussed the zombie process, its causes, and the procedure to kill it. Before moving on to the killing procedure, we explained why zombie processes occur and how to identify them using simple commands.

About the author

Kalsoom Bibi

Hello, I am a freelance writer and usually write for Linux and other technology related content