Identify which processes belong to a logged-in user and follow his session from TTY to process tree. 21.01.2026 | reading time: 3 min Want to know exactly what a logged-in user is running? This short guide shows how to map a session from login to TTY and to process tree using common, reliable command-line tools. Live example Here is a concrete run that shows how to find a session for user frank and list his processes. ``` $ who frank pts/0 2026-01-21 09:15 (192.0.2.10) $ loginctl list-sessions SESSION UID USER SEAT TTY 2 1001 frank pts/0 $ loginctl session-status 2 2 - frank (1001) Since: Thu 2026-01-21 09:15:00 CGroup: user-1001.slice ├─2345 -bash ├─2399 vim /home/frank/todo.txt └─2410 ssh otherhost $ ps -u frank -o pid,ppid,tty,etime,cmd PID PPID TT ELAPSED CMD 2345 2321 pts/0 00:42:10 -bash 2399 2345 pts/0 00:05:12 vim /home/frank/todo.txt 2410 2345 pts/0 00:00:03 ssh otherhost ``` Narrow by TTY or owner Target the session quickly by TTY or by uid; short commands give focused lists so you can act fast. ``` $ ps -t pts/0 -o pid,ppid,user,etime,cmd PID PPID USER ELAPSED CMD 2345 2321 frank 00:42:10 -bash 2399 2345 frank 00:05:12 vim /home/frank/todo.txt $ pgrep -u frank -l 2345 bash 2399 vim 2410 ssh ``` Deeper inspection Once you have PIDs, inspect open files, sockets or activity to troubleshoot or confirm behavior; use `lsof` to see resources and `strace` to watch syscalls (needs sudo). ``` $ sudo lsof -u frank | head -n 8 bash 2345 frank cwd DIR 253,0 4096 /home/frank vim 2399 frank txt REG 253,0 123456 /usr/bin/vim $ sudo strace -p 2410 -s 80 -o /tmp/ssh-strace.log & ``` When systemd manages sessions Systemd exposes session metadata and cgroups: `loginctl` shows which unit and cgroup belong to the user, and `systemctl --user` reveals per-user services; combine those with `ps` or `pgrep` to trace background daemons started in the session. Other relevant angles Remember network shells, screen/tmux and sudo: a process owner might differ from the login user, and processes can be detached into different sessions; always check TTY, cgroup and parent PID to understand who started what. Wrap-up and next steps You can map a session from the login record to running processes in minutes, and then deep-dive with `lsof` or `strace` when needed; practice these steps on your lab machine and expand into auditing and containment workflows to level up your troubleshooting skills. Consider pursuing structured certificates like CompTIA Linux+ or LPIC-1 and intensive exam preparation at bitsandbytes.academy to formalize this knowledge. Join Bits & Bytes Academy First class LINUX exam preparation. processes utilities troubleshooting security
