osquery-1/specs/processes.table

table_name("processes")
description("All running processes on the host system.")
schema([
    Column("pid", INTEGER, "Process (or thread) ID", index=True),
    Column("name", TEXT, "The process path or shorthand argv[0]"),
    Column("path", TEXT, "Path to executed binary"),
    Column("cmdline", TEXT, "Complete argv"),
    Column("cwd", TEXT, "Process current working directory"),
    Column("root", TEXT, "Process virtual root directory"),
    Column("uid", BIGINT, "Unsigned user ID"),
    Column("gid", BIGINT, "Unsgiend groud ID"),
    Column("euid", BIGINT, "Unsigned effective user ID"),
    Column("egid", BIGINT, "Unsigned effective group ID"),
    Column("on_disk", TEXT, "The process path exists yes=1, no=0, unknown=-1"),
    Column("wired_size", TEXT, "Bytes of unpagable memory used by process"),
    Column("resident_size", TEXT, "Bytes of private memory used by process"),
    Column("phys_footprint", TEXT, "Bytes of total physical memory used"),
    Column("user_time", TEXT, "CPU time spent in user space"),
    Column("system_time", TEXT, "CPU time spent in kernel space"),
    Column("start_time", TEXT, "Unix timestamp of process start"),
    Column("parent", INTEGER, "Process parent's PID"),
])
implementation("system/processes@genProcesses")
examples([
  "select * from processes where pid = 1",
])