A system administrator is troubleshooting a running application with PID 4815. To ensure the application has not been tampered with or replaced by a malicious binary on the filesystem, the administrator needs to identify the absolute path of the original executable file that the kernel loaded for this process. Which of the following pseudo-files within the /proc directory should the administrator inspect?
The correct answer is /proc/4815/exe. This is a symbolic link that points to the actual pathname of the executed command. By resolving this link, an administrator can find the full path to the executable file associated with the process, even if the file has been deleted or replaced on disk after being loaded into memory.
/proc/4815/cmdline is incorrect because it contains the full command line used to invoke the process, including arguments, with null characters separating each item. While it often starts with the command name, it may not be an absolute path and can be manipulated by the process itself.
/proc/4815/status is incorrect. This file provides human-readable information about the process's state, memory usage, UID, GID, and other metadata, but it does not contain the full path to the executable.
/proc/4815/cwd is also incorrect. This is a symbolic link that points to the current working directory of the process, not to the executable file itself.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the purpose of `/proc/4815/exe`?
Open an interactive chat with Bash
How is `/proc/4815/cmdline` different from `/proc/4815/exe`?
Open an interactive chat with Bash
What role does `/proc/4815/status` play in process monitoring?
Open an interactive chat with Bash
CompTIA Linux+ XK0-006 (V8)
Services and User Management
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
IT & Cybersecurity Package Join Premium for Full Access