Identifying kernel threads

Question

I\'d like to know how I can distinguish a kernel-thread from a user-thread for a process-scanner I\'m building. I\'m having a hard time finding a good definition of both typ

Answer 1

You can read thread flags value from /proc/[pid]/stat (see proc(5) manpage) and check if it has PF_KTHREAD bit flag set.

PF_KTHREAD constant itself has been available since 2.6.17, which is roughly for 10 years, and it's value hasn't changed since then:

#define PF_KTHREAD      0x00200000  /* I am a kernel thread */

Even through the header file containing this constant (include/linux/sched.h) is not exported to userspace, having a copy of this definition in your source code combined with kernel version check done from userspace at runtime (e.g. using uname(2) system call) should be pretty robust.