The “Why Is This Running?” Rabbit Hole — Every Tool The Pros Use To See What’s REALLY Happening On Your Machine
One question changed everything: “What if I could ask my computer WHY something is running — not just WHAT?”
The Full Excavation — 40+ Tools Across Every Platform, Ranked By Rarity
Someone dropped `witr` (Why Is This Running) in conversation. We went digging. Five tiers deep. Found tools security researchers gatekeep. Tools that don’t show up on page 1. Tools where you ask “where tf did you find this?”
Why this matters to YOU:
- Malware hides as “svchost.exe” or “system” — these tools expose the family tree
- Your slow computer? Something’s eating resources. Find it in seconds.
- Pentesters, CTF players, sysadmins — this is your cheat sheet
What you’re getting:
- Every platform covered (Linux, Windows, macOS, Android)
- TIER rankings (S/A/B) — skip the mid tools
- “Why It’s a Gem” breakdown for each
- Comparison matrix so you pick the right one
- Strategic recommendations from actual usage
- Project ideas nobody’s built yet (free alpha)
LINUX
TIER S — The Hidden Gems
⭐ witr (Why Is This Running) — THE GOLD STANDARD
Link: https://github.com/pranshuparmar/witr
What it does: Give it a PID, port, or process name — get a human-readable explanation of the ENTIRE causal chain.
Why it’s a gem:
- Instead of seeing `node` you see: `systemd → pm2 → node (running /home/you/app)`
- Shows git repo, working directory, warnings
- Synthesizes information into actual sentences — no other tool does this
- Works on Linux + basic macOS support
The magic: Every other tool gives you RAW DATA. witr gives you an EXPLANATION.
Example output:
```text
Process: node (PID 12847)
Started by: pm2 (process manager)
Which was started by: systemd (system service)
Working directory: /home/user/myproject
Git repo: https://github.com/user/myproject
```
No other tool talks to you like this.
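The causal chain witr describes is the PPid link in /proc, followed upward until PID 1 and then phrased as a sentence. Here is that idea as an added Python example (not witr’s own code): `FAKE_PROC` is a constructed /proc snapshot so it runs anywhere, `read_live_proc` reads the real /proc on Linux, and the two warning heuristics (executable in a temp directory, shell in the chain) are this example’s assumptions, not witr’s rule set.

```python
"""Walk /proc parent links into a witr-style explanation (added example, not witr's code).
FAKE_PROC is a constructed /proc snapshot; pass read_live_proc on Linux for the real thing."""
import os
from typing import Any, Callable, Dict, List, NamedTuple, Optional

class ProcInfo(NamedTuple):
    pid: int
    ppid: int
    name: str
    cmdline: List[str]
    cwd: str

def parse_status(text: str) -> Dict[str, str]:
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def parse_cmdline(raw: bytes) -> List[str]:
    """/proc/<pid>/cmdline is argv joined with NUL bytes and NUL-terminated."""
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\0") if arg]

# Constructed snapshot (not captured from a real machine): raw file contents per PID.
FAKE_PROC: Dict[int, Dict[str, Any]] = {
    1: {"status": "Name:\tsystemd\nPid:\t1\nPPid:\t0\n", "cmdline": b"/sbin/init\0splash\0", "cwd": "/"},
    1204: {"status": "Name:\tpm2\nPid:\t1204\nPPid:\t1\n", "cmdline": b"PM2 v5.3.0: God Daemon (/home/you/.pm2)\0", "cwd": "/home/you"},
    12847: {"status": "Name:\tnode\nPid:\t12847\nPPid:\t1204\n", "cmdline": b"node\0/home/you/app/server.js\0", "cwd": "/home/you/app"},
    2311: {"status": "Name:\tbash\nPid:\t2311\nPPid:\t1\n", "cmdline": b"-bash\0", "cwd": "/home/you"},
    2398: {"status": "Name:\tupdater\nPid:\t2398\nPPid:\t2311\n", "cmdline": b"/tmp/.cache/updater\0--daemon\0", "cwd": "/tmp"},
}

def read_fake_proc(pid: int) -> Optional[ProcInfo]:
    entry = FAKE_PROC.get(pid)
    if entry is None:
        return None
    st = parse_status(entry["status"])
    return ProcInfo(pid, int(st["PPid"]), st["Name"], parse_cmdline(entry["cmdline"]), entry["cwd"])

def read_live_proc(pid: int) -> Optional[ProcInfo]:
    """The same fields from the real /proc (Linux only)."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/status") as f:
            st = parse_status(f.read())
        with open(f"{base}/cmdline", "rb") as f:
            argv = parse_cmdline(f.read())
        cwd = os.readlink(f"{base}/cwd")  # other users' processes need root here
    except OSError:
        return None
    return ProcInfo(pid, int(st["PPid"]), st["Name"], argv, cwd)

def ancestry(pid: int, reader: Callable[[int], Optional[ProcInfo]] = read_fake_proc) -> List[ProcInfo]:
    """Follow PPid links upward; result is root first, requested PID last."""
    chain: List[ProcInfo] = []
    seen = set()
    while pid > 0 and pid not in seen:  # PID 1 reports PPid 0, which ends the walk
        info = reader(pid)
        if info is None:
            break
        seen.add(pid)
        chain.append(info)
        pid = info.ppid
    chain.reverse()
    return chain

# Two example heuristics (assumptions of this example, not witr's rule set).
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SHELLS = {"bash", "sh", "zsh", "dash", "fish"}

def warnings(chain: List[ProcInfo]) -> List[str]:
    notes = []
    target = chain[-1]
    exe = target.cmdline[0] if target.cmdline else ""
    if exe.startswith(TEMP_DIRS):
        notes.append(f"executable runs from a world-writable temp directory: {exe}")
    if any(p.name in SHELLS for p in chain[:-1]):
        notes.append("started from an interactive shell, not a service manager")
    return notes

def explain(pid: int, reader: Callable[[int], Optional[ProcInfo]] = read_fake_proc) -> str:
    chain = ancestry(pid, reader)
    if not chain:
        return f"PID {pid}: not found"
    target = chain[-1]
    lines = [" → ".join(p.name for p in chain) + f" (running {' '.join(target.cmdline)})",
             f"Working directory: {target.cwd}"]
    lines += ["Warning: " + w for w in warnings(chain)]
    return "\n".join(lines)

if __name__ == "__main__":
    print(explain(12847))
    print(explain(2398, read_fake_proc))
```

`explain(12847)` renders `systemd → pm2 → node (running node /home/you/app/server.js)`; `explain(2398)` adds both warnings because the chain is systemd → bash → updater and the binary sits under /tmp. On a live box call `explain(os.getpid(), read_live_proc)`.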
⭐ tracexec — The Power User's Weapon
Link: https://github.com/kxxt/tracexec
What it does: Traces every execve syscall (program launch) with a beautiful TUI.
Why it’s a gem:
- Written in Rust — fast af, single binary
- TUI mode — watch exec events + interact with pseudo-terminal
- eBPF mode (kernel 5.17+) — ultra-low overhead
- ptrace fallback — works on older kernels, handles setuid binaries
- Shows environment variable diffs between parent/child
- Shows file descriptor changes
- Can launch a debugger (gdb) attached to spawned processes mid-execution
- Built by a practitioner debugging build systems
Use case: Trace what a shell script ACTUALLY executes. Attach debugger to subprocess in complex pipeline.
Installation:
```bash
cargo install tracexec
# OR download binary from releases
```
⭐ extrace — Minimalist Perfection
Link: https://github.com/leahneukirchen/extrace
What it does: Traces ALL exec() calls system-wide using Netlink connector.
Why it’s a gem:
- Written by Void Linux maintainer (leahneukirchen) — practitioner credibility
- Hierarchy indentation shows parent-child relationships visually
- Pure C, minimal dependencies
- Options: `-d` (cwd), `-e` (env), `-t` (exit status + duration), `-u` (user), `-l` (full path)
- Can trace descendants of specific PID only
Example:
```bash
sudo extrace -d -t
# Shows every exec with working directory and how long it ran
```
Requires: CAP_NET_ADMIN or root
⭐ pspy — NO ROOT REQUIRED
Link: https://github.com/DominicBreuker/pspy
What it does: Monitors processes WITHOUT root access using inotify + procfs scanning.
Why it’s a gem:
- CTF and pentest favorite — works when you can’t get root
- Catches short-lived processes that `ps` misses
- Shows commands run by OTHER USERS
- Catches cron jobs and scheduled tasks
- Single binary — just download and run
Flags: `-p` print commands, `-f` filesystem events, `-i` scan interval
Binary releases: pspy32, pspy64 — no compilation needed
Use case: You’re on a box with limited privs. What’s running? Who’s running it? pspy knows.
⭐ execsnoop (BCC/bpftrace) — Brendan Gregg's Classic
Link: https://github.com/iovisor/bcc (execsnoop.py) | https://github.com/bpftrace/bpftrace (execsnoop.bt)
What it does: eBPF-powered tracing of execve() syscall.
Why it’s a gem:
- Created by Brendan Gregg — the observability god
- <1% overhead — safe for production
- Part of `bcc-tools` package
- Shows PID, PPID, return value, full command + args
- Can filter by process name or failed execs
Installation:
```bash
apt install bpfcc-tools # Debian/Ubuntu
# Then run:
execsnoop-bpfcc
```
TIER A — Solid Complements
🔧 forkstat
What it does: Netlink-based tracker for fork/exec/exit/clone/comm/uid/sid events.
Why it’s useful:
- Shows parent PID → child PID with process names
- Logs process duration on exit
- Maintained by Colin Ian King (Ubuntu kernel team)
Installation:
```bash
apt install forkstat # Debian/Ubuntu
yum install forkstat # RHEL/CentOS
```
Requires: root or CAP_NET_ADMIN
🔧 strace-process-tree
Link: https://github.com/mgedmin/strace-process-tree
What it does: Reads strace -f output and produces a visual process tree.
Why it’s useful:
- Post-mortem analysis — run strace, analyze later
- Beautiful ASCII tree output showing fork/exec relationships
- Pipe-friendly
Usage:
```bash
strace -f -e trace=process -s 1024 -o /tmp/trace.out make build
strace-process-tree /tmp/trace.out
```
Output example:
```text
25510 make binary-package
├─25511 /bin/sh -c 'dpkg-parsechangelog...'
│ ├─25512 dpkg-parsechangelog
│ │ └─25514 tail -n 40 debian/changelog
│ └─25513 awk '$1 == "Source:" { print $2 }'
```
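What strace-process-tree does under the hood, as an added Python example (not the project’s code): parse the PID-prefixed lines of an `strace -f -e trace=process -o` file, link each `clone`/`clone3`/`fork` return value to the calling PID, take the last `execve` as each PID’s command, and draw the tree. `SAMPLE` is a constructed trace, not a real capture; it deliberately includes the `<unfinished ...>` / `<... resumed>` split that `-f` produces when PIDs interleave, plus a non-zero exit and a signal death so both show up in the tree.

```python
"""Minimal strace -f process-tree parser (added example, not strace-process-tree's code)."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed trace, not a real capture. Shapes covered: clone() returning the child
# PID, clone3() as newer glibc emits, a call split across "<unfinished ...>" and
# "<... clone resumed>", execve replacing each child's image, and the +++ markers.
SAMPLE = """\
25510 execve("/usr/bin/make", ["make", "binary-package"], 0x7ffc0de0 /* 30 vars */) = 0
25510 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f3a) = 25511
25511 execve("/bin/sh", ["/bin/sh", "-c", "dpkg-parsechangelog | awk ..."], 0x55a1 /* 30 vars */) = 0
25511 clone3({flags=CLONE_VM|CLONE_VFORK, exit_signal=SIGCHLD, stack=0x7f00, stack_size=0x9000}, 88) = 25512
25511 clone( <unfinished ...>
25512 execve("/usr/bin/dpkg-parsechangelog", ["dpkg-parsechangelog"], 0x55a2 /* 30 vars */) = 0
25511 <... clone resumed>) = 25513
25513 execve("/usr/bin/awk", ["awk", "$1 == \\"Source:\\" { print $2 }"], 0x55a3 /* 30 vars */) = 0
25512 clone(child_stack=NULL, flags=SIGCHLD) = 25514
25514 execve("/usr/bin/tail", ["tail", "-n", "40", "debian/changelog"], 0x55a4 /* 30 vars */) = 0
25514 +++ exited with 0 +++
25512 +++ exited with 0 +++
25513 +++ exited with 1 +++
25511 +++ exited with 1 +++
25510 +++ killed by SIGTERM +++
"""

SPAWN_RE = re.compile(r"^(?P<pid>\d+) (?:<\.\.\. )?(?:clone3?|v?fork)(?: resumed>)?.*= (?P<child>\d+)$")
EXEC_RE = re.compile(r'^(?P<pid>\d+) execve\("[^"]*", \[(?P<argv>.*)\], .*\) = 0$')
EXIT_RE = re.compile(r"^(?P<pid>\d+) \+\+\+ (?:exited with (?P<code>\d+)|killed by (?P<sig>\w+)).*\+\+\+$")
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one quoted argv element, honouring \" escapes

class Trace:
    def __init__(self) -> None:
        self.parent: Dict[int, int] = {}  # child pid -> parent pid
        self.cmd: Dict[int, str] = {}     # pid -> last execve'd command line
        self.ended: Dict[int, str] = {}   # pid -> "exit N" or signal name
        self.order: List[int] = []        # pids in order of first appearance

    def note(self, pid: int) -> None:
        if pid not in self.order:
            self.order.append(pid)

def parse_strace(text: str) -> Trace:
    t = Trace()
    for line in text.splitlines():
        if m := SPAWN_RE.match(line):
            pid, child = int(m["pid"]), int(m["child"])
            t.parent[child] = pid
            t.note(pid)
            t.note(child)
        elif m := EXEC_RE.match(line):
            pid = int(m["pid"])
            argv = [a.replace('\\"', '"') for a in ARG_RE.findall(m["argv"])]
            t.cmd[pid] = " ".join(argv)
            t.note(pid)
        elif m := EXIT_RE.match(line):
            t.ended[int(m["pid"])] = f"exit {m['code']}" if m["code"] is not None else m["sig"]
    return t

def render(t: Trace) -> str:
    children: Dict[int, List[int]] = defaultdict(list)
    for child, pid in t.parent.items():
        children[pid].append(child)
    roots = [p for p in t.order if p not in t.parent]
    out: List[str] = []

    def label(pid: int) -> str:
        s = f"{pid} {t.cmd.get(pid, '?')}"
        end = t.ended.get(pid)
        if end and end != "exit 0":  # only abnormal endings are worth showing
            s += f"  [{end}]"
        return s

    def walk(pid: int, prefix: str, last: bool) -> None:
        out.append(prefix + ("└─" if last else "├─") + label(pid))
        kids = sorted(children[pid])
        for i, k in enumerate(kids):
            walk(k, prefix + ("   " if last else "│  "), i == len(kids) - 1)

    for root in roots:
        out.append(label(root))
        kids = sorted(children[root])
        for i, k in enumerate(kids):
            walk(k, "  ", i == len(kids) - 1)
    return "\n".join(out)

def build_tree(text: str) -> str:
    return render(parse_strace(text))

if __name__ == "__main__":
    print(build_tree(SAMPLE))
```

Point it at a real file with `build_tree(open("/tmp/trace.out").read())` after the `strace -f -e trace=process -o /tmp/trace.out` run shown above. The `<unfinished ...>` handling matters: with `-f`, the child’s first lines often land before the parent’s `clone` returns, so the child PID is only available on the `<... clone resumed>` line.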
🔧 visual-strace — Browser-Based Visualization
Link: https://github.com/lhoursquentin/visual-strace
What it does: In-browser visual representation of strace output using cytoscape.js graphs.
Why it’s useful:
- Visual graph — not just text
- Shows forks, execves, pipes, exit status
- Color-coded: green (success), red (non-zero exit), purple (signal death)
- Orange arrows show read/write relationships between processes
🔧 Microsoft ProcMon-for-Linux
Link: https://github.com/microsoft/ProcMon-for-Linux
What it does: Official Linux port of Sysinternals Process Monitor.
Why it’s useful:
- Familiar interface for Windows users
- TUI included
- Traces syscall activity
- Can output to file for later analysis
Usage:
```bash
sudo procmon # TUI mode
sudo procmon -c /tmp/trace.db # Headless mode
```
🔧 strace-parser (GitLab)
Link: https://gitlab.com/gitlab-com/support/toolbox/strace-parser
What it does: Summarizes strace output with per-PID statistics.
Why it’s useful:
- Built by GitLab Support for debugging Gitaly/Unicorn
- More detailed than `strace -c`
- Shows parent/child process breakdown
- Practitioner tool — battle-tested
TIER B — Specialized/Forensics
🔬 opentelemetry-ebpf-profiler
Link: https://github.com/open-telemetry/opentelemetry-ebpf-profiler
What it does: Whole-system cross-language profiler.
Why it’s useful:
- Profiles C/C++, Go, Rust, Python, Java, Node, .NET, PHP, Ruby, Perl
- 1% CPU overhead, ~250MB memory
- Mixed stacktraces from kernel → system libs → high-level language
- No debug symbols required
- CO-RE (works across kernel versions)
🔬 redcanary-ebpf-sensor
Link: https://github.com/redcanaryco/redcanary-ebpf-sensor
What it does: Security-focused BPF programs for kernel event collection.
Why it’s useful:
- Gathers process lineage, network connections, file access
- Selectively loads probes based on kernel version
- Made by Red Canary (legit security company)
🔬 dockerfileview
Link: https://github.com/remore/dockerfileview
What it does: Traces Docker image ancestry.
Why it’s useful:
- See the full Dockerfile chain from base image to current
- `dockerfileview nginx:1.9.2` reveals all FROM layers
WINDOWS
TIER S — The Hidden Gems
⭐ wuanzhuan/system_monitor — Rust ETW Procmon Replacement
Link: https://github.com/wuanzhuan/system_monitor
What it does: Windows kernel event monitoring via ETW, written in Rust.
Why it’s a gem:
- Literal procmon replacement — the description says it
- More events and better filtering than original
- Handle leak detection — can run for WEEKS tracking leaks
- Rust = memory safe, fast, modern
Use case: Debug handle leaks that only manifest after days of runtime. Original ProcMon can’t do this reliably.
⭐ wtrace — Single Binary CLI Power
Link: https://github.com/lowleveldesign/wtrace
What it does: Command-line ETW tracing tool.
Why it’s a gem:
- Single .exe file — no install
- Traces file I/O, registry, network, RPC calls
- Process tree in summary — shows hierarchy at end of session
- Can trace specific process + all children with `-c`
- Resolves RPC procedure names
- Works on Windows 8.1+
Installation:
```powershell
choco install wtrace
# OR download from GitHub releases
```
Usage:
```powershell
wtrace notepad c:\temp\test.txt # Start and trace
wtrace -c 1234 # Trace PID and children
wtrace --handlers file -f 'eventname=FileIO/Write' # Filter
```
⭐ ferrisetw — Rust KrabsETW
Link: https://github.com/n4r1b/ferrisetw
What it does: Rust library for ETW consumption.
Why it’s a gem:
- Started as KrabsETW port, now diverging with Rust idioms
- Full ETW provider support
- Proper Rust error handling
- Actively maintained
- Credits Microsoft’s KrabsETW team
Use case: Building your own Rust-based monitoring tools on Windows.
TIER A — Solid Alternatives
🔧 krabsetw (Microsoft Official)
Link: https://github.com/microsoft/krabsetw
What it does: Modern C++ and .NET wrapper for ETW.
Why it’s useful:
- Made by Microsoft (Office 365 Security team)
- Production-proven
- Called “Lobsters” internally
- NuGet packages available
Use case: Building enterprise monitoring tools in C++ or .NET.
🔧 ProcMonX / ProcMonXv2
Link: https://github.com/zodiacon/ProcMonX | https://github.com/zodiacon/ProcMonXv2
What it does: Extended Process Monitor using ETW instead of kernel driver.
Why it’s useful:
- No kernel driver needed — ETW only
- Made by Pavel Yosifovich (Windows Internals expert)
- GUI interface
- v2 is the newer version
🔧 PowerKrabsEtw
Link: https://github.com/zacbrown/PowerKrabsEtw
What it does: PowerShell interface for real-time ETW tracing.
Why it’s useful:
- `Trace-KrabsEtwProcess` — like ProcMon for specific process
- Create custom providers, filters, traces
- PowerShell-native (no compiled binaries needed for basic use)
Note: Start PowerShell with -MTA flag.
🔧 UIforETW (Google)
Link: https://github.com/google/UIforETW
What it does: User interface for recording and managing ETW traces.
Why it’s useful:
- Made by Google — used for Chrome performance
- Works around bugs in Windows Performance Toolkit
- Records additional context (user input, CPU temp)
- Fixes symbol loading issues
- Categorizes Chrome processes automatically
Tutorials: https://tinyurl.com/etwcentral
🔧 VISION-ProcMon
Link: https://github.com/forensicxlab/VISION-ProcMon
What it does: Rust + Tauri visualization for ProcMon output.
Why it’s useful:
- Malware analysis focused
- Beautiful web-based visualization
- Cross-platform (Tauri)
- Designed for behavioral analysis
TIER B — Built-in / Reference
🔬 Built-in Windows Commands
Hidden gems most people don’t know:
```powershell
# Quick process tree with parent info
wmic process get processid,parentprocessid,commandline
# ETW providers list
logman query providers
# ETW provider details
logman query providers Microsoft-Windows-Kernel-Process
```
Event Log: Event ID 4688 (Process Creation) — requires Audit Process Creation policy enabled.
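Event 4688 gives you the same parent/child data on Windows, one record per process start. This added Python example (not from any tool on this page) parses records in the XML shape that `wevtutil qe Security /q:"*[System[EventID=4688]]" /f:xml` emits, follows creator PID → new PID links back through the log to rebuild a chain, and applies a small expected-parent baseline to the svchost.exe case from the top of this post. The three events are constructed, not a real log, and the baseline (`EXPECTED_PARENT`, `SYSTEM_DIR`) is this example’s assumption, to be tuned per environment.

```python
"""Rebuild process lineage from Security log 4688 events (added example, not a tool from this page).
SAMPLE_XML is constructed in the shape wevtutil emits, wrapped in a root element."""
import ntpath
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed events, not a real capture: a normal svchost start, a user shell, and a
# look-alike svchost.exe started from that shell out of a user-writable directory.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4688</EventID></System><EventData>
  <Data Name="SubjectUserName">SYSTEM</Data>
  <Data Name="NewProcessId">0x9c4</Data>
  <Data Name="NewProcessName">C:\Windows\System32\svchost.exe</Data>
  <Data Name="ProcessId">0x2d8</Data>
  <Data Name="ParentProcessName">C:\Windows\System32\services.exe</Data>
  <Data Name="CommandLine">C:\Windows\System32\svchost.exe -k netsvcs -p</Data>
</EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4688</EventID></System><EventData>
  <Data Name="SubjectUserName">alice</Data>
  <Data Name="NewProcessId">0xa10</Data>
  <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
  <Data Name="ProcessId">0x6b4</Data>
  <Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>
  <Data Name="CommandLine">"C:\Windows\System32\cmd.exe" </Data>
</EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4688</EventID></System><EventData>
  <Data Name="SubjectUserName">alice</Data>
  <Data Name="NewProcessId">0xb2c</Data>
  <Data Name="NewProcessName">C:\Users\Public\svchost.exe</Data>
  <Data Name="ProcessId">0xa10</Data>
  <Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data>
  <Data Name="CommandLine">C:\Users\Public\svchost.exe -k netsvcs</Data>
</EventData></Event>
</Events>"""

def parse_4688(xml_text: str) -> List[Dict[str, str]]:
    """One dict per 4688 record, keyed by the EventData/Data Name attributes."""
    records = []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4688":
            continue
        records.append({d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)})
    return records

def lineage(rec: Dict[str, str]) -> str:
    """The one-hop view 4688 gives directly: creator image -> new image."""
    return f"{ntpath.basename(rec['ParentProcessName'])} → {ntpath.basename(rec['NewProcessName'])}"

# Example baseline (an assumption of this example): where these images normally live
# and which process normally starts them. Adjust for your environment.
SYSTEM_DIR = r"c:\windows\system32"
EXPECTED_PARENT = {"svchost.exe": "services.exe", "services.exe": "wininit.exe", "lsass.exe": "wininit.exe"}

def audit(records: List[Dict[str, str]]) -> List[str]:
    """Flag system-binary names that run from the wrong directory or have the wrong parent."""
    findings = []
    for rec in records:
        new_path = rec.get("NewProcessName", "")
        name = ntpath.basename(new_path).lower()
        parent = ntpath.basename(rec.get("ParentProcessName", "")).lower()
        pid = int(rec.get("NewProcessId", "0x0"), 16)  # 4688 stores PIDs as hex strings
        if name in EXPECTED_PARENT:
            if ntpath.dirname(new_path).lower() != SYSTEM_DIR:
                findings.append(f"PID {pid}: {name} running from {ntpath.dirname(new_path)} instead of System32")
            if parent != EXPECTED_PARENT[name]:
                findings.append(f"PID {pid}: {name} started by {parent}, expected {EXPECTED_PARENT[name]}")
    return findings

def chain(records: List[Dict[str, str]], pid: int) -> List[str]:
    """Follow ProcessId (creator) -> NewProcessId links back through the log, root first.
    Caveat: PIDs are reused, so on a real log also compare TimeCreated before trusting a hop."""
    by_new = {int(r["NewProcessId"], 16): r for r in records}
    names, seen, parent_name = [], set(), ""
    while pid in by_new and pid not in seen:
        seen.add(pid)
        r = by_new[pid]
        names.append(ntpath.basename(r["NewProcessName"]))
        parent_name = ntpath.basename(r["ParentProcessName"])
        pid = int(r["ProcessId"], 16)
    if names:
        names.append(parent_name)  # the oldest ancestor we know only by name
    return names[::-1]

if __name__ == "__main__":
    recs = parse_4688(SAMPLE_XML)
    print(" → ".join(chain(recs, 0xb2c)))
    for finding in audit(recs):
        print(finding)
```

`ParentProcessName` is present only on newer Windows releases, and `CommandLine` is populated only when the “Include command line in process creation events” policy is on; the parser tolerates their absence via `.get()`. With the sample, `chain(recs, 0xb2c)` yields `explorer.exe → cmd.exe → svchost.exe` and `audit` reports two findings for PID 2860.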
🔬 ETWExplorer
Use for deep provider inspection — see what events and data each provider offers.
Referenced in multiple red team resources for understanding ETW capabilities.
macOS
TIER S — The Hidden Gems
⭐ mac-monitor — 'The Missing ProcMon for macOS'
Link: https://github.com/redcanaryco/mac-monitor
What it does: Full Endpoint Security event monitoring with GUI.
Why it’s a gem:
- Made by Red Canary — real security company
- Process lineage subtree — click any event, see the family tree
- Event correlation — related events grouped together
- Dynamic event subscriptions — modify what you’re watching on the fly
- Path muting at API level
- High fidelity ES events with enrichment (File Quarantine, code signing certs)
- Exports to ESLogger-compatible JSON
Requirements:
- Apple Silicon recommended (Intel works)
- Full Disk Access permission
- System Extension approval
Installation: Download from https://github.com/Brandon7CC/mac-monitor/releases
⭐ eslogger — Already On Your Mac
What it does: Built-in Endpoint Security framework logger (macOS 13+).
Why it’s a gem:
- No SIP disable needed
- No extra software
- JSON output — pipe to `jq` for filtering
- Works with Full Disk Access permission
Usage:
```bash
# List all executables launched
sudo eslogger exec | jq -r '.event.exec.target.executable.path'
# Monitor files accessed by git
sudo eslogger stat | jq -r 'select(.process.executable.path | test("/git$")) | .event.stat.target.path'
```
Note: Apple doesn’t guarantee stable API — but it works great for research.
⭐ strace-macos
Link: https://github.com/Mic92/strace-macos
What it does: strace clone for macOS.
Why it’s a gem:
- Finally, actual strace on Mac
- Install via pipx:
```bash
env PIPX_DEFAULT_PYTHON='/usr/bin/python3' pipx install git+https://github.com/Mic92/strace-macos
```
TIER A — Solid Alternatives
🔧 esl
Link: https://github.com/tstromberg/esl
What it does: Go library for consuming EndpointSecurity events via eslogger.
Why it’s useful:
- Programmatic access to eslogger
- Example CLI included
- Experimental but functional
🔧 esfriend
Link: https://github.com/mcarmanize/esfriend
What it does: Minimal malware analysis sandbox for macOS.
Why it’s useful:
- Uses eslogger for event collection
- Designed for physical Mac as sandbox
- Uses Faronics Deep Freeze for cleanup
- Split exec/close events for accuracy
🔧 DTraceToolkit
Link: https://www.brendangregg.com/dtrace.html
What it does: 200+ DTrace scripts by Brendan Gregg.
Why it’s useful:
- The OG observability toolkit
- Scripts for process, I/O, network, everything
- Many included in macOS by default
Key scripts:
```bash
# New processes with arguments
sudo dtrace -n 'proc:::exec-success { trace(curpsinfo->pr_psargs); }'
# Files opened by process
sudo dtrace -n 'syscall::open*:entry { printf("%s %s",execname,copyinstr(arg0)); }'
```
Note: Requires SIP disabled for full functionality. Or use eslogger instead.
🔧 fs_usage — Built-in
What it does: File system usage monitor.
Usage:
```bash
sudo fs_usage -w -f exec # Trace all exec calls
```
Already installed on every Mac.
TIER B — Reference
🔬 Endpoint Security Framework Deep Dive
Wiki: https://github.com/redcanaryco/mac-monitor/wiki
Covers:
- ES API internals
- Client initialization
- Event subscriptions
- endpointsecurityd daemon analysis
- Frida instrumentation techniques
Required reading if building ES-based tools.
ANDROID
TIER A — The Main Tools
🔧 Frida — The Swiss Army Knife
Link: https://frida.re/
What it does: Dynamic instrumentation toolkit — inject scripts into running apps.
Why it’s the standard:
- Works on Android, iOS, Windows, macOS, Linux
- `frida-ps -U` — list processes on USB device
- `frida-trace -U -i open -N com.app` — trace function calls
- Bypass root detection, SSL pinning
- Massive community + script library: https://codeshare.frida.re/
Setup:
```bash
# On computer
pip install frida-tools
# On rooted Android device
adb push frida-server /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"
# Test
frida-ps -U
```
Note: Requires rooted device OR Frida Gadget injection for non-rooted.
🔧 android-trace
Link: https://github.com/HayesGordon/android-trace
What it does: Frida-node CLI wrapper for class/method tracing.
Why it’s useful:
- Easier than raw Frida for class enumeration
- Filter by regex
- JSON config for batch tracing
Usage:
```bash
node index.js -U -n com.app.package -F "com.app.package"
```
🔧 strace for Android
Links:
- https://github.com/hnw/strace-android-ndk (NDK build)
- https://github.com/xdbob/strace (with Binder support)
Why the Binder fork matters: Android IPC uses the Binder protocol. Stock strace doesn’t decode it. xdbob’s fork does.
TIER B — Built-in Tools
🔬 ADB Built-in Commands
```bash
# See app launches (events log)
adb logcat -b events | grep am_proc_start
# Process hierarchy and who started what
adb shell dumpsys activity processes
# Basic parent-child relationships
adb shell ps -A -o PID,PPID,NAME
# Get APK path
adb shell pm path com.app.package
# Send input events
adb shell input tap 500 500
```
CROSS-PLATFORM / BONUS
🔨 r-top — Rust TUI with Shaders
Link: https://github.com/asian-mario/r-top
What it does: Process monitor/manager with visual effects.
Platform: Unix-like systems
Why it’s cool: Uses ratatui + tachyonfx for shader effects. Looks amazing.
🔨 rustnet-monitor
Link: https://docs.rs/crate/rustnet-monitor/latest
What it does: Cross-platform network monitoring TUI.
Platforms: Linux (eBPF), macOS (getifaddrs), Windows (GetIfTable2)
Features:
- Real-time TCP/UDP/ICMP/ARP monitoring
- Connection state tracking
- Deep packet inspection
- eBPF on Linux for low overhead
FULL COMPARISON MATRIX
| Tool | Platform | Explains WHY | Real-time | No-root | eBPF/ETW | TUI/GUI | Process Tree | Debugger |
|---|---|---|---|---|---|---|---|---|
| witr | Linux/macOS | |||||||
| tracexec | Linux | |||||||
| extrace | Linux | |||||||
| execsnoop | Linux | |||||||
| pspy | Linux | |||||||
| forkstat | Linux | |||||||
| strace-process-tree | Linux | |||||||
| visual-strace | Linux | |||||||
| system_monitor | Windows | |||||||
| wtrace | Windows | |||||||
| ProcMonX | Windows | |||||||
| mac-monitor | macOS | ES API | ||||||
| eslogger | macOS | ES API | ||||||
| Frida | All |
Legend:
= Yes
= No
raw = Shows data but YOU interpret it (vs witr which explains)
STRATEGIC RECOMMENDATIONS
Quick Reference: Which Tool For Which Job
| Situation | Linux | Windows | macOS | Android |
|---|---|---|---|---|
| “Explain this process” | witr | — | witr | — |
| Watch everything live | tracexec | wtrace | mac-monitor | Frida |
| No admin/root access | pspy | — | — | — |
| Production monitoring | execsnoop | system_monitor | eslogger | — |
| Post-mortem analysis | strace-process-tree | VISION-ProcMon | — | — |
| Visual graphs | visual-strace | ProcMonX | mac-monitor | — |
| Build custom tools | bcc/bpftrace | krabsetw | esl | Frida |
Upgrade Path
```text
QUICK CHECK: witr (Linux/Mac) — still the best for explanation synthesis
DEEP DEBUGGING: tracexec (Linux) | mac-monitor (macOS) | wtrace (Windows)
PRODUCTION: execsnoop (Linux eBPF) | system_monitor (Windows ETW)
NO ROOT: pspy (Linux) | eslogger (macOS)
VISUALIZATION: visual-strace (browser) | strace-process-tree (CLI)
MOBILE: Frida (Android/iOS)
```
WHAT DOESN’T EXIST YET (Project Ideas)
These tools would complete the ecosystem but nobody’s built them:
| Gap | Description | Difficulty |
|---|---|---|
| Cross-platform witr | Same “explain why” synthesis on Windows/macOS | Medium |
| Historical explainer | “Why was this running at 3am?” using audit logs | Hard |
| Package-aware identifier | “This is nginx from apt” or “node from nvm” | Medium |
| AI process explainer | LLM summarizing process chains into plain English | Easy-Medium |
| Unified timeline | Merge events from multiple tools into single view | Hard |
Free startup ideas. You’re welcome.
VALIDATION: Why This List Is Different
How we know these are real gems:
- Not page-1 Google results
- Posted by practitioners (kxxt, leahneukirchen, Brendan Gregg, Colin Ian King, Pavel Yosifovich)
- All have working binaries/packages
- Provides actual leverage (debugging, security, forensics)
- “Where tf did you find this?” factor
- Beginners don’t stumble on these accidentally
Failed search paths (so you don’t waste time):
- “process ancestry” → returns genealogy software (Gramps, GEDCOM)
- “Linux process monitor” → returns top/htop tutorials
- “systemd process origin” → returns GitHub issues, not tools
- Generic Rust/Go process spawn searches → language stdlib issues
MASTER LINK LIST
Linux
| Tool | Link |
|---|---|
| witr | https://github.com/pranshuparmar/witr |
| tracexec | https://github.com/kxxt/tracexec |
| extrace | https://github.com/leahneukirchen/extrace |
| pspy | https://github.com/DominicBreuker/pspy |
| execsnoop (bcc) | https://github.com/iovisor/bcc |
| execsnoop (bpftrace) | https://github.com/bpftrace/bpftrace |
| forkstat | apt install forkstat |
| strace-process-tree | https://github.com/mgedmin/strace-process-tree |
| visual-strace | https://github.com/lhoursquentin/visual-strace |
| ProcMon-for-Linux | https://github.com/microsoft/ProcMon-for-Linux |
| strace-parser | https://gitlab.com/gitlab-com/support/toolbox/strace-parser |
| opentelemetry-ebpf-profiler | https://github.com/open-telemetry/opentelemetry-ebpf-profiler |
| redcanary-ebpf-sensor | https://github.com/redcanaryco/redcanary-ebpf-sensor |
| dockerfileview | https://github.com/remore/dockerfileview |
Windows
| Tool | Link |
|---|---|
| system_monitor | https://github.com/wuanzhuan/system_monitor |
| wtrace | https://github.com/lowleveldesign/wtrace |
| ferrisetw | https://github.com/n4r1b/ferrisetw |
| krabsetw | https://github.com/microsoft/krabsetw |
| ProcMonX | https://github.com/zodiacon/ProcMonX |
| ProcMonXv2 | https://github.com/zodiacon/ProcMonXv2 |
| PowerKrabsEtw | https://github.com/zacbrown/PowerKrabsEtw |
| UIforETW | https://github.com/google/UIforETW |
| VISION-ProcMon | https://github.com/forensicxlab/VISION-ProcMon |
macOS
| Tool | Link |
|---|---|
| mac-monitor | https://github.com/redcanaryco/mac-monitor |
| eslogger | Built-in (macOS 13+) |
| strace-macos | https://github.com/Mic92/strace-macos |
| esl | https://github.com/tstromberg/esl |
| esfriend | https://github.com/mcarmanize/esfriend |
| DTraceToolkit | https://www.brendangregg.com/dtrace.html |
Android
| Tool | Link |
|---|---|
| Frida | https://frida.re/ |
| android-trace | https://github.com/HayesGordon/android-trace |
| strace-android-ndk | https://github.com/hnw/strace-android-ndk |
| strace (Binder) | https://github.com/xdbob/strace |
Cross-Platform
| Tool | Link |
|---|---|
| r-top | https://github.com/asian-mario/r-top |
| rustnet-monitor | https://docs.rs/crate/rustnet-monitor/latest |
Your computer’s been keeping secrets. Now you have the tools to read its diary.