Tables
Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.
Apple
Linux
Windows
ChromeOS
processes
processes
All running processes on the host system.
| Column | Type | Description |
|---|---|---|
| cgroup_path | text | The full hierarchical path of the process's control group Only available on linux |
| cmdline | text | Complete argv |
| cpu_subtype | integer | Indicates the specific processor on which an entry may be used. Only available on macOS |
| cpu_type | integer | Indicates the specific processor designed for installation. Only available on macOS |
| cwd | text | Process current working directory |
| disk_bytes_read | bigint | Bytes read from disk |
| disk_bytes_written | bigint | Bytes written to disk |
| egid | bigint | Unsigned effective group ID |
| elapsed_time | bigint | Elapsed time in seconds this process has been running. Only available on Windows |
| elevated_token | integer | Process uses elevated token yes=1, no=0 Only available on Windows |
| euid | bigint | Unsigned effective user ID |
| gid | bigint | Unsigned group ID |
| handle_count | bigint | Total number of handles that the process has open. This number is the sum of the handles currently opened by each thread in the process. Only available on Windows |
| name | text | The process path or shorthand argv[0] |
| nice | integer | Process nice level (-20 to 20, default 0) |
| on_disk | integer | The process path exists yes=1, no=0, unknown=-1 |
| parent | bigint | Process parent's PID |
| path | text | Path to executed binary |
| percent_processor_time | bigint | Returns elapsed time that all of the threads of this process used the processor to execute instructions in 100 nanoseconds ticks. Only available on Windows |
| pgroup | bigint | Process group |
| pid | bigint | Process (or thread) ID |
| protection_type | text | The protection type of the process Only available on Windows |
| resident_size | bigint | Bytes of private memory used by process |
| root | text | Process virtual root directory |
| secure_process | integer | Process is secure (IUM) yes=1, no=0 Only available on Windows |
| sgid | bigint | Unsigned saved group ID |
| start_time | bigint | Process start time in seconds since Epoch, in case of error -1 |
| state | text | Process state |
| suid | bigint | Unsigned saved user ID |
| system_time | bigint | CPU time in milliseconds spent in kernel space |
| threads | integer | Number of threads used by process |
| total_size | bigint | Total virtual memory size (Linux, Windows) or 'footprint' (macOS) |
| translated | integer | Indicates whether the process is running under the Rosetta Translation Environment, yes=1, no=0, error=-1. Only available on macOS |
| uid | bigint | Unsigned user ID |
| upid | bigint | A 64bit pid that is never reused. Returns -1 if we couldn't gather them from the system. Only available on macOS |
| uppid | bigint | The 64bit parent pid that is never reused. Returns -1 if we couldn't gather them from the system. Only available on macOS |
| user_time | bigint | CPU time in milliseconds spent in user space |
| virtual_process | integer | Process is virtual (e.g. System, Registry, vmmem) yes=1, no=0 Only available on Windows |
| wired_size | bigint | Bytes of unpageable memory used by process |
Example
List executables listening on network ports.
SELECT l.port, l.pid, p.name, p.path FROM listening_ports l JOIN processes p USING (pid);
Edit page
Ask us anything
Questions?
SOC2 Type 2
© 2025 Fleet Inc.
Privacy
