Simpler Navigation coming for Servers and Operating Systems
Coming soon: a much simpler Servers and Operating Systems section of the Community. We will combine many of the older boards, and you won't have to click through so many levels to get at the information you need. If you are looking for an older board and do not find it, check the consolidated boards, as the posts are still there.
Showing results for 
Search instead for 
Did you mean: 


Go to solution
James Odak
Valued Contributor


a bit perplexed here

# who
root pts/0 Feb 10 15:18
root pts/1 Feb 6 11:52
hpcss pts/tg Jan 9 10:55
hpcss pts/tl Dec 31 20:40
# ps -efa|grep "pts/t"
root 28953 28716 1 15:19:20 pts/0 0:00 grep pts/t

note the old hpcss entries under who, yet there are no processes for them ..i can not (short of rebooting) seem to find a way to get the hpcss entries out of the who report

any ideas?
Michael Tully
Honored Contributor

Re: who


This should help from the from the technical knowledge base:


who shows logins but no PID after a PC that was connected crashed and existed
The utmp file can be manipulated with the fwtmp command.

1.check the last modification time of the /etc/utmp file
ls -l /etc/utmp
-rw-r--r-- 1 root root 1620 Jun 28 09:22 /etc/utmp

2.convert the binary /etc/utmp file to ascii :
/usr/sbin/acct/fwtmp /tmp/utmp.ascii

3.edit the /tmp/utmp.ascii file to remove the old entries
Note : the entries are sorted by date, simply use the login time reported
who(1) to find the lines to remove.

4.convert the file back to binary format :
/usr/sbin/acct/fwtmp -ic /tmp/utmp.binary

5.verify that all unwanted entries have been removed from the new file :
who /tmp/utmp.binary

6.verify that the /etc/utmp file has not been modified since the beginning of
this procedure :
ls -l /etc/utmp
-rw-r--r-- 1 root root 1620 Jun 28 09:22 /etc/utmp
If the file has been updated do all the steps again.

7.replace the existing /etc/utmp file with the new one :
mv /tmp/utmp.binary /etc/utmp

8.verify that the file still has the same ownership and permissions :
ls -l /etc/utmp
-rw-r--r-- 1 root root 1600 Jun 28 09:30 /etc/utmp

The who command will now report the correct information.

Anyone for a Mutiny ?
James Odak
Valued Contributor

Re: who

ahh thanks, this worked with the exception of step 4

/usr/sbin/acct/fwtmp -ic /tmp/utmp.binary

i changed to
/usr/sbin/acct/fwtmp -ic < /tmp/utmp.ascii > /tmp/utmp.binary

and the rest worked fine