Getting execution path of a command using ps

[hadisinaee]

This is the updated version 2 introduced in up to this commit 964f37f

{
  "pid": "61754",
  "proc": "Code Helper (Plugin",
  "exec_path": "",
  "events": [
    {
      "fname": "[[UNKNOWN]]",
      "open": "",
      "close": "23:18:42.569602",
      "mode": 3
    },
    {
      "fname": "[[UNKNOWN]]",
      "open": "",
      "close": "23:18:42.569618",
      "mode": 0
    },
    {
      "fname": "[[UNKNOWN]]",
      "open": "",
      "close": "23:18:42.569622",
      "mode": 0
    },
    {
      "fname": "[[UNKNOWN]]",
      "open": "",
      "close": "",
      "mode": 3
    }
  ]
}

The issue here is locating the exec_path of the running process with a specific pid.

To find the execution path for a specific command, I used ps -A -o pid,command. This only shows the pid and the command part of all running processes. If we have a specific process id, we're interested in its command part for our data. However, I couldn't retrieve the full command using this method. The problems were:

• For most processes, the command part was empty. Only a few processes occasionally showed the command part. So, I left the field empty in the compressed data. I couldn't pinpoint the exact issue as I didn't have much time to investigate further. My guess is there might be a flag in ps that allows us to see all processes, even those from other users. I tried running the command with sudo, but it didn't help. It's possible that the process finished running just before I could capture it.
• Even for the few processes where I could get the command part, there were discrepancies between what I saw in my compressed data and what sudo and ps showed. I'm not sure why this happened since I only used fs_usage for file system calls.