whatexec.d 1m "$Date:: 2007-08-05 #$" "USER COMMANDS"
NAME
whatexec.d - Examine the type of files exec'd. Uses DTrace.
SYNOPSIS
whatexec.d
DESCRIPTION
This prints the first four characters of files that are executed.
This traces the kernel function findexec_by_hdr(), which checks for
a known magic number in the file's header.
The idea came from a demo I heard about from the UK, where a
"blue screen of death" was displayed for "MZ" files (although I
haven't seen the script or the demo).
Since this uses DTrace, only the root user or users with the
dtrace_kernel privilege can run this command.
OS
Solaris
STABILITY
unstable - this script uses fbt provider probes which may change for
future updates of the OS, invalidating this script. Please read
Docs/Notes/ALLfbt_notes.txt for further details about these fbt scripts.
EXAMPLES
Trace execs as they occur,
# whatexec.d
FIELDS
PEXEC parent command name
EXEC pathname to file exec'd
OK is type runnable, Y/N
TYPE first four characters from file
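The OK and TYPE fields can be approximated offline for a file already on disk. The following is an added example, not part of the DTraceToolkit: it reads the first four bytes of a file and compares them against a small magic table. The table (ELF and "#!"), the octal escaping of non-printable bytes and all function names are assumptions for illustration, not the list that findexec_by_hdr() actually checks.

```python
import os
import tempfile

# Assumption: a small illustrative magic table, not the kernel's real list.
KNOWN_MAGIC = (b"\x7fELF", b"#!")


def first_four(path):
    """Return up to the first four bytes of the file (fewer if it is short)."""
    with open(path, "rb") as f:
        return f.read(4)


def printable(head):
    """Show printable ASCII as-is and escape everything else in octal."""
    return "".join(chr(b) if 32 <= b < 127 else "\\%03o" % b for b in head)


def classify(path):
    """Return (OK, TYPE): OK is 'Y' when the header starts with a known magic."""
    head = first_four(path)
    ok = "Y" if head.startswith(KNOWN_MAGIC) else "N"
    return ok, printable(head)


def demo():
    """Classify constructed sample files and return {name: (OK, TYPE)}."""
    samples = {  # constructed headers, not real binaries
        "elf.bin": b"\x7fELF\x02\x01\x01\x00",
        "script.sh": b"#!/bin/sh\necho hi\n",
        "dos.exe": b"MZ\x90\x00\x03\x00",
        "empty": b"",  # shorter than four bytes: must not raise
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as f:
                f.write(data)
            results[name] = classify(path)
    return results


if __name__ == "__main__":
    print("%-10s %2s %s" % ("FILE", "OK", "TYPE"))
    for name, (ok, kind) in demo().items():
        print("%-10s %2s %s" % (name, ok, kind))
```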
DOCUMENTATION
See the DTraceToolkit for further documentation under the
Docs directory. The DTraceToolkit docs may include full worked
examples with verbose descriptions explaining the output.
EXIT
whatexec.d will trace until Ctrl-C is hit.
AUTHOR
Brendan Gregg
[Sydney, Australia]
SEE ALSO
dtrace(1M)