Under Construction

utmp Entries from init(1)

The init(1) process is the first process started after boot. It creates utmp entries in /etc/utmp and /var/adm/wtmp. Immediately after startup, init(1) generates an entry of type 2 (BOOT_TIME) and records the time of the boot. The character string “system boot” is stored in the ut_line field and the current time is recorded in the ut_time field:

# /usr/sbin/acct/fwtmp </etc/utmp | grep "  2 "
                        system boot   2     0 0000 0000 1641915478                                  Tue Jan 11 16:37:58 2022
#

This entry is displayed by who(1) when the command is started with the option ‘-b’ (last boot time):

$ who -b
   .        system boot Jan 11 16:37                    
$

Next, init(1) records the run level it boots into. To do this, it creates an entry of type 1 (RUN_LVL) with the character string “run-level N” in the ut_line field, where N is the run level (usually 2):

# /usr/sbin/acct/fwtmp </etc/utmp | grep "  1 "
                        run-level 2   1     0 0062 0123 1641915478                                  Tue Jan 11 16:37:58 2022
#

The entry is used by the ‘-r’ (run level) option of the who command:

$ who -r
   .        run-level 2 Jan 11 16:37       2    0    S
$

Both entries are stored in /etc/utmp and /var/adm/wtmp.

Next, an entry of type 5 (INIT_PROCESS) is generated for each entry from /etc/inittab that is started. This is again recorded in /etc/utmp as well as /var/adm/wtmp:

# /usr/sbin/acct/fwtmp </etc/utmp | grep "  5 "
srcmstr  srcmstr                      5 4522192 0000 0000 1641915480                                  Tue Jan 11 16:38:00 2022
cron     cron                         5 6226138 0000 0000 1641915499                                  Tue Jan 11 16:38:19 2022
#

For each of these entries, the two fields ut_user and ut_id contain the ID of the corresponding inittab entry. In addition to the start time, the PID of the started process is also saved. The who(1) command displays these entries with the ‘-p’ option:

$ who -p
srcmstr         .       Jan 11 16:38     0:13   4522192 id=srcmstr
cron            .       Jan 11 16:38     0:13   6226138 id=cron  
$

When a process started by init(1) is terminated, an entry of type 8 (DEAD_PROCESS) is generated. The ut_user field remains empty and the ID of the associated inittab entry is entered in ut_id. The time at which the process terminated is stored as a time stamp (ut_time):

# /usr/sbin/acct/fwtmp </etc/utmp | grep "  8 "
         securityboot                 8 4718738 0000 0000 1641915478                                  Tue Jan 11 16:37:58 2022
         mlsboot                      8 4718740 0000 0000 1641915478                                  Tue Jan 11 16:37:58 2022
         tunables                     8 4718742 0000 0000 1641915479                                  Tue Jan 11 16:37:59 2022
         rc                           8 4784308 0000 0000 1641915480                                  Tue Jan 11 16:38:00 2022
#

When the entry is logged, the procedure differs between /etc/utmp and /var/adm/wtmp. In /var/adm/wtmp the entry is simply appended at the end; in /etc/utmp, however, it overwrites the associated type 5 (INIT_PROCESS) entry. As a result, /etc/utmp never holds two entries for a process started by init(1): while the process is running there is a type 5 entry, and once it has terminated a type 8 entry takes its place. In /var/adm/wtmp, on the other hand, you will find both entries, the type 5 entry for the start of the process and the type 8 entry for its termination.

The who(1) command offers the ‘-d’ option for displaying type 8 (DEAD_PROCESS) entries:

# who -d
   .            .       Jan 11 16:37     0:12   4718738 id=securit term=0 exit=0
   .            .       Jan 11 16:37     0:12   4718740 id=mlsboot term=0 exit=0
   .            .       Jan 11 16:37     0:12   4718742 id=tunable term=0 exit=0
   .            .       Jan 11 16:38     0:12   4784308 id=rc      term=0 exit=0
#

For terminated processes (type 8 entries), the exit code of the process is also recorded, in the ut_exit.e_exit field. If the process was terminated by a signal (e.g. by the kill command), the signal number is recorded in the ut_exit.e_termination field. fwtmp prints both fields as four octal digits:

# /usr/sbin/acct/fwtmp </etc/utmp
         clusterconf                  8 8192004 0000 0021 1641915536                                  Tue Jan 11 16:38:56 2022
         test                         8 6488164 0011 0000 1642003287                                  Wed Jan 12 17:01:27 2022
#

The clusterconf entry from /etc/inittab ended with exit status octal 0021 (decimal 17). The process started by the entry with ID test was terminated with the signal octal 0011 (decimal 9 = KILL). The “who -d” command displays this information as “term=X” and “exit=X”:

$ who -d
   .            .       Jan 11 16:38      .     8192004 id=cluster term=0 exit=17
   .            .       Jan 12 17:01      .     6488164 id=test    term=9 exit=0
$

For inittab entries with the respawn action, which init(1) starts again each time the process terminates, the corresponding entry in /etc/utmp is always overwritten. This means that you will generally not see a type 8 (DEAD_PROCESS) entry for such an inittab entry, since it is immediately replaced by a new type 5 (INIT_PROCESS) entry when the respawn occurs. In /var/adm/wtmp, on the other hand, you will always find the complete history, since nothing is overwritten there; entries are only ever appended.
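The following Python script is an added example and not part of the original page: it parses listings in the column layout fwtmp printed above, decodes the octal ut_exit fields the way who -d shows them, replays the overwrite rule to reconstruct what /etc/utmp holds after a sequence of wtmp records (including the respawn case from the last paragraph), and pairs type 5 and type 8 records by PID to recover each process lifetime from wtmp. The column widths (8 for ut_user, 14 for ut_id, 12 for ut_line), the function names and the sample listing are assumptions made for this example; the PIDs and timestamps reuse values from the page, but the two “test” INIT_PROCESS lines are constructed to show a respawn.

```python
import signal
from dataclasses import dataclass
from typing import Dict, List

# ut_type values as printed by fwtmp on the page.
RUN_LVL, BOOT_TIME, INIT_PROCESS, DEAD_PROCESS = 1, 2, 5, 8
TYPE_NAMES = {RUN_LVL: "RUN_LVL", BOOT_TIME: "BOOT_TIME",
              INIT_PROCESS: "INIT_PROCESS", DEAD_PROCESS: "DEAD_PROCESS"}


@dataclass
class UtmpRecord:
    user: str         # ut_user (inittab id for type 5, empty for type 8)
    ut_id: str        # ut_id (inittab id for type 5 and 8)
    line: str         # ut_line ("system boot", "run-level N" or empty)
    ut_type: int
    pid: int
    termination: int  # ut_exit.e_termination: signal number for type 8
    exit_code: int    # ut_exit.e_exit: exit status for type 8
    time: int         # ut_time, seconds since the epoch


def parse_fwtmp_line(raw: str) -> UtmpRecord:
    """Parse one fwtmp output line. Assumed layout (as on the page): ut_user
    8 columns, ut_id 14, ut_line 12, each followed by one space; then type,
    pid, the two ut_exit fields as four octal digits, and ut_time follow as
    whitespace-separated tokens. The trailing date string is ignored."""
    fields = raw[36:].split()
    if len(fields) < 5:
        raise ValueError("not an fwtmp record: %r" % raw)
    return UtmpRecord(
        user=raw[0:8].strip(), ut_id=raw[9:23].strip(), line=raw[24:36].strip(),
        ut_type=int(fields[0]), pid=int(fields[1]),
        termination=int(fields[2], 8), exit_code=int(fields[3], 8),
        time=int(fields[4]))


def describe_exit(rec: UtmpRecord) -> str:
    """Render ut_exit the way who -d prints it: term=<signal> exit=<status>."""
    text = "term=%d exit=%d" % (rec.termination, rec.exit_code)
    if rec.termination:
        try:  # name the signal where this platform knows the number
            text += " (%s)" % signal.Signals(rec.termination).name
        except ValueError:
            pass
    return text


def run_level_chars(rec: UtmpRecord) -> str:
    """Decode the RUN_LVL record's ut_exit fields as characters: the page's
    0062/0123 read as '2' and 'S', the characters who -r printed there."""
    return chr(rec.termination) + chr(rec.exit_code)


def replay_utmp(records: List[UtmpRecord]) -> Dict[str, UtmpRecord]:
    """Rebuild the /etc/utmp slots left by a wtmp sequence: one slot per
    inittab id, so a type 8 overwrites the type 5 with the same ut_id and a
    respawned type 5 overwrites that type 8 again. The boot and run-level
    records are keyed by ut_line instead."""
    slots: Dict[str, UtmpRecord] = {}
    for rec in records:
        key = rec.ut_id if rec.ut_type in (INIT_PROCESS, DEAD_PROCESS) else rec.line
        slots[key] = rec
    return slots


def process_history(records: List[UtmpRecord]) -> List[dict]:
    """Pair each INIT_PROCESS with the DEAD_PROCESS carrying the same pid.
    Unpaired type 5 records are still running; a type 8 with no start record
    means the log does not cover the whole lifetime (rotation, or a gap that
    deserves a second look during an incident review)."""
    running: Dict[int, UtmpRecord] = {}
    history: List[dict] = []
    for rec in records:
        if rec.ut_type == INIT_PROCESS:
            running[rec.pid] = rec
        elif rec.ut_type == DEAD_PROCESS:
            start = running.pop(rec.pid, None)
            history.append({"id": rec.ut_id, "pid": rec.pid,
                            "started": start.time if start else None,
                            "ended": rec.time, "status": describe_exit(rec)})
    for pid, start in running.items():
        history.append({"id": start.ut_id, "pid": pid, "started": start.time,
                        "ended": None, "status": "running"})
    return history


# Constructed sample wtmp listing in the page's fwtmp layout. PIDs and times
# reuse values from the page; the two "test" INIT_PROCESS lines (pid 6488164
# start, pid 6488170 respawn) are invented to exercise the overwrite rule.
SAMPLE_WTMP = [
    " " * 24 + "system boot   2       0 0000 0000 1641915478  Tue Jan 11 16:37:58 2022",
    " " * 24 + "run-level 2   1       0 0062 0123 1641915478  Tue Jan 11 16:37:58 2022",
    "srcmstr  srcmstr                      5 4522192 0000 0000 1641915480  Tue Jan 11 16:38:00 2022",
    "         rc                           8 4784308 0000 0000 1641915480  Tue Jan 11 16:38:00 2022",
    "         clusterconf                  8 8192004 0000 0021 1641915536  Tue Jan 11 16:38:56 2022",
    "test     test                         5 6488164 0000 0000 1642003200  Wed Jan 12 17:00:00 2022",
    "         test                         8 6488164 0011 0000 1642003287  Wed Jan 12 17:01:27 2022",
    "test     test                         5 6488170 0000 0000 1642003288  Wed Jan 12 17:01:28 2022",
]


if __name__ == "__main__":
    recs = [parse_fwtmp_line(l) for l in SAMPLE_WTMP]
    for key, rec in replay_utmp(recs).items():
        print("%-14s %-12s pid=%d" % (key, TYPE_NAMES[rec.ut_type], rec.pid))
    for entry in process_history(recs):
        print(entry)
```

Run against a real listing, feed the output of /usr/sbin/acct/fwtmp </var/adm/wtmp line by line to parse_fwtmp_line. The replayed utmp view shows a single type 5 slot for the respawned “test” entry (pid 6488170) and no trace of the killed pid 6488164, while process_history, built from the same wtmp records, still reports that pid 6488164 ran from 17:00:00 to 17:01:27 and ended with term=9; the “rc” and “clusterconf” type 8 records appear with no start time because the sample contains no type 5 record for them.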