Finding work that runs under UID 0, and understanding what that work is, is important for security on z/OS.
Some UID 0 processes run for hours and are easy to find with tools like SDSF. Other work might only run for a fraction of a second, and is virtually impossible to catch “in the act”.
SMF data can help. SMF type 30 records have Unix Process sections for z/OS UNIX work. The Unix Process section includes the UID, so you can use it to find UID 0 work.
Here is an example of the EasySMF Unix Work report:
The UID field allows you to filter the report to include only work with UID 0.
The report builds a tree using the parent process information so you can see the relationship between different tasks. Information from SMF about the running program is included, which can help to understand what the work is doing.
The Elapsed column shows how long these tasks were running. Most of these tasks were part of system startup and many ran for less than half a second, so it would be very difficult to catch them in real time.
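The filtering and parent/child grouping described above can be sketched as follows. This is an added example, not EasySMF code or output: it works on constructed, already-decoded process records rather than raw SMF data. It assumes hypothetical field names, one record per process, and PIDs that are not reused within the sample.

```python
from collections import defaultdict

# Constructed sample: one dict per process, as it might look after decoding the
# Unix Process sections of SMF type 30 records. Field names are hypothetical.
RECORDS = [
    {"pid": 1,  "ppid": 0,   "uid": 0,    "job": "INIT",    "program": "initprog",   "elapsed": 3600.0},
    {"pid": 10, "ppid": 1,   "uid": 0,    "job": "STARTUP", "program": "/bin/sh",    "elapsed": 0.30},
    {"pid": 11, "ppid": 10,  "uid": 0,    "job": "STARTUP", "program": "/bin/mkdir", "elapsed": 0.02},
    {"pid": 20, "ppid": 1,   "uid": 1001, "job": "USERA",   "program": "/bin/sh",    "elapsed": 120.0},
    {"pid": 21, "ppid": 20,  "uid": 0,    "job": "USERA",   "program": "sampleprog", "elapsed": 0.10},
    {"pid": 30, "ppid": 999, "uid": 0,    "job": "DAEMON",  "program": "sampled",    "elapsed": 7200.0},
]

def uid_forest(records, uid=0):
    """Link processes running under `uid` by parent PID; a process whose parent
    has another UID or is absent from the data becomes a root, not dropped."""
    selected = {r["pid"]: r for r in records if r["uid"] == uid}
    children, roots = defaultdict(list), []
    for r in sorted(selected.values(), key=lambda r: r["pid"]):
        if r["ppid"] in selected and r["ppid"] != r["pid"]:
            children[r["ppid"]].append(r)
        else:
            roots.append(r)
    return roots, children

def render(records, uid=0, short=0.5):
    """Return indented report lines; tasks shorter than `short` seconds are marked."""
    by_pid = {r["pid"]: r for r in records}
    roots, children = uid_forest(records, uid)
    lines = []
    def walk(r, depth):
        notes = []
        if r["elapsed"] < short:
            notes.append("short-lived")
        parent = by_pid.get(r["ppid"])
        if depth == 0 and parent is not None and parent["uid"] != uid:
            notes.append(f"parent {parent['pid']} has UID {parent['uid']}")
        suffix = f"  [{', '.join(notes)}]" if notes else ""
        lines.append(f"{'  ' * depth}{r['pid']} {r['job']} {r['program']} {r['elapsed']:.2f}s{suffix}")
        for child in children[r["pid"]]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines

if __name__ == "__main__":
    print("\n".join(render(RECORDS)))
```

UID 0 work started by a parent running under a different UID appears as its own root with a note, which makes those entries easy to pick out for review.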
You can download a 30-day trial to see what the data from your system looks like here: