Purpose of utmp, wtmp, and btmp files in Linux (with an Example)

Linux TLDR

If you are familiar with the Linux file structure, you might already know the “/var/log” directory, which is responsible for keeping the system-related logs.

You can easily list the content of this directory using the ls command.

$ ls /var/log/

Output:

Listing the content of the log directory

As you can see from the above picture, this directory contains various files and directories related to different services and applications.

However, within the same directory, we have utmp, wtmp, and btmp files (the primary objective of this article), on which we will be more focused.

What are utmp, wtmp, and btmp Files in Linux?

To understand the role of these files, you need to understand how the login (authentication) mechanism works in the Linux system.

So, whenever you log in to any Linux system, the information you provide is validated against the user database, and once you’ve successfully logged in, the login program writes entries in two (log) files:

  • The “/var/run/utmp” file, which contains the record of users logged into the system.
  • The “/var/log/wtmp” file, which contains the historical record of the “utmp” file.

If the user is unable to login due to an incorrect login name or password, the login program writes the entry in:

  • The “/var/log/btmp” file, which contains the record of failed login attempts.

I hope this short description gives you a complete picture of the purpose of these log files. Note also that some popular commands read these files to produce their output.

The following is a list of all the commands that make use of these log files.

Log File | Commands | Usage
utmp | w, who | To show you the logged-in user on the target machine.
wtmp | last | To show you the historical data of all the users logged into the target machine since the last reboot.
btmp | lastb | To show you the list of unsuccessful login attempts held on the target machine.

Note that these files are binary (or database) files, so you can’t read them using the cat command or pager programs like more and less.

However, you can use the above commands that utilize these files in their output, which is equivalent to reading these files.

Or you can take advantage of a specialized program like “utmpdump” that is used to dump and load utmp, wtmp, and btmp files.

How to Read utmp, wtmp, and btmp Files in Linux

As I’ve told you earlier, commands like w, who, last, and lastb utilize these files in their output, so let’s see how you can use them to read the content of these files.

Reading the utmp file using the w and who commands

The w and who commands utilize the “/var/run/utmp” file to show you the list of all the logged-in users on the target machine.

$ w
$ who

Output:

Reading the UTMP file using the w and who commands

Note that the w command is not solely using the utmp file; it is also pulling the data from the “/proc” directory to show you the running process in the “WHAT” field.

Reading the wtmp file using the last command

The last command uses the “/var/log/wtmp” file to tell you about all the users who have logged in to the target machine in the past.

$ last

Output:

Reading the wtmp file using the last command

Reading the btmp file using the lastb command

The lastb command utilizes the “/var/log/btmp” file to show you the record of failed login attempts on the target machine, but note that this command requires root or sudo privilege.

$ sudo lastb

Output:

Reading the btmp file using the lastb command

Note that all of the above commands use the “utmp”, “wtmp”, and “btmp” log files but also utilize some other files, and they show you only certain information from the files unless you specify an option.

However, you can use the utmpdump command to read these files in raw format without any filter.

How to Read utmp, wtmp, and btmp Files Using the utmpdump Command

The job of utmpdump is only to dump and load the utmp, wtmp, and btmp files in raw format, which sounds quite easy; let’s try it.

We’re not going to go into much detail about the content of these files because they’re self-explanatory, and since you’re reading this, I assume you’re competent enough to understand them on your own.

1. Reading the utmp file using the utmpdump command

Execute the following command to read the “/var/run/utmp” file using the utmpdump command.

$ utmpdump /var/run/utmp

Output:

Reading the utmp file using the utmpdump command

2. Reading the wtmp file using the utmpdump command

Execute the following command to read the “/var/log/wtmp” file using the utmpdump command.

$ utmpdump /var/log/wtmp

Output:

Reading the wtmp file using the utmpdump command

3. Reading the btmp file using the utmpdump command

Execute the following command with root or sudo privileges to read the “/var/log/btmp” file using the utmpdump command.

$ sudo utmpdump /var/log/btmp

Output:

Reading the btmp file using the utmpdump command
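
As an added example (not part of the original article or of utmpdump itself), here is a small Python parser for the binary record format behind these files, used to tally btmp entries per source host. It assumes the 384-byte glibc "struct utmp" layout of x86-64 Linux; the helper names and the sample records are constructed for illustration.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

# Assumption: glibc "struct utmp" layout on x86-64 Linux (384 bytes per record):
# type, pid, line[32], id[4], user[32], host[256], exit(2h), session, tv(2i), addr(4i), pad
UTMP = struct.Struct("<h2xi32s4s32s256s2hi2i4i20x")
TYPES = {1: "RUN_LVL", 2: "BOOT_TIME", 6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def _text(raw):
    # String fields are fixed-width, NUL-padded byte arrays.
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_records(blob):
    """Yield one dict per complete record; a truncated tail is ignored."""
    for off in range(0, len(blob) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(blob, off)
        yield {
            "type": TYPES.get(f[0], str(f[0])),
            "pid": f[1],
            "line": _text(f[2]),
            "user": _text(f[4]),
            "host": _text(f[5]),
            "time": datetime.fromtimestamp(f[9], tz=timezone.utc),
        }

def failed_by_host(blob):
    """Count btmp entries per source host (local attempts carry no host)."""
    return Counter(r["host"] or "(local)" for r in parse_records(blob))

def make_record(ut_type, pid, line, user, host, ts):
    # Hypothetical helper: packs one constructed record for the sample below.
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)

# Constructed sample standing in for /var/log/btmp (documentation IP ranges).
SAMPLE_BTMP = b"".join([
    make_record(6, 4101, "ssh:notty", "root", "203.0.113.7", 1700000000),
    make_record(6, 4102, "ssh:notty", "admin", "203.0.113.7", 1700000003),
    make_record(6, 4110, "ssh:notty", "alice", "198.51.100.20", 1700000050),
    make_record(6, 900, "tty1", "bob", "", 1700000100),
]) + b"\0" * 10  # trailing partial record, as left by an interrupted write

if __name__ == "__main__":
    for host, n in failed_by_host(SAMPLE_BTMP).most_common():
        print(f"{n:4d} failed attempt(s) from {host}")
```

To run it against a real file, pass the bytes of “/var/log/btmp” (read as root) to failed_by_host() instead of the sample.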

Conclusion

I hope this article will fill you with curiosity, like so many things hidden in Linux. Also, don’t forget to follow us everywhere to keep yourself updated and sharpen your skills in Linux.

Also, if you have questions or queries related to this topic, feel free to ask them in the comment section.

Till then, sayonara!
