Skip to main content
Explain

What are utmp, wtmp, and btmp Files in Linux?

The utmp, wtmp and btmp files has nothing to do with time. They store records of login related activities. Learn more about them.

Sagar Sharma

Warp Terminal

So you were deep diving into the Linux filesystem and found these 3 files utmp, wtmp, and btmp. Looks odd. Right?

These files are used to store the log-in information of the user, but each file does that differently and are stored inside the /var/run and /var/log directory:

In this tutorial, I will walk you through what are the utmp, wtmp, and btmp Files on Linux and also share how you can display the content of those files.

All they do is store user log-ins

If you don't know, Linux keeps a record of each time you log in with your user credentials and there comes the use of these 3 files.

  • utmp: It keeps track of currently logged-in users.
  • wtmp: It keeps track of historical data of every log-in and logout activity.
  • btmp: It maintains the record of invalid log-in attempts.

Remember, these are the binary files and you can not use the cat command or open it in the text editor. They have different commands assigned for that purpose.

Sounds good? Now, let's address each file individually and in a detailed manner.

The utmp file

The utmp file keeps track of the user session in real time. In simple terms, by displaying the content of the utmp file, you can list the currently logged-in users.

It is available in the /var/run directory and you can use the ls command to list the contents of that directory:

ls /var/run

But as I mentioned earlier, you can not use the cat command to display the file contents of the utmp file and you have to use specific commands for that purpose.

To display the content of the utmp file, you can use the w or the who command:

who

A simple output indicating there's only one user who is currently logged in!

The wtmp file

Unlike the utmp file, the wtmp file keeps the historical data of users who logged-in and logged out of the system.

In simple terms, it contains the historic data of the utmp file.

You will find the wtmp located inside the /var/log directory and here's how you can find the wtmp file using the ls command:

ls /var/log 

To display the content of the wtmp file, you will have to use the last command:

last

As you can see, it will list the past log-in records as well as the user who is currently logged in to the system.

Additionally, it also shows the time of logging in and when the user logged out of the system.

The btmp file

📋
To display the content of the btmp file, you need to have super user privileges.

Think of a scenario when you enter the wrong password to log into your system and it won't let you log in saying "Incorrect password".

Yes, it gets recorded too, and for that, there's a btmp file in Linux.

The btmp file is located in the /var/log directory and you can use the ls command with the grep command to get the exact match:

ls /var/log | grep "btmp"

You may ask what is the btmp.1 file from the above output? Well, you may find this in multiple log files and it is known as log relocation.

Log relocation is used to create an archive of old log files in order to create a single oversized log file which may turn out to be too large to handle.

To display the content of the btmp file, you can use the lastb command:

lastb

The above image suggests that there were two attempts to log in to my system. One using the sagar username and one was using the incorrect username.

Bonus: Display data of utmp, wtmp, and btmp files using utmpdump command

While I won't recommend using the utmpdump command as it does not offer much compared to those specific commands that I explained earlier it is always good to know the alternative.

To use the utmpdump command, all you have to do is append the file path to it and it will work just fine.

For example, here's how you display the content of the btmp file using the utmpdump command:

utmpdump /var/log/btmp

Similarly, if you want to display the content of the utmp file, then you use the following:

utmpdump /var/run/utmp

And to print the content of the wtmp file, you can use the following:

utmpdump /var/log/wtmp

That's it!

More on different files of Linux

Want to learn what is the /dev/null file in a detailed manner? Here's a detailed guide on what is /dev/null in Linux:

What is /dev/null in Linux?
/dev/null is the blackhole equivalent of Linux systems. What is it and why it used?

Similarly, here's a detailed guide explaining /dev/zero in Linux:

What is /dev/zero in Linux?
One of the special device files in Linux, /dev/zero is used for creating files filled with zeroes.

I hope you will find this guide helpful.

Sagar Sharma