To a user like us, launching an application is a singular atomic event.

We double-click the App icon, and App appears. Simple.

To a Windows kernel engineer, this makes perfect sense.

You call CreateProcess(). You pass it the path to the executable, some flags, and the OS allocates memory, loads the .exe file from the disk, and sets the instruction pointer to the entry point.

It creates a brand new thing from scratch. It is sane. It is logical.

To a Linux kernel engineer, this is boring.

In the Unix world, creating a new process is not an act of construction, it is an act of biological division followed by a brain transplant.

We don’t just “start” a program. We clone the current program, and then we lobotomize the clone.

Enter the fork() and execve() dance.

fork()

In Linux, there is (almost) only one way to create a new process, you have to duplicate an existing one.

When your shell (bash/zsh) wants to run ls, it calls the system call fork().
This function takes zero arguments.

pid_t pid = fork();

When the CPU executes this instruction, the kernel performs Mitosis. It creates an exact duplicate of the current process.

• Memory - It copies the Stack, the Heap, and the Global variables (Logically, via Copy-on-Write).

• File Descriptors - It copies the table of open files.

• CPU State - It copies the registers and, crucially, the Instruction Pointer.

The “Multiverse” Moment

This is the part that breaks the brain of every Computer Science 101 student.

When fork() returns, it returns twice.

• It returns once in the original process (the Parent).

• It returns simultaneously in the new process (the Child).

Both processes are now at the exact same line of code. They are identical.

The only way the code knows “Who am I?” is by checking the return value.

if (pid == 0) {
    // I am the Child (The Clone)
} else {
    // I am the Parent (The Shell)
    // 'pid' holds the ID of my new child
}

execve()

At this exact moment, we have two copies of the Shell running. We don’t want two shells, we want our App.

This is where the child process performs the sacrifice. It calls execve() (or one of its wrappers like execvp).

// Inside the Child process
execve("/usr/bin/app", args, env);

This syscall is destructive.

1. Wipe - The kernel discards the entire memory address space of the process. The stack, heap, and old code are annihilated.

2. Load - The kernel maps the new executable (app) into memory.

3. Reset - The Instruction Pointer is reset to the entry point of the new binary.

The Process ID (PID) remains the same.

The file descriptors (mostly) remain open. But the “soul” of the process has been swapped out.

The code that called execve creates its own executioner, it never executes the line after execve because it no longer exists.

Windows vs. Linux

Why does Linux do this weird two-step dance instead of the Windows one-shot approach?

The Monolith (CreateProcess)

Windows treats process creation as a massive configuration task.

The CreateProcess API takes 10 parameters.

If you want to customize how the new process starts (e.g., redirecting Standard Output to a file), you have to fill out complex STARTUPINFO structures and pass them in.

It is efficient for the OS, but it creates a rigid API surface.

The Primitives (fork + exec)

By splitting creation (fork) from execution (exec), Unix gave us a magical “Interim State.”

Between the fork() and the exec(), the Child process is running, but it’s still running the shell’s code.

This allows the child to configure itself before it turns into the new program.

This is how Redirection works.

When you run ls > output.txt, the shell

1. Forks.

2. Inside the child (before exec): It closes stdout and opens output.txt in its place.

3. Execs ls.

The ls program doesn’t know about output.txt. It just writes to file descriptor 1. It works because the “Clone” adjusted its own plumbing before the brain transplant.

The “Tree” Consequence

Because every process must be spawned by an existing process, Linux has a strict Process Tree.

• Process A spawns B.

• B spawns C.

• Trace it all the way back, and you find PID 1 (systemd or init).

If you want to view the Process tree use pstree -c in your linux terminal.

In Windows, processes act more like independent objects. In Linux, they are a family line, traceable to a single ancestor.

Why we engineers should care?

You might be thinking, “I write Python/Node/Go. Why do I care about syscalls?”

Because this mechanism explains bugs that high-level abstractions cannot.

The Redis Latency Spike

Redis uses fork() to create background snapshots (RDB).

It relies on “Copy-on-Write” (CoW) so it doesn’t actually double RAM usage instantly.

However, fork() must copy the Page Tables.

If your Redis instance uses 60GB of RAM, the kernel pauses the main thread just to clone the page table mapping.

This causes the infamous “latency spike” in large Redis instances. It’s not the data copying; it’s the fork overhead itself.

The Thread Safety Trap

If your application is multi-threaded and you call fork(), the kernel only copies the thread that called fork.

The other threads vanish in the child.

The Horror, if a vanished thread was holding a mutex (lock) when fork() happened, that mutex is now locked forever in the child process, owned by a ghost thread that doesn’t exist.

If the child tries to acquire that lock (e.g., calling malloc), it will deadlock instantly.

The Zombie Leak

If you spawn a child process but never read its exit code (via waitpid), the kernel keeps the process entry alive in the process table so you can read the status later.

If you forget to do this, your server fills up with “Zombie” processes (defunct), eventually hitting the system-wide process limit and crashing.

Conclusion

High-level languages try to hide this from you.

Python’s subprocess.run or Node’s child_process.spawn are just wrappers.

Even modern POSIX introduced posix_spawn to mimic the Windows style for performance reasons (avoiding the overhead of copying page tables for a fork that immediately execs).

But underneath your abstractions, the machine is still doing the dance.

• Windows treats processes as Objects to be instantiated.

• Linux treats processes as Life to be evolved.

Next time you see a “Zombie Process” in top, remember, it’s not a bug. It’s a child waiting for its parent to acknowledge its death.

That’s just nature.