Techniques for determining whether processes are running on a computing device are described. As an example, a detection process may create a virtual mapping of data to memory of the computing device. The detection process may access a file system storing special files including attributes of virtual memory mappings. The detection process may analyze the attributes of the virtual memory mapping, such as an amount of data stored or shared by the memory mapping, to determine that another process is sharing the memory mapping with the detection process. The detection process may send data to a server associated with the computing device indicating that a process other than the detection process is operating on the computing device.