341
116
Is there an easy way to check if a binary is 32 or 64 bit on Windows? I need to check before I move the program to a 32bit machine and experience a spectacular failure.
Septagram
Posted 2011-11-17T10:29:58.673
Reputation: 3 838
How to check if a binary is 32 or 64 bit on Windows?
Answers
377
After examining header values from Richard's answer, I came up with a solution which is fast, easy, and only requires a text editor. Even Windows' default notepad.exe would work.
Open the executable in text editor. You might have to drag-and-drop or use the editor's
Open...dialog, because Windows doesn't showOpen with...option in context menu for executables.Check the first printable characters after the first occurrence of
PE. This part is most likely to be surrounded by at least some whitespace (could be a lot of it), so it can be easily done visually.
Here is what you're going to find:
32-bit:
PE L
64-bit:
PE d†
A word of warning: using default Notepad on big files can be very slow, so better not use it for files larger than a megabyte or few. In my case in took about 30 seconds to display a 12 MiB file. Notepad++, however, was able to display a 120 MiB executable almost instantly.
This is solution might be useful in case you need to inspect a file on a machine you can't install any additional software on.
Additional info:
If you have a HEX-Editor available, the offset of PE Signature is located at offset 0x3C. The signature is PE\0\0 (letters "P" and "E" followed by two null bytes), followed by a two byte Machine Type in Little Endian.
The relevant values are 0x8664 for a 64-bit executable and 0x014c for a 32-bit one (64 86 and 4c 01 respectively when adjusted for endianness, but any decent hex editor will automatically handle endianness when you search for a hex value). There are a lot more possible values, but you probably won't ever encounter any of these, or be able to run such executables on your Windows PC.
Full list of machine types, along with the rest of .exe specifications, can be found in Microsoft PE and COFF Specification Machine Types section.
Alexander Revo
Posted 2011-11-17T10:29:58.673
Reputation: 4 208
23Hey, this is rather hacky. And for the better, since this actually appears to be the fastest and easiest solution for the vast majority of cases :) – Septagram – 2015-03-13T21:51:43.637
5Rare instance when notepad beat notepad++. Notepad shows this right, in notepad you have mess around with encoding to get it to show but it worked! – zar – 2015-12-08T20:01:10.727
@zadane that's interesting. In my experience, Notepad++ would always use ANSI encoding when opening executables.Though it definitely does make it somewhat more difficult to find the needed fragment by showing zero bytes as NUL instead of whitespace. – Alexander Revo – 2015-12-09T01:03:04.770
Here is Java code that does the check: http://stackoverflow.com/a/35418180/875305
– 11101101b – 2016-02-15T20:12:39.380I found PE ]_ÙV in a 32 bit WPF application. – rleelr – 2016-03-11T11:50:24.693
@AnotherDayAnotherRob that's interesting. Technically, machine type is the two bytes after PE\0\0, so, assuming space in your comment is the two \0 bytes the value would be 0x5F5D (5D 5F if you open in HEX-editor due to endianness). There is nothing resembling that value in Microsoft PE and COFF Specification (section 2.3.1. Machine Types). Are you sure you were looking in the right place?
@AlexanderRevo my bad, I had another look at the file and it's PE L ]_ÙV (whitespace is non printable chars) I didn't spot the L first time. Have an upvote. – rleelr – 2016-03-14T11:28:56.683
I have my own program compiled (with Delphi) as 32/64 bit and the header is identical !!! So, it this method is not working always! – Ultralisk – 2016-07-04T10:48:27.127
@SolarWind there's no such thing as 32/64 bit executable on Windows. You're probably compiling it as 32-bit, which would work on both 32 and 64 bit systems. 64-bit Windows can run 32-bit programs just fine. – Alexander Revo – 2016-07-04T10:50:25.203
@AlexanderRevo: There is a compile option AnyCPU in Visual Studio. If this was the same as compiling for 32bit, why would they add this third option? – CodeManX – 2016-08-01T11:22:53.083
2
@CoDEmanX this option means the IDE or JIT makes the choice for you. See this question or this blog post for more details.
– Alexander Revo – 2016-08-01T11:30:29.453This is a fairly brittle solution. If you understand PE images, you should immediately see, that the first clear-text PE you find in a file may not actually be the PE header. Besides, without a documented contract, nothing of this is reliable, not today and certainly not for the future. Sorry, -1. – IInspectable – 2017-01-20T18:41:54.287
2@IInspectable if you had actually bothered to read the whole post before downvoting it, you would have seen the link to Microsoft PE and COFF Specification, which is as much a documented contract as it can get, as well as instructions on how to find the exact address of PE header in any .exe file. If you have a more reliable source than Microsoft's official specification on Microsoft's own executable format, I would love to know what that is. – Alexander Revo – 2017-01-21T10:07:25.323
@AlexanderRevo: "Check the first printable characters after the first occurrence of PE" - That's blatantly wrong, no? The PE header can be anywhere in the file. And while the PE file format is documented, the PIMAGE_DOS_HEADER is not. Also, right on the first page of that so-called "specification" you'll find: *"This document is provided to aid in the development of tools and applications for Windows but is not guaranteed to be a complete specification in all respects. Microsoft reserves the right to alter this document without notice"*. The down-vote is well deserved, sorry. – IInspectable – 2017-01-21T19:51:52.880
Doesn't work for me on an exe created with C++ native code, visual studio 2013. Using this technique one can conclude it's 32bit, but in fact it's 64-bit, and can be verified by dumpbin and sigcheck – zumalifeguard – 2017-10-12T17:40:37.067
@zumalifeguard can I have a look at that exe? – Alexander Revo – 2017-10-12T17:45:40.940
Sure Alexander. Give me your e-mail address and I'll send it to you. if you can, you can DM me your e-mail address on Twitter. – zumalifeguard – 2017-10-12T20:55:27.090
@zumalifeguard I can't seem to contact you on Twitter, and I'm not really a fan of idea to giving my email to people on the Internet (no offence). Could you maybe upload it on some kind of file sharing service, like Google Drive, or something? Thanks. – Alexander Revo – 2017-10-16T18:13:45.703
@zumalifeguard Thanks for sending me the .exe. I checked it using my technique and it shows PE d†, which is 64-bit, which is exactly what my post says it is. I'm not sure why you thought that my posts suggests it's a 32-bit one. – Alexander Revo – 2017-10-20T11:19:00.320
2First file I check, there's no "PE", only "MZ" so I guess this solution is not foolproof – NaturalBornCamper – 2017-11-08T17:21:44.807
1@NaturalBornCamper try running an actual search with your editor. – Alexander Revo – 2017-11-08T17:38:33.470
Yeah I tried with Notepad++ ;) Found another way that works 100% anyways, so it's all good thanks! – NaturalBornCamper – 2017-11-08T19:37:52.680
@NaturalBornCamper I'd like to study that .exe so that I could make my answer more accurate, if you don't mind and have the time to upload it somewhere, of course. I do have to say, though, that I have yet to see a single .exe that my answer didn't work for (so far it was only people misinterpreting the results) so excuse me if I am a bit skeptical. Anyway, my goal is provide accurate information, so I'd appreciate it if you could help me get my hands on that .exe :) – Alexander Revo – 2017-11-09T13:58:10.433
6For files that start with "MZ", you need to look a bit further. I found PE..L at offset 0x110, just after "RichMQ_........". – jnnnnn – 2018-05-24T04:20:22.233
Opened with XVI32 hex editor without any problems. Thanks – Hrvoje T – 2018-12-28T23:45:59.377
Thanks for the technique! It works for me, but note that this statement in your answer "the offset of PE Signature is located at offset 0x3C" is not always correct. Doxygen 32-bit EXE for example has PE header @ 0x108. In case anyone's interested this command will help apply this technique on linux: hexdump -C <file> | grep 'PE' | head -n 5 (gives first 5 matches of 'PE' in the file) – codesniffer – 2019-11-17T00:52:00.217
@codesniffer you are correct, however it says in the answer that "the offset of PE signature is located at offset 0x3C", not the signature itself. – Alexander Revo – 2019-11-17T09:46:04.357
129
The SDK tool dumpbin.exe with the /headers option includes this information, compare these two (I've added bold for the key information)
PS [64] E:\ #4> dumpbin /headers C:\Windows\system32\cmd.exe
Microsoft (R) COFF/PE Dumper Version 10.00.40219.01
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file C:\Windows\system32\cmd.exe
PE signature found
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
8664 machine (x64)
6 number of sections
4CE798E5 time date stamp Sat Nov 20 09:46:13 2010
0 file pointer to symbol table
0 number of symbols
F0 size of optional header
22 characteristics
Executable
Application can handle large (>2GB) addresses
[...]
and
PS [64] E:\ #5> dumpbin /headers C:\Windows\syswow64\cmd.exe
Microsoft (R) COFF/PE Dumper Version 10.00.40219.01
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file C:\Windows\syswow64\cmd.exe
PE signature found
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
14C machine (x86)
4 number of sections
4CE78E2B time date stamp Sat Nov 20 09:00:27 2010
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
102 characteristics
Executable
32 bit word machine
[...]
Richard
Posted 2011-11-17T10:29:58.673
Reputation: 8 152
3Dumpbin.exe is located here: C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\bin – Devid – 2014-07-30T11:12:02.490
3@David: not necessarily (different version of VS, not using the default install location, using version from the Windows SDK): that is why I didn't specify. – Richard – 2014-07-30T11:17:01.743
6
It's easiest to use dumpbin if you launch it from the visual studio command-line: http://stackoverflow.com/a/477389/1390430
– Ben – 2015-04-27T22:51:05.183It is kinda diffiicult for ppl who dont have visual studio installed. – Varad Mahashabde – 2017-06-01T05:49:41.857
system32 \cmd.exe shows x64 and syswow64 \cmd.exe shows x86.. So to confirm.. 8664 Machine is 64 bit. Right ? – Ashish Negi – 2017-10-07T12:26:26.067
1You could also see (IA64) for a 64bit Itanium exe. – Darryl Braaten – 2011-11-17T17:01:24.187
21as i read elsewhere on superuser, using dumpbin /headers | findstr "machine" greatly simplifies the presentation of what the QA is looking for... – user1055604 – 2013-03-17T14:10:16.880
50
If you don't have or want the whole Windows SDK or Visual Studio, you can use sigcheck.exe from SysInternals:
sigcheck.exe C:\Windows\Notepad.exe
Output:
Sigcheck v2.1 - File version and signature viewer
Copyright (C) 2004-2014 Mark Russinovich
Sysinternals - www.sysinternals.com
c:\windows\notepad.exe:
Verified: Signed
Signing date: 8:59 AM 8/22/2013
Publisher: Microsoft Windows
Description: Notepad
Product: Microsoft« Windows« Operating System
Prod version: 6.3.9600.16384
File version: 6.3.9600.16384 (winblue_rtm.130821-1623)
MachineType: 64-bit
briantist
Posted 2011-11-17T10:29:58.673
Reputation: 780
4Seems to be not always accurate: Try to use it with LinqPad.exe (AnyCPU-64bit version) and Sigcheck will tell you it's "32 bit" ... – Matt – 2017-10-18T13:55:38.337
@Matt interesting. LinqPad sounds like a .net app; I wonder if sigcheck only works correctly on native executables (for this purpose). – briantist – 2017-10-18T14:34:57.333
2Yes, it is a .NET app. In .NET, if it isn't precompiled, you can either target "x86" or "AnyCPU". "x86" will always run as 32 bit, but AnyCPU will run as 64bit on a 64 bit system, but as 32 bit on a 32 bit system. SigCheck should consider this and show at least ".NET 32 bit or 64 bit (AnyCPU)". ILSpy for example says in this case "Architecture: AnyCPU (64-bit preferred)" - but ILSpy will not work for non-.NET EXE's. – Matt – 2017-10-18T14:42:03.303
@Matt that makes a lot of sense then; the native "stub" is probably 32 bit and then it initiates the 64 bit runtime where appropriate? Good find. – briantist – 2017-10-18T14:43:26.660
1That might be the case, like the old "MZ" header which just is there for non-Windows ("DOS") OS saying "This application requires Microsoft Windows" ... ;-) – Matt – 2017-10-18T14:46:21.063
@Matt yesss it was actually a complete executable, and in visual studio you could set what you wanted it to be. You could literally support both DOS and Windows versions of the app in a single file, or the "DOS version" could do something completely different. I wrote an application for Windows, and then the DOS exe inside was its own menu system offering utilities to do things you had to do while Windows wasn't running (change start menu caption, etc.). – briantist – 2017-10-18T14:49:16.710
2Yeah, the good old times, where you had a DOS debugger in the shell and could disassemble the code (which just contained one single DOS call printing this message)... and replace the text by "The answer is 42." :-D – Matt – 2017-10-18T14:52:58.063
46
I can confirm that the file utility (e.g. from cygwin) will distinguish between 32- and 64-bit executables. They appear as follows:
32.exe: PE32 executable (GUI) Intel 80386, for MS Windows
64.exe: PE32+ executable (console) x86-64, for MS Windows
As you can see, it's very obvious which is which. Additionally it distinguishes between console and GUI executables, also obvious which is which.
wmassingham
Posted 2011-11-17T10:29:58.673
Reputation: 578
1This solution is pretty commonly available for any developers who have installed msysgit. – FrontierPsycho – 2017-02-06T15:59:56.907
Why executable files in windows have MZ instead of PE? – BattleTested – 2018-05-15T13:44:05.260
Worth noting that GNU utilities can be obtained as individual binaries if you otherwise don't need Cygwin. http://gnuwin32.sourceforge.net/packages/file.htm
– MJ Walsh – 2018-11-28T11:23:42.25033
A simple method is to run it (assuming you trust it) and take a look at the process tab in task manager. 32bit processes will show "* 32" at the end of the process name. If it's not something your willing to run on your computer you can try EXE Explorer. It will show a whole bunch of info on executables including if it's 32 or 64bit.
Dracs
Posted 2011-11-17T10:29:58.673
Reputation: 2 616
8How do you run a DLL? – user34660 – 2016-11-03T19:57:21.503
1@samusarin that should be in the post. – user34660 – 2017-12-15T01:22:48.820
@user34660 You're technically correct, a DLL doesn't have a main entry point and so will not execute as a stand alone process. There is an initialization function called when it is loaded but that isn't "main". – samis – 2017-12-18T19:21:05.050
9Unfortunately, this requires you to run the executable. Perhaps you need to check the architecture of the program as a troubleshooting method on why it is not running. – Mike Christiansen – 2012-10-02T16:20:11.017
28
Many people have the excellent 7-zip installed, and have added the 7-Zip folder to their PATH. 7-zip understands file formats other than ZIP and RAR, such as MSI files and PE executables. Simply use the command line 7z.exe on the PE file (Exe or DLL) in question:
7z l some.exe | more
7z l some.exe | findstr CPU
Output will include lines as follows, with the CPU line reading either x86 or x64, which is what is being asked here:
Path = C:\Extra\AV\neroAacEnc.exe
Type = PE
CPU = x86
Characteristics = Executable 32-bit
Path = C:\Extra\AV\LAME\lame_enc.dll
Type = PE
CPU = x86
Characteristics = Executable DLL 32-bit
Path = C:\Extra\AV\FFmpeg\bin\ffmpeg.exe
Type = PE
CPU = x64
64-bit = +
Characteristics = Executable LargeAddress NoRelocs NoLineNums NoLocalSyms NoDebugInfo
Path = C:\Extra\AV\FFmpeg\bin\avcodec-56.dll
Type = PE
CPU = x64
64-bit = +
Characteristics = Executable DLL LargeAddress NoLineNums NoLocalSyms NoDebugInfo
Lumi
Posted 2011-11-17T10:29:58.673
Reputation: 1 223
wow I've never known that 7z can do this. Probably it contains a file implementation inside? – phuclv – 2018-09-21T16:58:11.940
21
The 64-bit version of Process Explorer can tell you. Simply run the executable and open the process's properties window. On the main tab there's an entry which says "Image:32 Bit" or "Image:64 Bit".
Andrew Lambert
Posted 2011-11-17T10:29:58.673
Reputation: 7 136
This is the easiest method for me I think, unless the executable exits too fast. – starbeamrainbowlabs – 2015-01-27T11:00:03.853
11How do you run a DLL? – user34660 – 2016-11-03T19:58:54.580
25Simply run the executable And what if you don’t want to run the program? – Synetech – 2014-02-06T09:23:19.033
4@Synetech The original question doesn't imply that's the case. – Andrew Lambert – 2014-02-06T18:13:33.453
17
Most simple way (when the data aren't confidential)
I find that Virustotal File detail is the simplest way to find out if a binary is 32 bit or 64 bit.
The Additional information option provides in addition much helpful informations about the file.
marsh-wiggle
Posted 2011-11-17T10:29:58.673
Reputation: 2 357
14
The method of running an executable & then checking in process explorer or similar tool, has some obvious drawbacks:
- We have to execute the process.
- For the short lived processes (like echo hello world types.), process explorer might not even register that a new process has started.
Dumpbin.exe method can solve the purpose probably.
Another alternative would be to use cygwin's file command. However, I have not tested it on windows. It works well on Linuxes.
Usage: file program_under_test.exe
EDIT: Just tested file.exe on window. works fine. :)
anishsane
Posted 2011-11-17T10:29:58.673
Reputation: 845
@MarcH No, it told you it's a .NET assembly, which doesn't have bit-ness. It's neither win32 nor win64, it's .NET. – clacke – 2014-12-11T13:55:54.790
@clacke interesting thanks. Now here is something even more interesting: /cygdrive/c/Program Files/Syncplicity/Syncplicity.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows This one runs without any *32 in task manager. – MarcH – 2014-12-14T18:02:26.753
... and sigcheck.exe reports Syncplicity.exe as 32 bits. – MarcH – 2014-12-14T18:09:00.437
1@MarcH Ha! That is interesting. I'm guessing that means the .NET runtime stub is 32-bit. So it runs a 32-bit process for a fraction of a second, but all that process does is start the .NET runtime, which creates a native 64-bit process. – clacke – 2014-12-16T15:15:27.353
Makes me think that PE32+ .NET files make no sense, they should all be PE32 to make sure they run on both platforms. But maybe the stub code never runs -- it's possible that Windows discovers that it's a .NET binary and just runs .NET directly. Would be great to hear a comment from someone who actually knows. :-) – clacke – 2014-12-16T15:17:31.973
1
It seems that Windows 2000 ran the stub to initiate the .NET runtime, but XP and later detects a .NET binary and runs .NET itself. It doesn't create a new process though, it starts .NET in the existing process and if it's a PE32 on a 64-bit system, it converts it in-memory to PE32+ before proceeding. https://social.microsoft.com/Forums/ru-RU/14d2158d-9df7-448b-a2ac-adfcac2be6cb/how-does-the-clr-get-loaded
– clacke – 2014-12-16T15:28:20.267This adds nothing that wasn't said by Dracs or Richard. This still requires running the program which the author wanted to avoid. – Ramhound – 2012-10-19T10:45:37.270
1Just wanted to say, that there are some situations, where Dracs's method will not be much helpful. – anishsane – 2012-10-19T10:49:11.213
3ockquote>
This still requires running the program which the author wanted to avoid:
No.. we run it like: file.exe program_under_test.exe – anishsane – 2012-10-19T10:49:56.953
1
And those who wish to avoid installing the whole cygwin package can grab the gnuwin32 file package.
I just ran the cygwin "file" command and it says nothing about 32 versus 64 bits:
MS-DOS executable PE for MS Windows (console), Mono/.Net assembly – MarcH – 2013-09-04T12:14:23.477
Looks like your 'file' binary itself is 32 bit. Hence it will not be able to detect 32 vs 64 bit. You need 64 bit version of file utility. Check here: http://cygwin.com/ml/cygwin-announce/2013-07/msg00030.html
– anishsane – 2013-09-04T12:25:30.6476@anishsane Completely wrong. file simply reads data from the disk in binary format and checks for any magic numbers identifying them, comparing against a database. Windows' 32-bit programs come up as PE32, and both 64-bit and .NET programs come up as PE32+. The bitness of file itself makes absolutely zero difference - both 32-bit and 64-bit applications can read data from the disk, which is all it needs. – Bob – 2014-01-17T02:24:01.310
13
Here's a Powershell solution, no external dependencies or anything. Open Powershell, paste the function in there (hit Enter twice so that you return to the prompt), then use it as in my examples below the function:
function Test-is64Bit {
param($FilePath=“$env:windir\notepad.exe”)
[int32]$MACHINE_OFFSET = 4
[int32]$PE_POINTER_OFFSET = 60
[byte[]]$data = New-Object -TypeName System.Byte[] -ArgumentList 4096
$stream = New-Object -TypeName System.IO.FileStream -ArgumentList ($FilePath, 'Open', 'Read')
$stream.Read($data, 0, 4096) | Out-Null
[int32]$PE_HEADER_ADDR = [System.BitConverter]::ToInt32($data, $PE_POINTER_OFFSET)
[int32]$machineUint = [System.BitConverter]::ToUInt16($data, $PE_HEADER_ADDR + $MACHINE_OFFSET)
$stream.Close()
$result = "" | select FilePath, FileType, Is64Bit
$result.FilePath = $FilePath
$result.Is64Bit = $false
switch ($machineUint)
{
0 { $result.FileType = 'Native' }
0x014c { $result.FileType = 'x86' }
0x0200 { $result.FileType = 'Itanium' }
0x8664 { $result.FileType = 'x64'; $result.is64Bit = $true; }
}
$result
}
Here's example output:
D:\> Test-is64bit
FilePath FileType Is64Bit
-------- -------- -------
C:\Windows\notepad.exe x64 True
D:\> Test-is64bit 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
FilePath FileType Is64Bit
-------- -------- -------
C:\Program Files (x86)\Mozilla Firefox\firefox.exe x86 False
megamorf
Posted 2011-11-17T10:29:58.673
Reputation: 1 494
Slickness. The above script seems to leave a reference to the file open. Couldn't build until I first closed powershell (ran script to interrogate DLL in \bin). – samis – 2016-10-20T13:27:16.473
1Very cool. +1. Itanium is definitely 64bit though :) – Rich Homolka – 2017-07-13T21:24:01.287
@samusarin: maybe add $stream.dispose(); after the close? Should release file handles. ( https://stackoverflow.com/questions/1999858/how-bad-is-it-to-not-dispose-in-powershell )
9
Even an executable marked as 32-bit can run as 64-bit if, for example, it's a .NET executable that can run as 32- or 64-bit. For more information see https://stackoverflow.com/questions/3782191/how-do-i-determine-if-a-net-application-is-32-or-64-bit, which has an answer that says that the CORFLAGS utility can be used to determine how a .NET application will run.
CORFLAGS.EXE output
For 32-bit executable:
Version : v2.0.50727
CLR Header: 2.5
PE : PE32
CorFlags : 0x3
ILONLY : 1
32BITREQ : 1
32BITPREF : 0
Signed : 0
For 64-bit executable:
Version : v2.0.50727
CLR Header: 2.5
PE : PE32+
CorFlags : 0x1
ILONLY : 1
32BITREQ : 0
32BITPREF : 0
Signed : 0
For executable that can run as 32- or 64-bit and will run as 64-bit when possible:
Version : v2.0.50727
CLR Header: 2.5
PE : PE32
CorFlags : 0x1
ILONLY : 1
32BITREQ : 0
32BITPREF : 0
Signed : 0
For executable that can run as 32- or 64-bit, but will run as 32-bit unless loaded into a 64-bit process:
Version : v4.0.30319
CLR Header: 2.5
PE : PE32
CorFlags : 0x20003
ILONLY : 1
32BITREQ : 0
32BITPREF : 1
Signed : 0
BlueMonkMN
Posted 2011-11-17T10:29:58.673
Reputation: 385
Cool command, but it won't work for native (non-managed) executables / dlls. (corflags : error CF008 : The specified file does not have a valid managed header) – Tomasz Gandor – 2016-09-15T08:08:03.283
@TomaszGandor Yes, the context of this answer was managed code only. Unmanaged code is answered by the other answers. As far as I know, only managed code can switch between executing as both 32- and 64-bit. – BlueMonkMN – 2018-08-25T14:24:08.360
6
My two cents will be just download dependency walker and check what for architecture has been used in one of the executable file.
How to use it:
Just simply download app, start it up, click on open icon → find an *.exe file → select and on the bottom after reflection scan is done you see a grid with data where one column has "architecture" details in it (x86, x64)
Open executable and see the build architecture
stenly
Posted 2011-11-17T10:29:58.673
Reputation: 161
5
How to add 32/64 bit test to your context menu
Create a text file named exetest.reg and containing this code:
Windows Registry Editor Version 5.00
; What will appear in the contextual menu when right-clicking on a .exe file
[HKEY_CLASSES_ROOT\exefile\shell\command32_64]
@="32/64 bit test"
; What to do with it
; here, %1 is the file given as argument of the script
[HKEY_CLASSES_ROOT\exefile\shell\command32_64\command]
@="\"c:\\temp\\x86TestStart.bat\" \"%1\""
Create a text file named x86TestStart.bat containing just this line of code and save it in C:\temp:
c:\temp\x86or64.vbs %1
Create a text file named x86or64.vbs containing this code and save it in C:\temp:
rem Reading binary file in VBScript: http://stackoverflow.com/questions/21249440/modify-first-two-bytes-of-a-file-using-vbscript
rem Info on executables: https://dmoj.ca/problem/exe
rem x86/64 signature is located dinamycally; its position is addressed
rem from bytes in 0x3C-0x3D position.
rem Possible signatures;
rem "PE..L" (hex code: 50.45.00.00.4C) = 32 bit
rem "PE..d†" (hex code: 50.45.00.00.64.86) = 64 bit
' ------------------------------------
' Source code by Jumpkack 2015
' ------------------------------------
' Read all arguments from command line:
Set args = Wscript.Arguments
' Store first argument (full path to file)
FileName = args(0)
' Find address of executable signature:
FirstChars = readBinary(FileName)
FirstChars = FirstChars
Addr1 = asc(mid(FirstChars,61,1))
Addr2 = asc(mid(FirstChars,62,1))
AddrFinal = Addr2*256 + Addr1 + 1
' Check signature:
if ucase(hex(asc(mid(FirstChars,AddrFinal+4,2)))) = "4C" then Wscript.Echo Filename & " is a 32 bit executable."
if ucase(hex(asc(mid(FirstChars,AddrFinal+4,2)))) = "64" then Wscript.Echo Filename & " is a 64 bit executable."
Function readBinary(path)
Dim a, fso, file, i, ts
Set fso = CreateObject("Scripting.FileSystemObject")
Set file = fso.getFile(path)
If isNull(file) Then
wscript.echo "File not found: " & path
Exit Function
End If
Set ts = file.OpenAsTextStream()
'a = makeArray(file.size)
a=""
i = 0
While (Not ts.atEndOfStream) and (i<60000)
'a(i) = ts.read(1)
a = a + ts.read(1)
i = i + 1
Wend
ts.close
readBinary = a
End Function
Double click on exetest.reg file: a new key will be added in the windows registry:
[HKEY_CLASSES_ROOT\exefile\shell\command32_64\command]
It will appear as "32/64 bit test" in context menu upon right clicking on an executable file.
Clicking the item will result in starting batch file c:\\temp\\x86TestStart.bat\, which starts VBscript file x86or64.vbs , which reads exe signature and shows result.
If you cannot or don't want to tamper with registry, just copy the .vbs file in QuickLaunch bar, and drag executable over it.
jumpjack
Posted 2011-11-17T10:29:58.673
Reputation: 288
5
you can also use the file tool from within the msys bundle of mingw. It works like the unix command. Similar works the file tool from GNUwin32.
Bastian Ebeling
Posted 2011-11-17T10:29:58.673
Reputation: 211
5
If you are on Windows 7, on a Windows Explorer, right click on the executable and select Properties. At the properties window select the Compatibility tab. If under the Compatibility Mode section you see Windows XP, this is a 32 bit executable. If you see Windows Vista, it is 64 bit.
axxis
Posted 2011-11-17T10:29:58.673
Reputation: 179
-1 not true at all. Various 32 and 64 bit binaries are all shown an Compatibility Mode of Windows 8 – Peter Hahndorf – 2015-06-16T12:14:45.060
@Peter I've tried quite a few on Windows 7 and it always worked for me. Could you give an example of a binary where the default compatibility mode is Windows 8? Also what Windows are you on? Thanks. – axxis – 2015-06-16T18:46:01.573
I'm on Server 2012 R2 and tried a few random binaries. Some 32bit ones show as Windows XP SP2 but others show as Vista or Windows 8. So this method is not correct. – Peter Hahndorf – 2015-06-18T03:27:04.533
@PeterHahndorf their language is a bit off but what he meant is when you open up the compatibility drop-down, if XP is an option at all it is 32bit. Otherwise if the only options you have are Vista-onwards, it's x64 – Hashbrown – 2019-10-14T04:27:40.467
2
I haven't seen this mentioned. There is a PE viewer program called CFF Explorer by NTCore, which can provide you this information. It can be downloaded and run as portable, but you can install it as well, if you wish.
Right click on the binary (.exe, .dll etc.) and select "Open with CFF Explorer". Go to Nt Headers -> File Header -> On the "Characteristics" field click "Click here"
If it's a 32bit program, the checkbox "32 bit word machine" will be ticked. For instance, i have installed the 32bit version of Notepad++ as you can see in the image below. Otherwise, it's 64bit.
Nikos
Posted 2011-11-17T10:29:58.673
Reputation: 159
There is a quicker way with CFF explorer: immediately when loading a file, under "file type" you have "Portable Executable 64" or "Portable Executable 32" – Arthur.V – 2019-09-05T11:25:31.220
2
Yet, WSL's file command works greatly.
file /mnt/c/p/bin/rg.exe would output:
/mnt/c/p/bin/rg.exe: PE32+ executable (console) x86-64, for MS Windows
file /mnt/c/p/bin/u.exe would output:
/mnt/c/p/bin/u.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Bohr
Posted 2011-11-17T10:29:58.673
Reputation: 466
1
my two cents:
as a C++ developer, dependency walker (http://www.dependencywalker.com/) is very informative, not only displays 64/32 bits, but also every Dll involved:
You can see 64 on left of every file name...
ingconti
Posted 2011-11-17T10:29:58.673
Reputation: 111
1Screenshot does not display the answer - 32bit vs 64bit info... – TomEus – 2017-09-28T07:51:38.183
@TomEus there's "64" in the screenshot, but not in the file name but inside the file logo (on the right side) – phuclv – 2020-01-18T02:11:08.830
0
The platform column in the task manager of windows 10
Windows 7 doesn't have a platform column. So Windows 7 task manager won't show it.
In windows 10 choosing columns is not under 'view' anymore. In Windows 10, when in the details tab, you right click column header then 'select columns'. Then check the box for 'platform'.
barlop
Posted 2011-11-17T10:29:58.673
Reputation: 18 677
1This requires running the application, which might be undesirable. Also, you "cannot" run a DLL. – Andreas Rejbrand – 2019-11-12T09:26:23.167
@AndreasRejbrand fair point in a sense, though he didn't mention a dll, he just said application.. also, and the DLL will match the EXE in 'bitness' – barlop – 2019-11-12T19:42:16.963
0
- run the application
- open Task Manager
- right click and create dump file
- note down path
- go to path and open
.DMPdump in Visual Studio - there you get all the details
- check process architecture:
user429538
Posted 2011-11-17T10:29:58.673
Reputation: 9
4I feel obligated to underscore the fact that this answer requires running the application. Previous commenters suggested that this might be undesirable. Also, Visual Studio will not automatically be available on all Windows platforms. – G-Man Says 'Reinstate Monica' – 2015-03-19T13:46:05.477
This question is similar, however it requires some work to check it. – ST3 – 2014-08-08T11:42:49.493
4@Guillaume: Executable images are not processes. Task Manager only shows processes. – IInspectable – 2017-04-12T16:03:03.767
How do I determine whether an application I am installing is 32bit or 64bit? – phuclv – 2018-10-20T05:25:22.807