How to check if a binary is 32 or 64 bit on Windows?

Question

Is there an easy way to check if a binary is 32 or 64 bit on Windows? I need to check before I move the program to a 32bit machine and experience a spectacular failure.

Answer 1

After examining header values from Richard's answer, I came up with a solution which is fast, easy, and only requires a text editor. Even Windows' default notepad.exe would work.

1. Open the executable in a text editor. You might have to drag-and-drop or use the editor's Open... dialog, because Windows doesn't show Open with... option in the context menu for executables.

2. Check the first printable characters after the first occurrence of PE. This part is most likely to be surrounded by at least some whitespace (could be a lot of it), so it can be easily done visually.

Here is what you're going to find:

32-bit:

PE  L

64-bit:

PE  d†

A word of warning: using default Notepad on big files can be very slow, so better not use it for files larger than a megabyte or a few. In my case, it took about 30 seconds to display a 12 MiB file. Notepad++, however, was able to display a 120 MiB executable almost instantly.

This is solution might be useful in case you need to inspect a file on a machine you can't install any additional software on.

Additional info:

If you have a HEX-Editor available, the offset of PE Signature is located at offset 0x3C. The signature is PE\0\0 (letters "P" and "E" followed by two null bytes), followed by a two-byte Machine Type in Little Endian.

The relevant values are 0x8664 for a 64-bit executable and 0x014c for a 32-bit one (64 86 and 4c 01 respectively when adjusted for endianness, but any decent hex editor will automatically handle endianness when you search for a hex value). There are a lot more possible values, but you probably won't ever encounter any of these, or be able to run such executables on your Windows PC.

Full list of machine types, along with the rest of .exe specifications, can be found in Microsoft PE and COFF Specification Machine Types section.

Answer 2

The SDK tool dumpbin.exe with the /headers option includes this information, compare these two (I've added bold for the key information)

PS [64] E:\ #4> dumpbin /headers C:\Windows\system32\cmd.exe
Microsoft (R) COFF/PE Dumper Version 10.00.40219.01
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file C:\Windows\system32\cmd.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
            8664 machine (x64)
               6 number of sections
        4CE798E5 time date stamp Sat Nov 20 09:46:13 2010
               0 file pointer to symbol table
               0 number of symbols
              F0 size of optional header
              22 characteristics
                   Executable
                   Application can handle large (>2GB) addresses
[...]

and

PS [64] E:\ #5> dumpbin /headers C:\Windows\syswow64\cmd.exe
Microsoft (R) COFF/PE Dumper Version 10.00.40219.01
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file C:\Windows\syswow64\cmd.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
             14C machine (x86)
               4 number of sections
        4CE78E2B time date stamp Sat Nov 20 09:00:27 2010
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
             102 characteristics
                   Executable
                   32 bit word machine
[...]

Answer 3

If you don't have or want the whole Windows SDK or Visual Studio, you can use sigcheck.exe from SysInternals:

sigcheck.exe C:\Windows\Notepad.exe

Output:

Sigcheck v2.1 - File version and signature viewer
Copyright (C) 2004-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\notepad.exe:
    Verified:       Signed
    Signing date:   8:59 AM 8/22/2013
    Publisher:      Microsoft Windows
    Description:    Notepad
    Product:        Microsoft« Windows« Operating System
    Prod version:   6.3.9600.16384
    File version:   6.3.9600.16384 (winblue_rtm.130821-1623)
    MachineType:    64-bit

Answer 4

I can confirm that the file utility (e.g. from cygwin) will distinguish between 32- and 64-bit executables. They appear as follows:

32.exe: PE32 executable (GUI) Intel 80386, for MS Windows
64.exe: PE32+ executable (console) x86-64, for MS Windows

As you can see, it's very obvious which is which. Additionally it distinguishes between console and GUI executables, also obvious which is which.

Answer 5

Many people have the excellent 7-zip installed, and have added the 7-Zip folder to their PATH. 7-zip understands file formats other than ZIP and RAR, such as MSI files and PE executables. Simply use the command line 7z.exe on the PE file (Exe or DLL) in question:

7z l some.exe | more
7z l some.exe | findstr CPU

Output will include lines as follows, with the CPU line reading either x86 or x64, which is what is being asked here:

Path = C:\Extra\AV\neroAacEnc.exe
Type = PE
CPU = x86
Characteristics = Executable 32-bit

Path = C:\Extra\AV\LAME\lame_enc.dll
Type = PE
CPU = x86
Characteristics = Executable DLL 32-bit

Path = C:\Extra\AV\FFmpeg\bin\ffmpeg.exe
Type = PE
CPU = x64
64-bit = +
Characteristics = Executable LargeAddress NoRelocs NoLineNums NoLocalSyms NoDebugInfo

Path = C:\Extra\AV\FFmpeg\bin\avcodec-56.dll
Type = PE
CPU = x64
64-bit = +
Characteristics = Executable DLL LargeAddress NoLineNums NoLocalSyms NoDebugInfo

Answer 6

A simple method is to run it (assuming you trust it) and take a look at the process tab in task manager. 32bit processes will show "* 32" at the end of the process name. If it's not something your willing to run on your computer you can try EXE Explorer. It will show a whole bunch of info on executables including if it's 32 or 64bit.

Answer 7

Here's a Powershell solution, no external dependencies or anything. Open Powershell, paste the function in there (hit Enter twice so that you return to the prompt), then use it as in my examples below the function:

function Test-is64Bit {
    param($FilePath=“$env:windir\notepad.exe”)

    [int32]$MACHINE_OFFSET = 4
    [int32]$PE_POINTER_OFFSET = 60

    [byte[]]$data = New-Object -TypeName System.Byte[] -ArgumentList 4096
    $stream = New-Object -TypeName System.IO.FileStream -ArgumentList ($FilePath, 'Open', 'Read')
    $stream.Read($data, 0, 4096) | Out-Null

    [int32]$PE_HEADER_ADDR = [System.BitConverter]::ToInt32($data, $PE_POINTER_OFFSET)
    [int32]$machineUint = [System.BitConverter]::ToUInt16($data, $PE_HEADER_ADDR + $MACHINE_OFFSET)
    $stream.Close()

    $result = "" | select FilePath, FileType, Is64Bit
    $result.FilePath = $FilePath
    $result.Is64Bit = $false

    switch ($machineUint) 
    {
        0      { $result.FileType = 'Native' }
        0x014c { $result.FileType = 'x86' }
        0x0200 { $result.FileType = 'Itanium' }
        0x8664 { $result.FileType = 'x64'; $result.is64Bit = $true; }
    }

    $result
}

Here's example output:

D:\> Test-is64bit

FilePath               FileType Is64Bit
--------               -------- -------
C:\Windows\notepad.exe x64         True


D:\> Test-is64bit 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'

FilePath                                           FileType Is64Bit
--------                                           -------- -------
C:\Program Files (x86)\Mozilla Firefox\firefox.exe x86        False

Answer 8

The 64-bit version of Process Explorer can tell you. Simply run the executable and open the process's properties window. On the main tab there's an entry which says "Image:32 Bit" or "Image:64 Bit".

Answer 9

Most simple way (when the data aren't confidential)

I find that Virustotal File detail is the simplest way to find out if a binary is 32 bit or 64 bit.

The Additional information option provides in addition much helpful informations about the file.

---

Answer 10

The method of running an executable & then checking in process explorer or similar tool, has some obvious drawbacks:

1. We have to execute the process.
2. For the short lived processes (like echo hello world types.), process explorer might not even register that a new process has started.

Dumpbin.exe method can solve the purpose probably.

Another alternative would be to use cygwin's file command. However, I have not tested it on windows. It works well on Linuxes.

Usage: file program_under_test.exe

EDIT: Just tested file.exe on window. works fine. :)

Answer 11

My two cents will be just download dependency walker and check what for architecture has been used in one of the executable file.

How to use it:

Just simply download app, start it up, click on open icon → find an *.exe file → select and on the bottom after reflection scan is done you see a grid with data where one column has "architecture" details in it (x86, x64)

Open executable and see the build architecture

Answer 12

Even an executable marked as 32-bit can run as 64-bit if, for example, it's a .NET executable that can run as 32- or 64-bit. For more information see https://stackoverflow.com/questions/3782191/how-do-i-determine-if-a-net-application-is-32-or-64-bit, which has an answer that says that the CORFLAGS utility can be used to determine how a .NET application will run.

CORFLAGS.EXE output

For 32-bit executable:

Version   : v2.0.50727
CLR Header: 2.5
PE        : PE32
CorFlags  : 0x3
ILONLY    : 1
32BITREQ  : 1
32BITPREF : 0
Signed    : 0

For 64-bit executable:

Version   : v2.0.50727
CLR Header: 2.5
PE        : PE32+
CorFlags  : 0x1
ILONLY    : 1
32BITREQ  : 0
32BITPREF : 0
Signed    : 0

For executable that can run as 32- or 64-bit and will run as 64-bit when possible:

Version   : v2.0.50727
CLR Header: 2.5
PE        : PE32
CorFlags  : 0x1
ILONLY    : 1
32BITREQ  : 0
32BITPREF : 0
Signed    : 0

For executable that can run as 32- or 64-bit, but will run as 32-bit unless loaded into a 64-bit process:

Version   : v4.0.30319
CLR Header: 2.5
PE        : PE32
CorFlags  : 0x20003
ILONLY    : 1
32BITREQ  : 0
32BITPREF : 1
Signed    : 0

Answer 13

If you are on Windows 7, on a Windows Explorer, right click on the executable and select Properties. At the properties window select the Compatibility tab. If under the Compatibility Mode section you see Windows XP, this is a 32 bit executable. If you see Windows Vista, it is 64 bit.

Answer 14

How to add 32/64 bit test to your context menu

Create a text file named exetest.reg and containing this code:

Windows Registry Editor Version 5.00

; What will appear in the contextual menu when right-clicking on a .exe file
[HKEY_CLASSES_ROOT\exefile\shell\command32_64]
@="32/64 bit test"

; What to do with it
; here, %1 is the file given as argument of the script
[HKEY_CLASSES_ROOT\exefile\shell\command32_64\command]
@="\"c:\\temp\\x86TestStart.bat\" \"%1\""

Create a text file named x86TestStart.bat containing just this line of code and save it in C:\temp:

c:\temp\x86or64.vbs %1

Create a text file named x86or64.vbs containing this code and save it in C:\temp:

rem Reading binary file in VBScript: http://stackoverflow.com/questions/21249440/modify-first-two-bytes-of-a-file-using-vbscript
rem Info on executables: https://dmoj.ca/problem/exe

rem x86/64 signature is located dinamycally; its position is addressed
rem from bytes in 0x3C-0x3D position.

rem Possible signatures;
rem "PE..L" (hex code: 50.45.00.00.4C) = 32 bit
rem "PE..d†" (hex code: 50.45.00.00.64.86) = 64 bit

' ------------------------------------
' Source code by Jumpkack 2015
' ------------------------------------

' Read all arguments from command line:
Set args = Wscript.Arguments

' Store first argument (full path to file)
FileName = args(0)

' Find address of executable signature:
FirstChars = readBinary(FileName)
FirstChars = FirstChars
Addr1 = asc(mid(FirstChars,61,1))
Addr2 = asc(mid(FirstChars,62,1))
AddrFinal = Addr2*256 + Addr1 + 1

' Check signature:
if ucase(hex(asc(mid(FirstChars,AddrFinal+4,2)))) = "4C" then Wscript.Echo Filename & " is a 32 bit executable."
if ucase(hex(asc(mid(FirstChars,AddrFinal+4,2)))) = "64" then Wscript.Echo Filename & " is a 64 bit executable."


Function readBinary(path)
    Dim a, fso, file, i, ts
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set file = fso.getFile(path)
    If isNull(file) Then
        wscript.echo "File not found: " & path
        Exit Function
    End If
    Set ts = file.OpenAsTextStream()
    'a = makeArray(file.size)
    a=""
    i = 0
    While (Not ts.atEndOfStream) and (i<60000)
       'a(i) = ts.read(1)
       a = a + ts.read(1)
       i = i + 1
    Wend
    ts.close
    readBinary = a
 End Function

Double click on exetest.reg file: a new key will be added in the windows registry:

[HKEY_CLASSES_ROOT\exefile\shell\command32_64\command]

It will appear as "32/64 bit test" in context menu upon right clicking on an executable file.

Clicking the item will result in starting batch file c:\\temp\\x86TestStart.bat\, which starts VBscript file x86or64.vbs , which reads exe signature and shows result.

If you cannot or don't want to tamper with registry, just copy the .vbs file in QuickLaunch bar, and drag executable over it.

Answer 15

Yet, WSL's file command works greatly.

file /mnt/c/p/bin/rg.exe would output:

/mnt/c/p/bin/rg.exe: PE32+ executable (console) x86-64, for MS Windows

file /mnt/c/p/bin/u.exe would output:

/mnt/c/p/bin/u.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

Answer 16

The platform column in the task manager of windows 10

Windows 7 doesn't have a platform column. So Windows 7 task manager won't show it.

In windows 10 choosing columns is not under 'view' anymore. In Windows 10, when in the details tab, you right click column header then 'select columns'. Then check the box for 'platform'.

Answer 17

you can also use the file tool from within the msys2 bundle of mingw-w64. It works like the unix command. Similar works the file tool from GNUwin32.

Answer 18

The Simplest Solution is that the 32-bit version has windows XP listed on the compatibility tab of the properties ( tested on Windows 7 & 10 ) of the executable file.

Firefox 32 Bit:

Firefox 64 Bit:

Answer 19

I haven't seen this mentioned. There is a PE viewer program called CFF Explorer by NTCore, which can provide you this information. It can be downloaded and run as portable, but you can install it as well, if you wish.

Right click on the binary (.exe, .dll etc.) and select "Open with CFF Explorer". Go to Nt Headers -> File Header -> On the "Characteristics" field click "Click here"

If it's a 32bit program, the checkbox "32 bit word machine" will be ticked. For instance, i have installed the 32bit version of Notepad++ as you can see in the image below. Otherwise, it's 64bit.

Answer 20

my two cents: as a C++ developer, dependency walker (http://www.dependencywalker.com/) is very informative, not only displays 64/32 bits, but also every Dll involved:

You can see 64 on left of every file name...

Answer 21

My simple version in Powershell, seems to be 100% reliable from my tests.

Clear-Host
$Check32Bit = $null
$Check64Bit = $null

$File = "C:\WINDOWS\system32\notepad.exe"

$ExeData = get-content $File -totalcount 50

$Check32Bit = $ExeData | select-string -Pattern "PE..L" -Quiet
$Check64Bit = $ExeData | select-string -Pattern "PE..d†" -Quiet

if ($Check32Bit) {
"File is 32bit (x86)"
}
elseif ($Check64Bit) {
"File is 64bit (x64)"
}
else {
"Couldn't identify if the file is 32bit or 64bit"
}

Answer 22

As pointed out in a comment by @user1055604, the easiest out-of-the-box way of doing this on Windows 10 is:

dumpbin /headers yourfile.lib | findstr "machine"

This one-liner will produce an intuitive result as an output. For example, on a 64-bit library I just tested, it printed the following:

8664 machine (x64)

Answer 23

Many excellent answers already, some claiming "most simple", but the absolute simplest way is inspecting the folder path.

C:\Program Files (x86)\ has only 32-bit stuff

Answer 24

You can use corflags from VS command prompt to change machine type

https://docs.microsoft.com/en-us/dotnet/framework/tools/corflags-exe-corflags-conversion-tool

Change Machine Type:

corflags d:\abc.exe /32BITREQ- 

Verify using corflags:

corflags d:\abc.exe 

32BITREQ : 0 ** 0 means 64 bit

Answer 25

I know they are many answers here, but none of them are really portable and require some kind of tool to use. I wanted to solve this in a programmatic way for all platforms. This will work on anything with a C compiler.

#include <stdio.h>
#include <fstream>      // std::fstream
#include <stdio.h>
#include <string.h>


char Header      [0x200];
char Elf32Magic  [20] = "\x7f\x45\x4c\x46\01";  //7F 45 4C 46  01 // ELF32 
char Elf64Magic  [20] = "\x7f\x45\x4c\x46\02";  //7F 45 4C 46  02 // ELF64
char Win32Magic  [20] = "\x50\x45\x00\x00\x4C\x01";// PE32
char Win64Magic  [20] = "\x50\x45\x00\x00\x64\x86";// PE64

char PeHeader[20] = {};
void CheckWinHeader(){
  int k = 0;
  for (int i = 0; i < 0x200; i++)
  {
   if(Header[i] == 0x50 && Header[i+1] == 0x45) // PE     
     {

      for(int j = i; j < i + 6; j++)
      {
        PeHeader[k] = Header[j];
        k++;
       //printf("%hhx", Header[j]); 
      }
     }
  }
}


int main(){
  std::fstream fs; 
  fs.open ("/home/PATH/TO/YOUR/BINARY", std::fstream::in | std::fstream::out | std::fstream::app);
  fs.read( Header , 0x200);
 
  if(memcmp ( Header, Elf32Magic, 5 ) == 0 ){
    printf("ELF 32 Match Found ! \n");
  }
  if(memcmp ( Header, Elf64Magic, 5 ) == 0 ){
    printf("Elf 64 Match Found ! \n");
  }

  CheckWinHeader();

  if(memcmp ( &PeHeader, Win32Magic, 6 ) == 0 ){
    printf("Win 32 Match Found ! \n");
  }

  if(memcmp ( &PeHeader, Win64Magic, 6 ) == 0 ){
    printf("Win 64 Match Found ! \n");
  }

 fs.close();
 return 0;
}

compile by using any compiler. I used g++.

g++ Bincheck.cpp -o bincheck
./bincheck

Answer 26

If you want to scan a folder structure for 32/64 bit DLL's or executables, you can also try a free tool called ScanFor64bit, found at: https://canservices.nl/download-tools ScanFor64bit allows you to enter a drive-letter or directory-path and one or more filemasks to scan for 32 or 64 bitness. The result is a list sorted by 32bit files first and 64bit second. I have used it a lot to check computers with Java to make sure the 64 bit version is used.

Output example of ScanFor64bit:

Answer 27

Something different from all the excellent answers above, but use PowerShell to search for the telltale "This program must be run under Win32"?

PS C:\Program Files\Snap Inc> ls -R . -filter *.exe | % { $file = $_; Select-String -Path $_ -Encoding 'oem' -Pattern 'under Win32' -SimpleMatch -Quiet } | % { Write-Output "$file is Win32: $_" }

Snap Camera.exe is Win32: False
unins000.exe is Win32: True
installer.exe is Win32: False

This also matches the results for the PE L and PE d† trick.

Answer 28

• run the application
• open Task Manager
• right click and create dump file
• note down path
• go to path and open .DMP dump in Visual Studio
• there you get all the details
• check process architecture: