How to check if a binary is 32 or 64 bit on Windows?

After examining header values from Richard's answer, I came up with a solution which is fast, easy, and only requires a text editor. Even Windows' default notepad.exe would work.

  1. Open the executable in a text editor. You might have to drag-and-drop or use the editor's Open... dialog, because Windows doesn't show the Open with... option in the context menu for executables.

  2. Check the first printable characters after the first occurrence of PE. This part is most likely to be surrounded by at least some whitespace (could be a lot of it), so it can be easily done visually.

Here is what you're going to find:

32-bit:

PE  L

64-bit:

PE  d†

A word of warning: using default Notepad on big files can be very slow, so better not use it for files larger than a megabyte or a few. In my case it took about 30 seconds to display a 12 MiB file. Notepad++, however, was able to display a 120 MiB executable almost instantly.

This solution might be useful in case you need to inspect a file on a machine you can't install any additional software on.

Additional info:

If you have a HEX-Editor available, the offset of PE Signature is located at offset 0x3C. The signature is PE\0\0 (letters "P" and "E" followed by two null bytes), followed by a two byte Machine Type in Little Endian.

The relevant values are 0x8664 for a 64-bit executable and 0x014c for a 32-bit one (64 86 and 4c 01 respectively when adjusted for endianness, but any decent hex editor will automatically handle endianness when you search for a hex value). There are a lot more possible values, but you probably won't ever encounter any of these, or be able to run such executables on your Windows PC.

The full list of machine types, along with the rest of the .exe specifications, can be found in the Microsoft PE and COFF Specification, Machine Types section.
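
The header lookup described under "Additional info", as an added Python example that is not part of the answer above: it reads the signature offset stored at 0x3C, checks for PE\0\0 there, and decodes the little-endian Machine field. The names pe_machine, describe and build_sample are hypothetical, and the sample bytes are constructed for the demonstration.

```python
import io
import struct

# Machine values named on this page; the PE/COFF specification lists many more.
MACHINE_NAMES = {0x014C: "32-bit (x86)", 0x8664: "64-bit (x64)"}


def pe_machine(fh) -> int:
    """Return the Machine field of a PE file opened in binary mode."""
    dos_header = fh.read(0x40)
    if len(dos_header) < 0x40 or dos_header[:2] != b"MZ":
        raise ValueError("no MZ (DOS) header")
    # 4-byte little-endian file offset of the PE signature, stored at 0x3C.
    (pe_offset,) = struct.unpack_from("<I", dos_header, 0x3C)
    fh.seek(pe_offset)
    coff = fh.read(6)
    if len(coff) < 6 or coff[:4] != b"PE\0\0":
        raise ValueError("no PE signature at the offset stored in 0x3C")
    # Machine is the 2-byte little-endian field right after the signature.
    (machine,) = struct.unpack_from("<H", coff, 4)
    return machine


def describe(fh) -> str:
    machine = pe_machine(fh)
    return MACHINE_NAMES.get(machine, f"other machine type 0x{machine:04x}")


def build_sample(machine: int, stub: bytes = b"", pe_offset: int = 0x80) -> bytes:
    """Constructed input: minimal MZ header, optional stub bytes, PE signature."""
    buf = bytearray(pe_offset + 6)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe_offset)
    buf[0x40:0x40 + len(stub)] = stub
    buf[pe_offset:pe_offset + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, pe_offset + 4, machine)
    return bytes(buf)


if __name__ == "__main__":
    print(describe(io.BytesIO(build_sample(0x8664))))
    print(describe(io.BytesIO(build_sample(0x014C))))
    # Stub text that happens to contain "PE" does not confuse the 0x3C lookup.
    print(describe(io.BytesIO(build_sample(0x014C, stub=b"PE  d\x86"))))
```

For a real file, pass the result of `open(path, "rb")` to `describe`; only the first 64 bytes and the 6 bytes at the signature offset are read, so file size does not matter.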


The SDK tool dumpbin.exe with the /headers option includes this information; compare these two (I've added bold for the key information):

PS [64] E:\ #4> dumpbin /headers C:\Windows\system32\cmd.exe
Microsoft (R) COFF/PE Dumper Version 10.00.40219.01
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file C:\Windows\system32\cmd.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
            8664 machine (x64)
               6 number of sections
        4CE798E5 time date stamp Sat Nov 20 09:46:13 2010
               0 file pointer to symbol table
               0 number of symbols
              F0 size of optional header
              22 characteristics
                   Executable
                   Application can handle large (>2GB) addresses
[...]

and

PS [64] E:\ #5> dumpbin /headers C:\Windows\syswow64\cmd.exe
Microsoft (R) COFF/PE Dumper Version 10.00.40219.01
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file C:\Windows\syswow64\cmd.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
             14C machine (x86)
               4 number of sections
        4CE78E2B time date stamp Sat Nov 20 09:00:27 2010
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
             102 characteristics
                   Executable
                   32 bit word machine
[...]

If you don't have or want the whole Windows SDK or Visual Studio, you can use sigcheck.exe from SysInternals:

sigcheck.exe C:\Windows\Notepad.exe

Output:

Sigcheck v2.1 - File version and signature viewer
Copyright (C) 2004-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\notepad.exe:
    Verified:       Signed
    Signing date:   8:59 AM 8/22/2013
    Publisher:      Microsoft Windows
    Description:    Notepad
    Product:        Microsoft« Windows« Operating System
    Prod version:   6.3.9600.16384
    File version:   6.3.9600.16384 (winblue_rtm.130821-1623)
    MachineType:    64-bit