How to check if a binary is 32 or 64 bit on Windows?
After examining header values from Richard's answer, I came up with a solution which is fast, easy, and only requires a text editor. Even Windows' default notepad.exe would work.
Open the executable in text editor. You might have to drag-and-drop or use the editor's
Open...
dialog, because Windows doesn't showOpen with...
option in context menu for executables.Check the first printable characters after the first occurrence of
PE
. This part is most likely to be surrounded by at least some whitespace (could be a lot of it), so it can be easily done visually.
Here is what you're going to find:
32-bit:
PE L
64-bit:
PE d†
A word of warning: using default Notepad on big files can be very slow, so better not use it for files larger than a megabyte or few. In my case in took about 30 seconds to display a 12 MiB file. Notepad++, however, was able to display a 120 MiB executable almost instantly.
This is solution might be useful in case you need to inspect a file on a machine you can't install any additional software on.
Additional info:
If you have a HEX-Editor available, the offset of PE Signature is located at offset 0x3C
. The signature is PE\0\0
(letters "P" and "E" followed by two null bytes), followed by a two byte Machine Type in Little Endian.
The relevant values are 0x8664
for a 64-bit executable and 0x014c
for a 32-bit one (64 86
and 4c 01
respectively when adjusted for endianness, but any decent hex editor will automatically handle endianness when you search for a hex value). There are a lot more possible values, but you probably won't ever encounter any of these, or be able to run such executables on your Windows PC.
Full list of machine types, along with the rest of .exe specifications, can be found in Microsoft PE and COFF Specification Machine Types section.
The SDK tool dumpbin.exe
with the /headers
option includes this information, compare these two (I've added bold for the key information)
PS [64] E:\ #4> dumpbin /headers C:\Windows\system32\cmd.exe Microsoft (R) COFF/PE Dumper Version 10.00.40219.01 Copyright (C) Microsoft Corporation. All rights reserved. Dump of file C:\Windows\system32\cmd.exe PE signature found File Type: EXECUTABLE IMAGE FILE HEADER VALUES 8664 machine (x64) 6 number of sections 4CE798E5 time date stamp Sat Nov 20 09:46:13 2010 0 file pointer to symbol table 0 number of symbols F0 size of optional header 22 characteristics Executable Application can handle large (>2GB) addresses [...]
and
PS [64] E:\ #5> dumpbin /headers C:\Windows\syswow64\cmd.exe Microsoft (R) COFF/PE Dumper Version 10.00.40219.01 Copyright (C) Microsoft Corporation. All rights reserved. Dump of file C:\Windows\syswow64\cmd.exe PE signature found File Type: EXECUTABLE IMAGE FILE HEADER VALUES 14C machine (x86) 4 number of sections 4CE78E2B time date stamp Sat Nov 20 09:00:27 2010 0 file pointer to symbol table 0 number of symbols E0 size of optional header 102 characteristics Executable 32 bit word machine [...]
If you don't have or want the whole Windows SDK or Visual Studio, you can use sigcheck.exe
from SysInternals:
sigcheck.exe C:\Windows\Notepad.exe
Output:
Sigcheck v2.1 - File version and signature viewer
Copyright (C) 2004-2014 Mark Russinovich
Sysinternals - www.sysinternals.com
c:\windows\notepad.exe:
Verified: Signed
Signing date: 8:59 AM 8/22/2013
Publisher: Microsoft Windows
Description: Notepad
Product: Microsoft« Windows« Operating System
Prod version: 6.3.9600.16384
File version: 6.3.9600.16384 (winblue_rtm.130821-1623)
MachineType: 64-bit