Software developers compile separate executable files (.EXE or .DLL) for 32-bit (x86) and 64-bit (x64) systems. The 64-bit version of the program is usually denoted by adding an x64 suffix to the filename (e.g., sigcheck.exe vs. sigcheck64.exe). In some cases, the bitness notation may be missing, and you may be wondering if the executable is 32-bit or 64-bit.
This article discusses various methods to determine if a program or executable file is 32-bit or 64-bit in Windows.
Note that some vendors may combine the 32-bit and 64-bit executables into one 32-bit self-extractor file that would detect the platform, extract, and run the correct EXE for the current platform.
32-bit programs can run seamlessly on a Windows 64-bit Operating System using the WOW64 x86 emulator. But it won’t work the other way around. Running a 64-bit application on Windows 32-bit causes the following error(s):
Check if an executable (.exe or .dll) is 32-bit or 64-bit
To find if a .exe or .dll is 32-bit or 64-bit, use one of these methods:
You can find the bitness of each running program in the Task Manager Details tab.
- Open Task Manager and select the Details tab.
- Right-click on the column header and click Select columns. The column header is the row that has the caption for each column, such as Name, PID, Status, etc.
- Enable the Platform checkbox and click OK.
In this example, I’ve opened both versions of Notepad.exe: one from Windows\System32, and the other (32-bit version) from Windows\SysWOW64. The Platform column in Task Manager shows the bitness of each executable.
However, this method works only for executable files, not for DLLs. Moreover, the program needs to be running for you to check the details in Task Manager. Unlike GUI programs, command-line programs usually run and quit after finishing the task, before you can check the process details in Task Manager.
The Resource Monitor tool displays information about the use of hardware (CPU, memory, disk, and network) and software (file handles and modules) resources in real-time.
- Start the Resource Monitor by running
- Launch the program whose bitness (32-bit or 64-bit) you want to know.
- In Resource Monitor, click on the CPU tab.
- In the Processes section, right-click on the column header, click Select Columns…
- Enable the column named Platform.
The Platform column shows the info you’re looking for.
Task Manager lets you view the bitness of executable (.exe) files, but not DLLs. So, for .dll (as well as .exe) files, we’ll use Microsoft SysInternals’ Process Explorer for this task, as Process Explorer can show the modules loaded by a process. Follow these steps:
- Download Process Explorer from the following link:
- Right-click Start, click Run, and type the following command-line/syntax:
In this example, I’d type:
(In this example, I’m trying to find the bitness of a file named downloader.dll. The above command-line, with some bogus arguments, is simply for the sake of loading the DLL into the memory so that it shows up in Process Explorer.)
- You’ll see the following error message box. Please do not close it yet.
- With the above error message dialog kept open, launch Process Explorer.
- In Process Explorer, from the Find menu, click Find Handle or DLL option. (More information about this option.)
- Type downloader.dll in the search box and click Search.
- When you see the process rundll32.exe in the list, click on it. This highlights the DLL file in the lower pane window.
- Double-click on the downloader.dll entry in the lower pane. You’ll see a properties dialog that shows the bitness (32-bit or 64-bit) of the module.
- Click Ok, and exit Process Explorer.
Additional Tip: You must run Process Explorer as administrator to manage processes that are running elevated. To elevate Process Explorer, click the File menu → Show Details for All Processes.
Sigcheck is a command-line utility from Microsoft Windows SysInternals that shows the file version number, timestamp information, and digital signature details, including certificate chains. The output also shows the bitness of the executable.

    Sigcheck v2.54 - File version and signature viewer
    Copyright (C) 2004-2016 Mark Russinovich
    Sysinternals - www.sysinternals.com

    c:\windows\notepad.exe:
        Verified:       Signed
        Signing date:   11:14 AM 6/21/2019
        Publisher:      Microsoft Windows
        Company:        Microsoft Corporation
        Description:    Notepad
        Product:        Microsoft« Windows« Operating System
        Prod version:   10.0.18362.1
        File version:   10.0.18362.1 (WinBuild.160101.0800)
        MachineType:    64-bit

Running Sigcheck on a file named downloader.dll showed that the file is 32-bit.
The VirusTotal.com portal helps you analyze suspicious files and URLs to detect malware and automatically share them with the security community. You can upload a suspicious file, or search the VirusTotal database using the file name, hash, or domain name as the keyword.
- If you have the file hash checksum of the DLL, you can search the VirusTotal database to know if the module’s info is already in their database. If not, you can upload the DLL to analyze it.
After you upload the file, you’ll see the ‘detections’ page. In the resulting page, click on the Details tab.
Scroll down to the Portable Executable Info section to know the architecture or bitness of the .exe/.dll file.
Intel 386 or Intel 486 (and later) means it’s a 32-bit module.
The 64-bit files would be denoted as x64 adjacent to the Target Machine label.
Dependency Walker is a free utility that scans any 32-bit or 64-bit Windows module (exe, dll, ocx, sys, etc.) and builds a hierarchical tree diagram of all dependent modules. For each module found, it lists all the functions exported by that module and which of those functions are actually being called by other modules.
Dependency Walker is essentially a troubleshooting tool that lets you know the list of dependent files of a .dll or .exe. This tool helps you narrow down issues like missing or corrupt DLLs, wrong bitness (CPU type), import/export mismatches, etc.
- Download Dependency Walker from
- Open the DLL or EXE in Dependency Walker.
(Please ignore the "Errors were detected when processing “filename.DLL”. See the log window for details" error message in case you encounter it.)
- After the recursive scan, it will show the list of modules that are dependent on the module you opened. In the Modules list box at the bottom, scroll down and find the module name you opened.
- Note down the bit/architecture of the module, which is listed under the CPU column.
MiTec EXE Explorer is a third-party program that reads and displays executable file properties and structure. It is compatible with PE32 (Portable Executable), PE32+ (64bit), NE (Windows 3.x New Executable), and VxD (Windows 9x Virtual Device Driver) file types. .NET executables are supported too.
Another way to find out the bitness of an executable is by opening it using Notepad, Notepad++, or any other text editor. After you open the binary file in Notepad, use the Find option to look for the first occurrence of the word PE. The letter that follows the PE header tells you if the file is 32-bit or 64-bit.
- 32-bit (x86) programs would have PE L as the header.
- 64-bit (x64) programs would have PE d† as the header.
You can see that the sigcheck.exe (32-bit) program has the PE L header, and its 64-bit version sigcheck64.exe has the PE d† header.
If the size of the binary file is huge, Notepad will hang or take more time to open the binary file. In that case, you can use Notepad++.
However, make sure that you don’t alter or save the executable file using your Text Editor, as doing so would corrupt the executable. Corrupted executables cause the following error when they’re launched:
This app can’t run on your PC. To find a version for your PC, check with the software publisher.
So, as always, back up the original executable before viewing it in a text editor if you’re going to follow the headers method.
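The header check described above can also be done programmatically, which reads the file without opening it for writing and without loading the DLL into a process. The following is an added example, not part of the original article: it follows the DOS header's pointer to the PE signature and decodes the two bytes that appear as "L" or "d†" in a text editor. The function names and the sample headers are constructed for illustration.

```python
import struct

# Machine values from the PE/COFF specification (IMAGE_FILE_MACHINE_*).
MACHINES = {0x014C: "32-bit (x86)", 0x8664: "64-bit (x64)",
            0x01C4: "32-bit (ARM Thumb-2)", 0xAA64: "64-bit (ARM64)"}
# Optional-header magic distinguishes PE32 from PE32+ images.
MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}


def pe_bitness(data: bytes) -> dict:
    """Decode machine type and image format; ValueError if not a PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ (DOS) header")
    # e_lfanew at offset 0x3C holds the file offset of the "PE\0\0" signature.
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 26 > len(data):
        raise ValueError("e_lfanew points outside the data read")
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # Machine is the first COFF field; the optional header follows 20 bytes later.
    machine, = struct.unpack_from("<H", data, pe_off + 4)
    magic, = struct.unpack_from("<H", data, pe_off + 24)
    return {"machine": MACHINES.get(machine, f"unknown (0x{machine:04X})"),
            "format": MAGICS.get(magic, f"unknown (0x{magic:04X})"),
            "header_bytes": data[pe_off:pe_off + 6]}


def check_file(path: str) -> dict:
    # Read-only; assumes the headers sit within the first 4 KiB of the file.
    with open(path, "rb") as fh:
        return pe_bitness(fh.read(4096))


def make_sample(machine: int, magic: int, pe_off: int = 0x80) -> bytes:
    """Constructed minimal header (not a runnable program) for the demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    dos += b"\0" * (pe_off - len(dos))
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xF0, 0x22)
    return dos + b"PE\0\0" + coff + struct.pack("<H", magic) + b"\0" * 64


if __name__ == "__main__":
    for m, g in ((0x014C, 0x10B), (0x8664, 0x20B)):
        print(pe_bitness(make_sample(m, g)))
```

Bytes 0x4C 0x01 render as "L" plus a control character, and 0x64 0x86 render as "d†" in the Windows-1252 code page, which is why those letters show up after "PE" in a text editor.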