Software developers compile separate executable files (.EXE or .DLL) for 32-bit (x86) and 64-bit (x64) systems. The 64-bit version of the program is usually denoted by suffixing
x64 with the filename — e.g., sigcheck.exe vs. sigcheck64.exe. In some cases, the bitness notation may be missing, and you may be wondering if the executable is 32-bit or 64-bit.
This article discusses various methods to determine if a program or executable file is 32-bit or 64-bit in Windows.
Note that some vendors may combine the 32-bit and 64-bit executables into one 32-bit self-extractor file that would detect the platform, extract, and run the correct EXE for the current platform.
Methods to check the bitness of a .exe or .dll:
- Using Task Manager
- Using Resource Monitor
- Using Process Explorer from Microsoft SysInternals
- Using Sigcheck from Microsoft SysInternals
- Using VirusTotal.com
- Using Dependency Walker
- Using a PE tool like MiTec Exe Explorer
- Checking the file headers
- Using 7-Zip command-line tool
- Using the Properties/Compatibility Tab
- Using Dumpbin from Visual Studio tools
- Using a VBScript to read Binary Streams
32-bit programs can run seamlessly on a Windows 64-bit Operating System using the WOW64 x86 emulator. But it won’t work the other way around. Running a 64-bit application on Windows 32-bit causes the following error(s):
Check if an executable (.exe or .dll) is 32-bit or 64-bit
To find if a .exe or .dll is 32-bit or 64-bit, use one of these methods:
You can find the bitness of each running program in the Task Manager Details tab.
- Open Task Manager and select the Details tab.
- Right-click on the column header and click Select columns. The column header is the row that has the caption for each column, such as Name, PID, Status, etc.
- Enable the Platform checkbox and click OK.
In this example, I’ve opened both versions of Notepad.exe — one from
Windows\System32, and the other (32-bit version) from
Windows\SysWOW64. The Platform column in Task Manager shows the bitness of each executable.
However, this method works only for executable files, but not for DLLs. Moreover, the program needs to be running for you to check the details in Task Manager. Unlike GUI, command-line programs usually run and quit after finishing the task, before you can check the process details in Task Manager.
The Resource Monitor tool displays information about the use of hardware (CPU, memory, disk, and network) and software (file handles and modules) resources in real-time.
- Start the Resource Monitor by running
- Launch the program whose bitness (32-bit or 64-bit) you want to know.
- In Resource Monitor, click on the CPU tab.
- In the Processes section, right-click on the column header, click Select Columns…
- Enable the column named Platform.
The Platform column shows the info you’re looking for.
Task Manager lets you view the bitness of executable (.exe) files, but not DLLs. So, for .dll (as well as .exe) files, we’ll use Microsoft SysInternals’ Process Explorer for this task, as Process Explorer can show the modules loaded by a process. Follow these steps:
- Download Process Explorer from the following link:
- Right-click Start, click Run, and type the following command-line/syntax:
In this example, I’d type:
(In this example, I’m trying to find the bitness of a file named
downloader.dll. The above command-line, with some bogus arguments, is simply for the sake of loading the DLL into the memory so that it shows up in Process Explorer.)
- You’ll see the following error message box. Please do not close it yet.
- With the above error message dialog kept open, launch Process Explorer.
- In Process Explorer, from the Find menu, click Find Handle or DLL option. (More information about this option.)
downloader.dllin the search box and click Search.
- When you see the process
rundll32.exein the list, click on it. This highlights the DLL file in the lower pane window.
- Double-click on
downloader.dllentry on the lower pane. You’ll see this properties dialog that shows the bitness (32-bit or 64-bit) of the module.
- Click Ok, and exit Process Explorer.
Additional Tip: You must run Process Explorer as administrator to manage processes that are running elevated. To elevate Process Explorer, click the File menu → Show Details for All Processes.
Sigcheck is a command-line utility from Microsoft Windows SysInternals that shows the file version number, timestamp information, and digital signature details, including certificate chains. To output also shows the bitness of the executable.
Sigcheck v2.54 - File version and signature viewer Copyright (C) 2004-2016 Mark Russinovich Sysinternals - www.sysinternals.com c:\windows\notepad.exe: Verified: Signed Signing date: 11:14 AM 6/21/2019 Publisher: Microsoft Windows Company: Microsoft Corporation Description: Notepad Product: Microsoft« Windows« Operating System Prod version: 10.0.18362.1 File version: 10.0.18362.1 (WinBuild.160101.0800) MachineType: 64-bit
Running Sigcheck on a file named
downloader.dll showed that the file is 32-bit.
VirusTotal.com portal helps you analyze suspicious files and URLs to detect malware and automatically share them with the security community. You can upload a suspicious file, search the VirusTotal database using the file name, hash, domain name as the keyword.
- If you have the file hash checksum of the DLL, you can search the VirusTotal database to know if the module’s info is already in their database. If not, you can upload the DLL to analyze it.
After you upload the file, you’ll see the ‘detections’ page. In the resulting page, click on the Details tab.
Scroll down to the Portable Executable Info section to know the architecture or bitness of the .exe/.dll file.
Intel 386 or Intel 486 (and later) means it’s a 32-bit module.
The 64-bit files would be denoted as
x64 adjacent to the Target Machine label.
Dependency Walker or depends.exe is a free utility that scans any 32-bit or 64-bit Windows module (exe, dll, ocx, sys, etc.) and builds a hierarchical tree diagram of all dependent modules. For each module found, it lists all the functions exported by that module and which of those functions are actually being called by other modules. Dependency Walker can help you determine if a module is 32-bit or 64-bit.
Dependency Walker is essentially a troubleshooting tool that lets you know the list of dependent files of a .dll or .exe. This tool helps you narrow down issues like missing or corrupt DLLs, wrong bitness (CPU type), import/export mismatches, etc.
- Download Dependency Walker from
- Open the DLL or EXE in Dependency Walker.
(Please ignore the Errors were detected when processing “filename.DLL”. See the log window for details error message in case you encounter it.)
- After the recursive scan, it will show the list of modules that are dependent on the module you opened. In the Modules list box at the bottom, scroll down and find the module name you opened.
- Note down the bit/architecture of the module, which is listed under the CPU column.
Open the module/binary (e.g., shell32.dll) in Dependency Walker.
If it’s a 64-bit module, you’ll see the letters
64 in the icon shown before the name of the module. It works for .exe, dll, ocx, and .sys files.
When loading the 32-bit version of
Shell32.dll in Depends.exe, it appears as below:
→ denotes a 32-bit module.
→ denotes a 64-bit module.
MiTec EXE Explorer is a third-party program that reads and displays executable file properties and structure. It is compatible with PE32 (Portable Executable), PE32+ (64bit), NE (Windows 3.x New Executable), and VxD (Windows 9x Virtual Device Driver) file types. .NET executables are supported too.
Another way to find out the bitness of an executable is by opening it using Notepad, Notepad++, or any other text editor. After you open the binary file in Notepad, use the Find option to look for the 1st occurrence of the word
The letter that follows the
PE header tells you if the file is 32-bit or 64-bit.
- 32-bit (x86) programs would have
PE Las the header.
- 64-bit (x64) programs would have
PE d†as the header.
You can see that the sigcheck.exe (32-bit) program has the
PE L header, and its 64-bit version sigcheck64.exe has the
PE d† header.
If the size of the binary file is huge, Notepad will hang or take more time to open the binary file. In that case, you can use Notepad++.
However, make sure that you don’t alter or save the executable file using your Text Editor, as doing so would corrupt the executable. Corrupted executables cause the following error when they’re launched:
This app can’t run on your PC. To find a version for your PC, check with the software publisher.
So, as always, back up the original executable before viewing it in a text editor if you’re going to follow the headers method.
If you have 7-Zip installed, you can use its command-line version
7z.exe to determine if a binary is 32-bit or 64-bit.
Example: To check if the binary Windows Photo Viewer‘s binary file
PhotoViewer.dll is 32-bit or 64-bit, run this command:
"C:\Program Files\7-Zip\7z.exe" l "C:\Program Files (x86)\Windows Photo Viewer\PhotoViewer.dll"
The parameter “
l” is to list the contents of an archive. It however gives additional details such as the bitness of the file.
You’ll see the following in the output:
7-Zip 18.05 (x64) : Copyright (c) 1999-2018 Igor Pavlov Scanning the drive for archives: 1 file, 1532928 bytes (1497 KiB) Listing archive: C:\Program Files (x86)\Windows Photo Viewer\PhotoViewer.dll -- Path = C:\Program Files (x86)\Windows Photo Viewer\PhotoViewer.dll Type = PE Physical Size = 1532928 CPU = x86 Characteristics = Executable DLL 32-bit
Tip: To show only the line(s) containing the word “CPU” (denotes the bitness of the module) and hide the other irrelevant data, run this command:
"C:\Program Files\7-Zip\7z.exe" l "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll" | findstr "CPU"
Next, run the tool against the 64-bit version of
"C:\Program Files\7-Zip\7z.exe" l "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll"
You’ll see the following in the output:
7-Zip 18.05 (x64) : Copyright (c) 1999-2018 Igor Pavlov Scanning the drive for archives: 1 file, 1753088 bytes (1712 KiB) Listing archive: C:\Program Files\Windows Photo Viewer\PhotoViewer.dll -- Path = C:\Program Files\Windows Photo Viewer\PhotoViewer.dll Type = PE Physical Size = 1753088 CPU = x64 64-bit = + Characteristics = Executable DLL LargeAddress
The file’s property sheet → Compatibility tab tells you whether an executable file is 32-bit or 64-bit.
For example, when you right-click a 32-bit file (e.g., autoruns.exe), click Properties, and select the Compatibility tab, you’ll see the 32-bit Operating Systems like Windows 95/98/Me/XP listed under the “Compatibility mode” dropdown list box.
Whereas, for 64-bit files (e.g., autoruns64.exe), you’ll find only Windows Vista and higher in the “Compatibility mode” list box.
Similarly, to know the bitness of a DLL file using the Compatibility tab, make copy of the DLL, then change the file extension to
.exe and open the Properties sheet → Compatibility tab of that file. Once determined the bitness, revert the file extension to .DLL.
The following method was posted by Microsoft Engineer Frank Chism on his official blog. Check out his blog post (Web Archive) titled How to tell if a .exe file is a 32-bit or 64-bit application using dumpbin – The Windows HPC Team Blog.
I’m reposting it here:
— begin quote —
One of my customers wanted to know if they had really built a 64-bit application for their cluster. After all, we run Windows HPC Server on a 64-bit server OS, so why not take full advantage of it?
I had a few minutes before I had to get back to them so I thought I’d try to polish the answer a bit. Here’s what I told him: “Dumpbin is your friend.”
Here’s what I then provided as a really simple ‘tool’. A one liner actually. If and only if you have
C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\bin\amd64
in your path. See my blog on compiling with Visual Studio from Powershell. This works fine from the old command line shell as well.
Windows PowerShell Copyright (C) 2006 Microsoft Corporation. All rights reserved. PS C:\Home\fchism> .\pVSvars.ps1 PS C:\Home\fchism> cd PGI PS C:\Home\fchism\PGI> dir Directory: Microsoft.PowerShell.Core\FileSystem::C:\Home\fchism\PGI Mode LastWriteTime Length Name ---- ------------- ------ ---- d---- 2/17/2009 2:54 PM OSBench d---- 2/10/2009 4:17 PM POP_PVF -a--- 3/26/2009 4:59 PM 135680 Hi.dwf -a--- 3/26/2009 4:59 PM 391168 Hi.exe -a--- 2/11/2009 11:00 AM 73 Hi.f -a--- 3/26/2009 4:59 PM 1436672 Hi.pdb -a--- 2/10/2009 4:31 PM 175156824 pgivfx64-vs2008-803.exe -a--- 2/10/2009 10:34 AM 1123401 pgi_whitepaper_unix2win.pdf -a--- 2/10/2009 4:08 PM 3526334 POP_PVF.zip PS C:\Home\fchism\PGI> dumpbin /headers Hi.exe|findstr "magic machine" 8664 machine (x64) 20B magic # (PE32+) PS C:\Home\fchism\PGI> cd C:\UnixUtilities PS C:\UnixUtilities> dumpbin /headers zsh.exe|findstr "magic machine" 14C machine (x86) 32 bit word machine 10B magic # (PE32) PS C:\UnixUtilities> cd ..\Home\fchism PS C:\Home\fchism> more pVSvars.ps1 # Set up Visual Studio Variables for Powershell
A magic machine indeed! You can get dumpbin with any version of Visual Studio. If you don’t have a commercial version go to http://www.microsoft.com/express/ .
— end quote —
Here’s a nice script from Vbsedit.com that tells you if the mentioned file is 32-bit or 64-bit.
How to Use
- Download the above script and open it using Notepad.
- Change the file name path in Line #5. In this example, the binary path is mentioned as “
- Save the script file.
- Double-click to run it.
The above script reads the binary streams of the mentioned .exe/.dll/.ocx/.sys file using the “ADODB.Stream” object. If it encounters the following hex code, the binary is 32-bit.
PE..L.. (hex code: 504500004C01) = 32 bit
If it encounters the following hex code in the binary stream, then the module is 64-bit.
PE..d.. (hex code: 504500006486) = 64 bit
Do you know any other method to determine the bitness of a binary? Let’s know in the Comments section below!
One small request: If you liked this post, please share this?One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:
- Pin it!
- Share it to your favorite blog + Facebook, Reddit
- Tweet it!