How to Check if a Program (.EXE or .DLL) is 32-bit or 64-bit

Software developers compile separate executable files (.EXE or .DLL) for 32-bit (x86) and 64-bit (x64) systems. The 64-bit version of the program is usually denoted by suffixing 64 or x64 with the filename — e.g., sigcheck.exe vs. sigcheck64.exe. In some cases, the bitness notation may be missing, and you may be wondering if the executable is 32-bit or 64-bit.

This article discusses various methods to determine if a program or executable file is 32-bit or 64-bit in Windows.

Note that some vendors may combine the 32-bit and 64-bit executables into one 32-bit self-extractor file that would detect the platform, extract, and run the correct EXE for the current platform.

Check if an executable (.exe or .dll) is 32-bit or 64-bit

To find if a .exe or .dll is 32-bit or 64-bit, use one of these methods:

Using Task Manager

You can find the bitness of each running program in the Task Manager Details tab.

1. Open Task Manager and select the Details tab.
2. Right-click on the column header and click Select columns. The column header is the row that has the caption for each column, such as Name, PID, Status, etc.
   
3. Enable the Platform checkbox and click OK.

In this example, I’ve opened both versions of Notepad.exe — one from Windows\System32, and the other (32-bit version) from Windows\SysWOW64. The Platform column in Task Manager shows the bitness of each executable.

However, this method works only for executable files, but not for DLLs. Moreover, the program needs to be running for you to check the details in Task Manager. Unlike GUI, command-line programs usually run and quit after finishing the task, before you can check the process details in Task Manager.

Using Resource Monitor

The Resource Monitor tool displays information about the use of hardware (CPU, memory, disk, and network) and software (file handles and modules) resources in real-time.

1. Start the Resource Monitor by running resmon.exe or perfmon.exe /res
2. Launch the program whose bitness (32-bit or 64-bit) you want to know.
3. In Resource Monitor, click on the CPU tab.
4. In the Processes section, right-click on the column header, click Select Columns…
5. Enable the column named Platform.
   

The Platform column shows the info you’re looking for.

Using Process Explorer from Microsoft SysInternals

Task Manager lets you view the bitness of executable (.exe) files, but not DLLs. So, for .dll (as well as .exe) files, we’ll use Microsoft SysInternals’ Process Explorer for this task, as Process Explorer can show the modules loaded by a process. Follow these steps:

1. Download Process Explorer from the following link:

   https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

2. Right-click Start, click Run, and type the following command-line/syntax:

   rundll32 "path_to_filename.dll",BlahBlah

   In this example, I’d type:

   rundll32 "D:\Users\ramesh\Desktop\downloader.dll",BlahBlah

   (In this example, I’m trying to find the bitness of a file named downloader.dll. The above command-line, with some bogus arguments, is simply for the sake of loading the DLL into the memory so that it shows up in Process Explorer.)

3. You’ll see the following error message box. Please do not close it yet.
   
4. With the above error message dialog kept open, launch Process Explorer.
5. In Process Explorer, from the Find menu, click Find Handle or DLL option. (More information about this option.)
6. Type downloader.dll in the search box and click Search.
7. When you see the process rundll32.exe in the list, click on it. This highlights the DLL file in the lower pane window.
   
8. Double-click on downloader.dll entry on the lower pane. You’ll see this properties dialog that shows the bitness (32-bit or 64-bit) of the module.
   
9. Click Ok, and exit Process Explorer.

Additional Tip: You must run Process Explorer as administrator to manage processes that are running elevated. To elevate Process Explorer, click the File menu → Show Details for All Processes.

Using Sigcheck from Microsoft SysInternals

Sigcheck is a command-line utility from Microsoft Windows SysInternals that shows the file version number, timestamp information, and digital signature details, including certificate chains. To output also shows the bitness of the executable.

Examples:

sigcheck.exe c:\windows\system32\shell32.dll

sigcheck.exe C:\Windows\Notepad.exe

Output:

Sigcheck v2.54 - File version and signature viewer
Copyright (C) 2004-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\notepad.exe:
Verified: Signed
Signing date: 11:14 AM 6/21/2019
Publisher: Microsoft Windows
Company: Microsoft Corporation
Description: Notepad
Product: Microsoft« Windows« Operating System
Prod version: 10.0.18362.1
File version: 10.0.18362.1 (WinBuild.160101.0800)
MachineType: 64-bit

Running Sigcheck on a file named downloader.dll showed that the file is 32-bit.

Using VirusTotal.com

The VirusTotal.com portal helps you analyze suspicious files and URLs to detect malware and automatically share them with the security community. You can upload a suspicious file, search the VirusTotal database using the file name, hash, domain name as the keyword.

• If you have the file hash checksum of the DLL, you can search the VirusTotal database to know if the module’s info is already in their database. If not, you can upload the DLL to analyze it.

After you upload the file, you’ll see the ‘detections’ page. In the resulting page, click on the Details tab.

Scroll down to the Portable Executable Info section to know the architecture or bitness of the .exe/.dll file.

Intel 386 or Intel 486 (and later) means it’s a 32-bit module.

The 64-bit files would be denoted as x64 adjacent to the Target Machine label.

Using Dependency Walker

Dependency Walker or depends.exe is a free utility that scans any 32-bit or 64-bit Windows module (exe, dll, ocx, sys, etc.) and builds a hierarchical tree diagram of all dependent modules. For each module found, it lists all the functions exported by that module and which of those functions are actually being called by other modules. Dependency Walker can help you determine if a module is 32-bit or 64-bit.

Dependency Walker is essentially a troubleshooting tool that lets you know the list of dependent files of a .dll or .exe. This tool helps you narrow down issues like missing or corrupt DLLs, wrong bitness (CPU type), import/export mismatches, etc.

1. Download Dependency Walker from http://www.dependencywalker.com
2. Open the DLL or EXE in Dependency Walker.
   (Please ignore the Errors were detected when processing “filename.DLL”. See the log window for details error message in case you encounter it.)
3. After the recursive scan, it will show the list of modules that are dependent on the module you opened. In the Modules list box at the bottom, scroll down and find the module name you opened.
   
4. Note down the bit/architecture of the module, which is listed under the CPU column.

Another Method

Open the module/binary (e.g., shell32.dll) in Dependency Walker.

If it’s a 64-bit module, you’ll see the letters 64 in the icon shown before the name of the module. It works for .exe, dll, ocx, and .sys files.

When loading the 32-bit version of Shell32.dll in Depends.exe, it appears as below:

→ denotes a 32-bit module.

→ denotes a 64-bit module.

Using MiTec EXE Explorer

MiTec EXE Explorer is a third-party program that reads and displays executable file properties and structure. It is compatible with PE32 (Portable Executable), PE32+ (64bit), NE (Windows 3.x New Executable), and VxD (Windows 9x Virtual Device Driver) file types. .NET executables are supported too.

Open the .exe file using Notepad to check its headers

Another way to find out the bitness of an executable is by opening it using Notepad, Notepad++, or any other text editor. After you open the binary file in Notepad, use the Find option to look for the 1st occurrence of the word PE.

The letter that follows the PE header tells you if the file is 32-bit or 64-bit.

• 32-bit (x86) programs would have PE L as the header.
• 64-bit (x64) programs would have PE d† as the header.

You can see that the sigcheck.exe (32-bit) program has the PE L header, and its 64-bit version sigcheck64.exe has the PE d† header.

If the size of the binary file is huge, Notepad will hang or take more time to open the binary file. In that case, you can use Notepad++.

However, make sure that you don’t alter or save the executable file using your Text Editor, as doing so would corrupt the executable. Corrupted executables cause the following error when they’re launched:

This app can’t run on your PC. To find a version for your PC, check with the software publisher.

So, as always, back up the original executable before viewing it in a text editor if you’re going to follow the headers method.

Using 7-Zip command-line tool

If you have 7-Zip installed, you can use its command-line version 7z.exe to determine if a binary is 32-bit or 64-bit.

Example: To check if the binary Windows Photo Viewer‘s binary file PhotoViewer.dll is 32-bit or 64-bit, run this command:

"C:\Program Files\7-Zip\7z.exe" l "C:\Program Files (x86)\Windows Photo Viewer\PhotoViewer.dll"

The parameter “l” is to list the contents of an archive. It however gives additional details such as the bitness of the file.

You’ll see the following in the output:

7-Zip 18.05 (x64) : Copyright (c) 1999-2018 Igor Pavlov

Scanning the drive for archives:
1 file, 1532928 bytes (1497 KiB)

Listing archive: C:\Program Files (x86)\Windows Photo Viewer\PhotoViewer.dll

--
Path = C:\Program Files (x86)\Windows Photo Viewer\PhotoViewer.dll
Type = PE
Physical Size = 1532928
CPU = x86
Characteristics = Executable DLL 32-bit

"C:\Program Files\7-Zip\7z.exe" l "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll" | findstr "CPU"

Next, run the tool against the 64-bit version of PhotoViewer.dll.

"C:\Program Files\7-Zip\7z.exe" l "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll"

You’ll see the following in the output:

7-Zip 18.05 (x64) : Copyright (c) 1999-2018 Igor Pavlov

Scanning the drive for archives:
1 file, 1753088 bytes (1712 KiB)

Listing archive: C:\Program Files\Windows Photo Viewer\PhotoViewer.dll

--
Path = C:\Program Files\Windows Photo Viewer\PhotoViewer.dll
Type = PE
Physical Size = 1753088
CPU = x64
64-bit = +
Characteristics = Executable DLL LargeAddress

Using the Properties/Compatibility Tab

The file’s property sheet → Compatibility tab tells you whether an executable file is 32-bit or 64-bit.

For example, when you right-click a 32-bit file (e.g., autoruns.exe), click Properties, and select the Compatibility tab, you’ll see the 32-bit Operating Systems like Windows 95/98/Me/XP listed under the “Compatibility mode” dropdown list box.

Whereas, for 64-bit files (e.g., autoruns64.exe), you’ll find only Windows Vista and higher in the “Compatibility mode” list box.

Similarly, to know the bitness of a DLL file using the Compatibility tab, make copy of the DLL, then change the file extension to .exe and open the Properties sheet → Compatibility tab of that file. Once determined the bitness, revert the file extension to .DLL.

Using Dumpbin from Visual Studio tools

The following method was posted by Microsoft Engineer Frank Chism on his official blog. Check out his blog post (Web Archive) titled How to tell if a .exe file is a 32-bit or 64-bit application using dumpbin – The Windows HPC Team Blog.

I’m reposting it here:

— begin quote —

One of my customers wanted to know if they had really built a 64-bit application for their cluster. After all, we run Windows HPC Server on a 64-bit server OS, so why not take full advantage of it?

in your path. See my blog on compiling with Visual Studio from Powershell. This works fine from the old command line shell as well.

Windows PowerShell
Copyright (C) 2006 Microsoft Corporation. All rights reserved.

PS C:\Home\fchism> .\pVSvars.ps1
PS C:\Home\fchism> cd PGI
PS C:\Home\fchism\PGI> dir


    Directory: Microsoft.PowerShell.Core\FileSystem::C:\Home\fchism\PGI


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         2/17/2009   2:54 PM            OSBench
d----         2/10/2009   4:17 PM            POP_PVF
-a---         3/26/2009   4:59 PM     135680 Hi.dwf
-a---         3/26/2009   4:59 PM     391168 Hi.exe
-a---         2/11/2009  11:00 AM         73 Hi.f
-a---         3/26/2009   4:59 PM    1436672 Hi.pdb
-a---         2/10/2009   4:31 PM  175156824 pgivfx64-vs2008-803.exe
-a---         2/10/2009  10:34 AM    1123401 pgi_whitepaper_unix2win.pdf
-a---         2/10/2009   4:08 PM    3526334 POP_PVF.zip


PS C:\Home\fchism\PGI> dumpbin /headers Hi.exe|findstr "magic machine"
            8664 machine (x64)
             20B magic # (PE32+)
PS C:\Home\fchism\PGI> cd C:\UnixUtilities
PS C:\UnixUtilities> dumpbin /headers zsh.exe|findstr "magic machine"
             14C machine (x86)
                   32 bit word machine
             10B magic # (PE32)
PS C:\UnixUtilities> cd ..\Home\fchism
PS C:\Home\fchism> more pVSvars.ps1
# Set up Visual Studio Variables for Powershell

A magic machine indeed! You can get dumpbin with any version of Visual Studio. If you don’t have a commercial version go to http://www.microsoft.com/express/ .

— end quote —

Using a VBScript to read Binary Streams

Here’s a nice script from Vbsedit.com that tells you if the mentioned file is 32-bit or 64-bit.

How to Use

• Download the above script and open it using Notepad.
• Change the file name path in Line #5. In this example, the binary path is mentioned as “c:\windows\system32\mspaint.exe“.
• Save the script file.
• Double-click to run it.

The above script reads the binary streams of the mentioned .exe/.dll/.ocx/.sys file using the “ADODB.Stream” object. If it encounters the following hex code, the binary is 32-bit.

PE..L.. (hex code: 504500004C01) = 32 bit

If it encounters the following hex code in the binary stream, then the module is 64-bit.

PE..d.. (hex code: 504500006486) = 64 bit

Do you know any other method to determine the bitness of a binary? Let’s know in the Comments section below!