Detecting if an EXE file is x86 or x64

Started by DavidGDFC, May 24, 2017, 03:25:30 PM


Phil Harvey

I've been looking into this.  This superuser.com topic addresses the same question.  There are various techniques mentioned, but all of them that involve looking at the data in the file give the same answer as ExifTool because the PE32 header says the architecture is 386 (it isn't a PE32+ file).  The Cygwin "file" command also gives this result:

> file ~/Desktop/Win64bit.exe
/home/phil/Desktop/Win64bit.exe: PE32 executable (GUI) Intel 80386 Mono/.NET assembly, for MS Windows


According to a post in the superuser topic linked above, it should say "x86-64" instead of "Intel 80386" for a 64-bit app.

So ExifTool is at least as unreliable as the "file" utility, but that isn't much consolation.

I'm at a bit of a loss.  I can't find any documentation that provides any information about how to dig further into an EXE file to determine the architecture another way.

- Phil
...where DIR is the name of a directory/folder containing the images.  On Mac/Linux/PowerShell, use single quotes (') instead of double quotes (") around arguments containing a dollar sign ($).

Phil Harvey

#16
Looking at this more, I found that my 64-bit sample has a "large address aware" flag set in the file header.  There is also a "32-bit" flag that is not set.  I'll test for this combination of flags, and call the file 64-bit if it matches.  This update will appear in ExifTool 11.08.

- Phil

Edit:  I need to re-think this.  I found a reference that says the "large address aware" flag is used for 32-bit applications to be able to use the top bit of the address space.  So I can't use this to test for 64-bit apps.
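An added example, not code from this thread or from ExifTool: a small reader for the header fields discussed in the posts above (machine type, PE32 vs PE32+, the "large address aware" and "32-bit" flags), which also reports whether the image carries a .NET (CLR) header. The function names and the sample header are constructed for illustration.

```python
import struct

MACHINES = {0x014C: "I386", 0x8664: "AMD64"}
LARGE_ADDRESS_AWARE = 0x0020  # IMAGE_FILE_LARGE_ADDRESS_AWARE
MACHINE_32BIT = 0x0100        # IMAGE_FILE_32BIT_MACHINE
CLR_DIR = 14                  # data directory slot of the .NET (CLR) header

def pe_summary(data):
    """Return the header fields discussed above for a PE image in bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, _, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 / PE32+ layouts
    (ndirs,) = struct.unpack_from("<I", data, dirs - 4)
    clr = False
    if ndirs > CLR_DIR and dirs + (CLR_DIR + 1) * 8 <= opt + opt_size:
        rva, size = struct.unpack_from("<II", data, dirs + CLR_DIR * 8)
        clr = rva != 0 and size != 0
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "pe32plus": magic == 0x20B,
        "large_address_aware": bool(chars & LARGE_ADDRESS_AWARE),
        "bit32_flag": bool(chars & MACHINE_32BIT),
        # Managed image: CLR header flags (not parsed here) govern bitness.
        "clr_header": clr,
    }

def build_sample(machine, chars, magic=0x10B, clr=False):
    """Constructed minimal header for the demo, not a loadable program."""
    dir_off = 96 if magic == 0x10B else 112
    opt = bytearray(dir_off + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dir_off - 4, 16)  # NumberOfRvaAndSizes
    if clr:  # constructed RVA and size for the CLR directory entry
        struct.pack_into("<II", opt, dir_off + CLR_DIR * 8, 0x2008, 72)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), chars)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print(pe_summary(build_sample(0x014C, 0x0022, clr=True)))
```

The constructed sample mirrors the file described in the thread: machine I386, PE32, "large address aware" set, "32-bit" flag clear, and a CLR header present.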