Determine if a process dump was generated on an x64 or x86 machine

If I have a process dump file, can I still tell whether the dump was generated on an x64 or an x86 machine?

+4
4 answers

You can look at the environment variables. The output of !peb, among other things, contains the list of environment variables. If you see the variables PROCESSOR_ARCHITEW6432 or ProgramW6432, the OS is 64-bit. Otherwise, it is 32-bit.

+2

You can use the dumpchk.exe utility that ships with the Debugging Tools for Windows. Just pass the dump file as an argument.

In the generated report you will find the OS version and the processor flavor, for example:

Windows 7 Version 7601 (Service Pack 1) UP Free x64

Product: WinNt, Suite: SingleUserTS

+2

You can use the .effmach command to find out the architecture on which the dump was created. Note that there is a WOW64 scenario where the dump architecture is x64 but you have to debug it as x86 (see the !wow64exts.sw command).

0:000> .effmach
Effective machine: x64 (AMD64)

+2

Unfortunately, the above answers do not work in most cases.

Dumpchk.exe will say "x86 compatible" on both x86 and x64 if the target process was built as an x86 binary. The !peb command also gives you a useless "PEB is NULL ..." for the minidumps we use most of the time.

It is better to check the full path of "kernel32.dll": a x64 OS will load "C:\Windows\SysWOW64\kernel32.dll" for x86 executables, while a x86 OS will load the plain "C:\Windows\System32\kernel32.dll". The loaded modules and their paths are preserved in a minidump and are easily checked with dumpchk.exe, WinDbg and Visual Studio.

+1
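The checks from the dumpchk/.effmach answer and from the last answer can be done offline, without a debugger, by reading two streams of the minidump file directly: MINIDUMP_SYSTEM_INFO (stream type 7) carries the ProcessorArchitecture field that dumpchk and .effmach report, and MINIDUMP_MODULE_LIST (stream type 4) carries the module paths, so the kernel32.dll path check can disambiguate a WOW64 process whose dump claims "x86". The following is an added example, not code from the question or the answers; the structure offsets come from the public minidumpapiset.h layout, and the sample dumps it builds are constructed fixtures (a two-stream minidump with a single kernel32.dll module entry), not real dumps.

```python
import struct
import sys

# Stream types and ProcessorArchitecture codes from minidumpapiset.h / winnt.h
SYSTEM_INFO_STREAM = 7
MODULE_LIST_STREAM = 4
ARCH_NAMES = {0: "x86", 5: "ARM", 6: "IA64", 9: "x64 (AMD64)", 12: "ARM64"}
MODULE_SIZE = 108          # sizeof(MINIDUMP_MODULE)
MODULE_NAME_RVA_OFF = 20   # offset of ModuleNameRva inside MINIDUMP_MODULE


def _streams(buf):
    """Yield (StreamType, DataSize, Rva) for every MINIDUMP_DIRECTORY entry."""
    sig, _ver, nstreams, dir_rva = struct.unpack_from("<4sIII", buf, 0)
    if sig != b"MDMP":
        raise ValueError("not a minidump (missing MDMP signature)")
    for i in range(nstreams):
        yield struct.unpack_from("<III", buf, dir_rva + 12 * i)


def _read_string(buf, rva):
    """MINIDUMP_STRING: uint32 byte length (no terminator) followed by UTF-16LE."""
    (length,) = struct.unpack_from("<I", buf, rva)
    return buf[rva + 4 : rva + 4 + length].decode("utf-16-le")


def dump_architecture(buf):
    """ProcessorArchitecture from MINIDUMP_SYSTEM_INFO, i.e. what dumpchk/.effmach show."""
    for stype, _size, rva in _streams(buf):
        if stype == SYSTEM_INFO_STREAM:
            (arch,) = struct.unpack_from("<H", buf, rva)
            return ARCH_NAMES.get(arch, "unknown(%d)" % arch)
    return None


def module_paths(buf):
    """Full paths of all modules recorded in MINIDUMP_MODULE_LIST."""
    for stype, _size, rva in _streams(buf):
        if stype == MODULE_LIST_STREAM:
            (count,) = struct.unpack_from("<I", buf, rva)
            paths = []
            for i in range(count):
                entry = rva + 4 + MODULE_SIZE * i
                (name_rva,) = struct.unpack_from("<I", buf, entry + MODULE_NAME_RVA_OFF)
                paths.append(_read_string(buf, name_rva))
            return paths
    return []


def classify(buf):
    """Combine both checks: the claimed architecture and where kernel32.dll was loaded from."""
    arch = dump_architecture(buf)
    k32 = next((p for p in module_paths(buf) if p.lower().endswith("\\kernel32.dll")), None)
    if k32 and "\\syswow64\\" in k32.lower():
        return arch, "64-bit Windows, 32-bit process under WOW64"
    if arch == "x64 (AMD64)":
        return arch, "64-bit Windows, native 64-bit process"
    if arch == "x86" and k32 and "\\system32\\" in k32.lower():
        return arch, "32-bit Windows, 32-bit process"
    return arch, "undetermined"


def build_sample_minidump(arch_code, kernel32_path):
    """Constructed fixture: minimal minidump with only SystemInfo and ModuleList streams."""
    header_size, dir_size = 32, 12 * 2
    sysinfo_off = header_size + dir_size
    # ProcessorArchitecture, Level, Revision, NumberOfProcessors, ProductType,
    # Major, Minor, Build, PlatformId, CSDVersionRva, SuiteMask, Reserved2, Cpu[24]
    sysinfo = struct.pack("<HHHBBIIIIIHH", arch_code, 6, 0, 1, 1, 6, 1, 7601, 2, 0, 0, 0) + b"\0" * 24
    modlist_off = sysinfo_off + len(sysinfo)
    name_off = modlist_off + 4 + MODULE_SIZE
    encoded = kernel32_path.encode("utf-16-le")
    name = struct.pack("<I", len(encoded)) + encoded + b"\0\0"
    # BaseOfImage, SizeOfImage, CheckSum, TimeDateStamp, ModuleNameRva, rest zeroed
    module = struct.pack("<QIIII", 0x7FF800000000, 0x1000, 0, 0, name_off) + b"\0" * (MODULE_SIZE - 24)
    modlist = struct.pack("<I", 1) + module
    header = struct.pack("<4sIIIIIQ", b"MDMP", 0xA793, 2, header_size, 0, 0, 0)
    directory = (struct.pack("<III", SYSTEM_INFO_STREAM, len(sysinfo), sysinfo_off)
                 + struct.pack("<III", MODULE_LIST_STREAM, len(modlist), modlist_off))
    return header + directory + sysinfo + modlist + name


if __name__ == "__main__":
    # Usage: python minidump_arch.py crash.dmp
    with open(sys.argv[1], "rb") as f:
        print(classify(f.read()))
```

The SysWOW64 path is checked first on purpose: a dump of a WOW64 process written by a 32-bit dbghelp reports x86 in the SystemInfo stream, so the architecture field alone would mislabel the OS, which is exactly the failure the last answer describes.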

Source: https://habr.com/ru/post/1380633/
