If I have a process dump file, is there anyway of knowing if the dump was generated on a x64 machine or x86 machines?
You can look at the environment variables. Output of the command !peb, among other things, contains a list of environment variables. If you see the variables PROCESSOR_ARCHITEW6432 or ProgramW6432 defined, the OS is 64 bit. Otherwise, it is 32 bit.
Unfortunately, above answers don't work in most cases.
Dumpchk.exe will say "x86 compatible" for both x86 and x64 OS if the target process was built as an x86 binary. And the !peb command also gives you a useless "PEB NULL..." for minidumps, which we use most of the time.
You would do better to check the full path of "Kernel32.dll", since an x64 OS will load "C:\Windows\Syswow64\Kernel32.dll" instead, while an x86 OS will load the plain "C:\Windows\System32\Kernel32.dll" for x86 executables. Loaded modules and their paths are recorded in the minidump and easily checked by dumpchk.exe, windbg and Visual Studio.
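The check from the answer above can be automated without WinDbg by reading two streams of the minidump file directly: the SystemInfo stream (whose ProcessorArchitecture field is the value tooling reports as the machine architecture) and the ModuleList stream (which holds the full path of every loaded module, including kernel32.dll). The script below is an added example, not code from the original answers; it uses only the public minidump structure layouts (MINIDUMP_HEADER, MINIDUMP_DIRECTORY, MINIDUMP_SYSTEM_INFO, MINIDUMP_MODULE_LIST, MINIDUMP_STRING) and the standard library. The build_sample_dump helper fabricates a minimal, constructed minidump so the example runs offline; on a real dump you would call inspect_minidump on the file contents. A kernel32.dll path under SysWOW64 is taken as the decisive sign of a 32-bit process on a 64-bit OS, exactly as the answer describes.

```python
"""Added example: decide OS bitness vs. process bitness from a minidump."""
import struct
import sys

# Stream types (minidumpapiset.h)
MODULE_LIST_STREAM = 4
SYSTEM_INFO_STREAM = 7
# PROCESSOR_ARCHITECTURE_* values (winnt.h)
ARCH_NAMES = {0: "x86", 5: "ARM", 6: "IA64", 9: "x64", 12: "ARM64"}
ARCH_64BIT = {"x64", "IA64", "ARM64"}


def _read_string(buf, rva):
    """MINIDUMP_STRING: u32 byte length, then UTF-16LE characters."""
    (length,) = struct.unpack_from("<I", buf, rva)
    return buf[rva + 4:rva + 4 + length].decode("utf-16-le")


def inspect_minidump(buf):
    """Return architecture facts recoverable from a minidump byte buffer."""
    sig, _version, nstreams, dir_rva = struct.unpack_from("<IIII", buf, 0)
    if sig != 0x504D444D:  # 'MDMP'
        raise ValueError("not a minidump")
    streams = {}
    for i in range(nstreams):  # MINIDUMP_DIRECTORY entries are 12 bytes each
        stype, size, rva = struct.unpack_from("<III", buf, dir_rva + 12 * i)
        streams[stype] = (size, rva)

    info = {"system_info_arch": None, "kernel32_path": None,
            "wow64": False, "os_bits": None, "process_bits": None}

    # MINIDUMP_SYSTEM_INFO starts with u16 ProcessorArchitecture.
    if SYSTEM_INFO_STREAM in streams:
        (arch,) = struct.unpack_from("<H", buf, streams[SYSTEM_INFO_STREAM][1])
        info["system_info_arch"] = ARCH_NAMES.get(arch, "unknown(%d)" % arch)

    # MINIDUMP_MODULE_LIST: u32 NumberOfModules, then 108-byte MINIDUMP_MODULE
    # entries; ModuleNameRva is at offset 20 inside each entry.
    if MODULE_LIST_STREAM in streams:
        _size, rva = streams[MODULE_LIST_STREAM]
        (count,) = struct.unpack_from("<I", buf, rva)
        for i in range(count):
            (name_rva,) = struct.unpack_from("<I", buf, rva + 4 + 108 * i + 20)
            path = _read_string(buf, name_rva)
            if path.lower().endswith("\\kernel32.dll"):
                info["kernel32_path"] = path
                break

    if info["kernel32_path"] is not None:
        if "\\syswow64\\" in info["kernel32_path"].lower():
            # WOW64 kernel32: a 32-bit process running on a 64-bit OS, even if
            # the SystemInfo stream reads "x86" (the dumpchk pitfall above).
            info["wow64"], info["os_bits"], info["process_bits"] = True, 64, 32
        else:
            # System32 kernel32: process bitness equals OS bitness.
            bits = 64 if info["system_info_arch"] in ARCH_64BIT else 32
            info["os_bits"] = info["process_bits"] = bits
    return info


def build_sample_dump(arch, module_paths):
    """Build a constructed, minimal minidump (sample data for this example)."""
    header_size, dir_size, sysinfo_size = 32, 2 * 12, 56
    sysinfo_rva = header_size + dir_size
    modlist_rva = sysinfo_rva + sysinfo_size
    modlist_size = 4 + 108 * len(module_paths)
    strings, name_rvas = b"", []
    for path in module_paths:
        name_rvas.append(modlist_rva + modlist_size + len(strings))
        enc = path.encode("utf-16-le")
        strings += struct.pack("<I", len(enc)) + enc + b"\x00\x00"
    out = struct.pack("<IIIIIIQ", 0x504D444D, 0xA793, 2, header_size, 0, 0, 0)
    out += struct.pack("<III", SYSTEM_INFO_STREAM, sysinfo_size, sysinfo_rva)
    out += struct.pack("<III", MODULE_LIST_STREAM, modlist_size, modlist_rva)
    out += struct.pack("<H", arch) + b"\x00" * (sysinfo_size - 2)
    out += struct.pack("<I", len(module_paths))
    for i, rva in enumerate(name_rvas):
        # BaseOfImage, SizeOfImage, CheckSum, TimeDateStamp, ModuleNameRva,
        # then the remaining 84 bytes of MINIDUMP_MODULE zeroed.
        out += struct.pack("<QIIII", 0x10000 * (i + 1), 0x1000, 0, 0, rva)
        out += b"\x00" * 84
    return out + strings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(inspect_minidump(f.read()))
    else:  # demonstrate on a constructed WOW64-style dump
        sample = build_sample_dump(0, [r"C:\Windows\SysWOW64\ntdll.dll",
                                       r"C:\Windows\SysWOW64\kernel32.dll"])
        print(inspect_minidump(sample))
```

Run it with a dump path to inspect a real file, or with no arguments to see the constructed WOW64 case, where the SystemInfo stream says x86 but the SysWOW64 kernel32 path reveals a 64-bit OS. The script reads only directory entries and string RVAs, so it does not need the dump to contain memory regions; a minidump written with the smallest MiniDumpNormal type still carries both streams.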