Reputation: 4118
If I have a process dump file, is there any way of knowing whether the dump was generated on an x64 machine or an x86 machine?
Upvotes: 6
Views: 5612
Reputation: 863
You can use the .effmach command to know the architecture that the dump was created on. Note that there is the WOW64 scenario where the dump arch is x64 but you should actually debug it with an x86 approach (see the !wow64exts.sw command).
0:000> .effmach
Effective machine: x64 (AMD64)
Upvotes: 3
Reputation: 31
Unfortunately, the above answers don't work in most cases.
Dumpchk.exe will say "x86 compatible" for both x86 and x64 OS if the target process was built as an x86 binary. And the !peb command also gives you a useless "PEB NULL..." for minidumps, which we use most of the time.
You would do better to check the full path of "Kernel32.dll", since an x64 OS will load "C:\Windows\Syswow64\Kernel32.dll" instead, while an x86 OS will load the plain "C:\Windows\System32\Kernel32.dll" for x86 executables. Loaded modules and their paths are recorded in the minidump and are easily checked by dumpchk.exe, windbg and Visual Studio.
Upvotes: 3
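The two checks discussed above (the OS architecture the dump reports, and whether the process was a WOW64 one, detected via a SysWOW64 module path) can also be done offline from the minidump file itself. This is an added example, not code from any of the posters: it walks the documented minidump stream directory, reads the SystemInfoStream and the ModuleListStream, and the build_sample helper constructs a tiny synthetic dump so the code runs without a real file.

```python
import struct

# Stream types and ProcessorArchitecture codes from the public minidump format (dbghelp).
SYSTEM_INFO_STREAM = 7
MODULE_LIST_STREAM = 4
ARCH_NAMES = {0: "x86", 5: "ARM", 6: "IA64", 9: "x64", 12: "ARM64"}

def _read_string(buf, rva):
    # MINIDUMP_STRING: ULONG32 byte length followed by UTF-16LE characters.
    (length,) = struct.unpack_from("<I", buf, rva)
    return buf[rva + 4 : rva + 4 + length].decode("utf-16-le")

def dump_architecture(buf):
    """Return (os_arch, wow64) for a minidump held in memory as bytes."""
    sig, _ver, nstreams, dir_rva = struct.unpack_from("<4sIII", buf, 0)
    if sig != b"MDMP":
        raise ValueError("not a minidump")
    os_arch, wow64 = None, False
    for i in range(nstreams):  # MINIDUMP_DIRECTORY entries are 12 bytes each
        stype, _size, rva = struct.unpack_from("<III", buf, dir_rva + 12 * i)
        if stype == SYSTEM_INFO_STREAM:
            (proc_arch,) = struct.unpack_from("<H", buf, rva)  # first field of MINIDUMP_SYSTEM_INFO
            os_arch = ARCH_NAMES.get(proc_arch, f"unknown({proc_arch})")
        elif stype == MODULE_LIST_STREAM:
            (nmods,) = struct.unpack_from("<I", buf, rva)
            for m in range(nmods):
                # MINIDUMP_MODULE is 108 bytes; ModuleNameRva sits at offset 20 in it.
                (name_rva,) = struct.unpack_from("<I", buf, rva + 4 + 108 * m + 20)
                if "\\syswow64\\" in _read_string(buf, name_rva).lower():
                    wow64 = True  # 32-bit process on a 64-bit OS
    return os_arch, wow64

def build_sample(proc_arch, module_path):
    """Constructed test input: header, 2-entry directory, system info, one module."""
    name = module_path.encode("utf-16-le")
    name_blob = struct.pack("<I", len(name)) + name + b"\0\0"
    sysinfo = struct.pack("<H", proc_arch) + bytes(54)  # remaining 54 bytes zeroed
    sys_rva = 32 + 24                                   # header (32) + directory (2 x 12)
    mod_rva = sys_rva + len(sysinfo)
    name_rva = mod_rva + 4 + 108
    module = struct.pack("<QIIII", 0x7FF000000000, 0x1000, 0, 0, name_rva) + bytes(84)
    header = struct.pack("<4sIIIIIQ", b"MDMP", 0xA793, 2, 32, 0, 0, 0)
    directory = struct.pack("<III", SYSTEM_INFO_STREAM, len(sysinfo), sys_rva)
    directory += struct.pack("<III", MODULE_LIST_STREAM, 4 + 108, mod_rva)
    return header + directory + sysinfo + struct.pack("<I", 1) + module + name_blob

if __name__ == "__main__":
    print(dump_architecture(build_sample(9, r"C:\Windows\SysWOW64\kernel32.dll")))
```

To check a real file, pass `open(path, "rb").read()` to dump_architecture; a result of ("x64", True) is the WOW64 case where the x86 debugging approach applies.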
Reputation: 1863
You can use the dumpchk.exe utility that ships with Debugging tools for Windows. Simply pass the dump file as the argument.
In the generated report, you'll have the OS version and the CPU flavor, for example:
Windows 7 Version 7601 (Service Pack 1) UP Free x64
Product: WinNt, suite: SingleUserTS
Upvotes: 1
Reputation: 11890
You can look at the environment variables. The output of the command !peb, among other things, contains a list of environment variables. If you see the variables PROCESSOR_ARCHITEW6432 or ProgramW6432 defined, the OS is 64 bit. Otherwise, it is 32 bit.
Upvotes: 2