Hi,
Based on this Stack Overflow post, I've written a PowerShell function to determine the image type of a Windows executable. PowerShell's System.IO.FileSystemInfo type does not provide this information.
```powershell
function fGetImageArchitecture( [string] $sFilePath )
{
    # The DOS header is 64 bytes; its last element, a long (4 bytes), is the address of the PE header
    [int32] $MACHINE_ARCH_LENGTH = 4   # the Machine field follows the 4-byte "PE\0\0" signature
    [int32] $PE_POINTER_OFFSET = 60
    [byte[]] $aData = New-Object System.Byte[] 4096

    $oFileStream = New-Object -TypeName System.IO.FileStream( $sFilePath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read )
    try {
        $oFileStream.Read( $aData, 0, 4096 ) | Out-Null
    }
    finally {
        # Release the file handle even if the read fails
        $oFileStream.Dispose()
    }

    [int32] $PE_HEADER_ADDR = [System.BitConverter]::ToInt32( $aData, $PE_POINTER_OFFSET )
    [int32] $uiArch = [System.BitConverter]::ToUInt16( $aData, $PE_HEADER_ADDR + $MACHINE_ARCH_LENGTH )

    switch ( $uiArch )
    {
        0       { return "Native" }
        0x014c  { return "x86" }
        0x0200  { return "Itanium" }
        0x8664  { return "x64" }
        default { return "unknown" }
    }
}
```
The function takes the path of the input file as a parameter and returns the image type as a string:
```
PS D:\> fGetImageArchitecture $ENV:SYSTEMROOT\regedit.exe
x64
```
Michael
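
An added example, not part of the original post: a variant that checks the `MZ` and `PE\0\0` signatures and bounds-checks the header offset read from the file before trusting it, so non-PE or truncated files are reported rather than misclassified. The function name `Get-PEMachine`, the returned strings and the ARM64 entry are assumptions of this example.

```powershell
# Added example; Get-PEMachine is a hypothetical name, not code from the post.
function Get-PEMachine {
    param([Parameter(Mandatory = $true)][string] $Path)

    # Resolve against the PowerShell location; .NET uses the process directory.
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    $stream   = [System.IO.File]::OpenRead($fullPath)
    $reader   = New-Object System.IO.BinaryReader($stream)
    try {
        # The DOS header is 64 bytes and must start with the "MZ" magic (0x5A4D).
        if ($stream.Length -lt 64 -or $reader.ReadUInt16() -ne 0x5A4D) {
            return 'not a PE file (no MZ header)'
        }

        # The PE header offset at byte 60 comes from the file itself, so it is
        # untrusted: the signature (4 bytes) and Machine (2 bytes) must fit.
        $stream.Position = 60
        $peOffset = $reader.ReadInt32()
        if ($peOffset -lt 0 -or $peOffset -gt ($stream.Length - 6)) {
            return 'malformed (PE header offset out of range)'
        }

        # The PE header must begin with "PE\0\0" (0x00004550, little-endian).
        $stream.Position = $peOffset
        if ($reader.ReadUInt32() -ne 0x00004550) {
            return 'not a PE file (no PE signature)'
        }

        # Machine is the first field after the signature.
        switch ($reader.ReadUInt16()) {
            0x014c  { return 'x86' }
            0x0200  { return 'Itanium' }
            0x8664  { return 'x64' }
            0xAA64  { return 'ARM64' }
            default { return 'unknown' }
        }
    }
    finally {
        $reader.Dispose()   # also closes the underlying FileStream
    }
}
```

Seeking to the header offset instead of reading a fixed 4096-byte buffer also handles files whose PE header starts beyond the first 4 KB.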