Check if a .exe is console-based or not

Microsoft / Windows vista
January 22, 2010 at 02:54:51
Specs: Windows Vista Ultimate SP2, 3GB
Hi, can someone tell me how to check what type of file a given Windows executable file (.exe) is. I.e. write a utility (in either C++, C#, VBS, or batch) that you pass the pathname of a .exe file, and it tells you if it is a Win32 GUI-only, Win32 Console-based, or Win16/DOS. (I can ignore Win64 for now.)


January 22, 2010 at 03:10:17
Hmm, there should be some command that can tell what bit-type an EXE is ... but I wouldn't directly be able to tell you which.

As for GUI ... there is a tendency, that GUI EXEs do NOT have any text output (they are graphic, so ...). You could do a test on that (Redirect output, see if you get any. This would not even bother the running, but it does if it is a command line one, and one asking for input ...)


January 22, 2010 at 03:44:21
Thanks, but I wanted to check the file type without actually running the file. I may not even know what the file actually does, so would not dare to run it in case it does something nasty like delete files etc.


January 22, 2010 at 04:14:53
If the executable isn't compressed (ipx, etc.) it may be a good idea to crack it open with a text editor (or use something like "strings") and see if you can find any imports (normally toward the end of the .exe). The imports *may* give a good idea of what the program does.

You should also be able to check if it's a win32 .exe by the "this program cannot be run in dos mode" at the very top.

If you check the file at it should also tell you what the imports(if any) are on top of multiple scan results.

Edit: Though I have no idea on how to check if it's a console or gui program, other than check for imports like "ShowWindow", but even that isn't conclusive....

Batch Variable how to


January 22, 2010 at 06:05:19
you could also pipe debug dump out to file and analyze that way. (f/e: debug foo.exe <dump >testfile
where dump is: d0,400 # q
or however much dump is required to determine.)

or write native code to use int 21 aH=4B aL=01 to load
the program then report the relevant header information.

this may be classic case of "TMI", but:
AH = 4Bh
AL = type of load
    00h load and execute
    01h load but do not execute
    03h load overlay (see #01591)
    04h load and execute in background (European MS-DOS 4.0 only)
        "Exec & Go" (see also AH=80h)
DS:DX -> ASCIZ program name (must include extension)
ES:BX -> parameter block (see #01590,#01591,#01592)

this function ignores the filename extension, instead checking the
first two bytes of the file to determine whether there is a valid
.EXE header (see #01594); if not, the file is assumed to be in .COM
format. If present, the file may be in any of several formats which
are extensions of the original .EXE format (see #01593)

Format of EXEC parameter block for AL=00h,01h,04h:
Offset  Size     Description (Table 01590)
 00h    WORD     segment of environment to copy for child process
                 (copy caller's environment if 0000h)
 02h    DWORD    pointer to command tail to be copied into child's PSP
 06h    DWORD    pointer to first FCB to be copied into child's PSP
 0Ah    DWORD    pointer to second FCB to be copied into child's PSP
 0Eh    DWORD    (AL=01h) will hold subprogram's initial SS:SP on return
 12h    DWORD    (AL=01h) will hold entry point (CS:IP) on return
SeeAlso: #01591,#01592

(Table 01593)
Values for the executable types understood by various environments:
 MZ   old-style DOS executable (see #01594)
 ZM   used by some very early DOS linkers, and still supported as an
      alternate to the MZ signature by MS-DOS, PC DOS, PTS-DOS, and S/DOS
 NE   Windows or OS/2 1.x segmented ("new") executable (see #01596)
 LE   Windows virtual device driver (VxD) linear executable (see #01609)
 LX   variant of LE used in OS/2 2.x (see #01609)
 W3   Windows WIN386.EXE file; a collection of LE files
 W4   Windows95 VMM32.VXD file
 PE   Win32 (Windows NT and Win32s) portable executable based on Unix COFF
 DL   HP 100LX/200LX system manager compliant executable (.EXM)
 MP   old PharLap .EXP (see #01619)
 P2   PharLap 286 .EXP (see #01620)
 P3   PharLap 386 .EXP (see #01620)

Format of .EXE file header:
Offset  Size      Description (Table 01594)
 00h    2 BYTEs   .EXE signature, either "MZ" or "ZM" (5A4Dh or 4D5Ah)
                  (see also #01593)
 02h    WORD      number of bytes in last 512-byte page of executable
 04h    WORD      total number of 512-byte pages in executable (includes any
                  partial last page)
 06h    WORD      number of relocation entries
 08h    WORD      header size in paragraphs
 0Ah    WORD      minimum paragraphs of memory required to allocate in addition
                  to executable's size
 0Ch    WORD      maximum paragraphs to allocate in addition to executable's size
 0Eh    WORD      initial SS relative to start of executable
 10h    WORD      initial SP
 12h    WORD      checksum (one's complement of sum of all words in executable)
 14h    DWORD     initial CS:IP relative to start of executable
 18h    WORD      offset within header of relocation table
                  40h or greater for new-format (NE,LE,LX,W3,PE,etc.) executable
 1Ah    WORD      overlay number (normally 0000h = main program)
---new executable---
 1Ch    4 BYTEs   ???
 20h    WORD      behavior bits
 22h    26 BYTEs  reserved for additional behavior info
 3Ch    DWORD     offset of new executable (NE,LE,etc) header within disk file,
                  or 00000000h if plain MZ executable
---ARJ self-extracting archive---
 1Ch    4 BYTEs   signature "RJSX" (older versions, new signature is "aRJsfX" in
                  the first 1000 bytes of the file)
---LZEXE 0.90 compressed executable---
 1Ch    4 BYTEs   signature "LZ09"
---LZEXE 0.91 compressed executable---
 1Ch    4 BYTEs   signature "LZ91"
---PKLITE compressed executable---
 1Ch    BYTE      minor version number
 1Dh    BYTE      bits 0-3: major version
                  bit 4: extra compression
                  bit 5: huge (multi-segment) file
 1Eh    6 BYTEs   signature "PKLITE" (followed by copyright message)
---LHarc 1.x self-extracting archive---
 1Ch    4 BYTEs   unused???
 20h    3 BYTEs   jump to start of extraction code
 23h    2 BYTEs   ???
 25h    12 BYTEs  signature "LHarc's SFX "
---LHA 2.x self-extracting archive---
 1Ch    8 BYTEs   ???
 24h    10 BYTEs  signature "LHa's SFX " (v2.10) or "LHA's SFX " (v2.13)
---TopSpeed C 3.0 CRUNCH compressed file---
 1Ch    DWORD     018A0001h
 20h    WORD      1565h
---PKARCK 3.5 self-extracting archive---
 1Ch    DWORD     00020001h
 20h    WORD      0700h
---BSA (Soviet archiver) self-extracting archive---
 1Ch    WORD      000Fh
 1Eh    BYTE      A7h
---LARC self-extracting archive---
 1Ch    4 BYTEs   ???
 20h    11 BYTEs  "SFX by LARC "
---LH self-extracting archive---
 1Ch    8 BYTEs   ???
 24h    8 BYTEs   "LH's SFX "
---RAR self-extracting archive---
 1Ch    4 BYTEs   signature "RSFX"
---other linkers---
 1Ch    var       optional information

Format of new executable header:
Offset  Size      Description (Table 01596)
 00h    2 BYTEs   "NE" (4Eh 45h) signature
 02h    2 BYTEs   linker version (major, then minor)
 04h    WORD      offset from start of this header to entry table (see #01603)
 06h    WORD      length of entry table in bytes
 34h    WORD      number of resource table entries
 36h    BYTE      target operating system
                  00h unknown
                  01h OS/2
                  02h Windows
                  03h European MS-DOS 4.x
                  04h Windows 386
                  05h BOSS (Borland Operating System Services)
                  81h PharLap 286|DOS-Extender, OS/2
                  82h PharLap 286|DOS-Extender, Windows

Bitfields for new executable program flags:
Bit(s)  Description (Table 01597)
 0-1    DGROUP type
        0 = none
        1 = single shared
        2 = multiple (unshared)
        3 = (null)
 2      global initialization
 3      protected mode only
 4      8086 instructions
 5      80286 instructions
 6      80386 instructions
 7      80x87 instructions

Bitfields for new executable application flags:
Bit(s)  Description (Table 01598)
 0-2    application type
        001 full screen (not aware of Windows/P.M. API)
        010 compatible with Windows/P.M. API
        011 uses Windows/P.M. API
 3      is a Family Application (OS/2)
 5      0=executable, 1=errors in image
 6      non-conforming program (valid stack is not maintained)
 7      DLL or driver rather than application
        (SS:SP info invalid, CS:IP points at FAR init routine called with
        AX=module handle which returns AX=0000h on failure, AX nonzero on
        successful initialization)

Bitfields for other new .EXE flags:
Bit(s)  Description (Table 01599)
 0      supports long filenames
 1      2.X protected mode
 2      2.X proportional font
 3      gangload area

Format of Codeview trailer (at end of executable):
Offset  Size    Description (Table 01600)
 00h    WORD    signature 4E42h ('NB')
 02h    WORD    Microsoft debug info version number
 04h    DWORD   Codeview header offset
SeeAlso: #01624

Format of new executable segment table record:
Offset  Size    Description (Table 01601)
 00h    WORD    offset in file (shift left by alignment shift to get byte offs)
 02h    WORD    length of image in file (0000h = 64K)
 04h    WORD    segment attributes (see #01602)
 06h    WORD    number of bytes to allocate for segment (0000h = 64K)
Note: the first segment table entry is entry number 1

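Added example, not part of the thread: a C++ classifier that answers the original question from header bytes alone, without running the file. It uses the fields from the tables posted above (signature at 00h, new-header offset at 3Ch, NE target OS at 36h) and goes one step further for PE files by reading the Subsystem field of the PE optional header (2 = GUI, 3 = console), which the posted tables do not cover. The names `classify`, `sample` and `rd` are made up for this example, and the sample image is constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <iterator>
#include <string>
#include <vector>
using Bytes = std::vector<uint8_t>;
// Little-endian read of n bytes at off; returns 0 if the field is past EOF.
static uint32_t rd(const Bytes& b, size_t off, int n) {
    if (off + n > b.size()) return 0;
    uint32_t v = 0;
    for (int i = n - 1; i >= 0; --i) v = (v << 8) | b[off + i];
    return v;
}

// Classify from header fields only; the file is never loaded or executed.
std::string classify(const Bytes& b) {
    uint32_t mz = rd(b, 0, 2);
    if (b.size() < 0x1C || (mz != 0x5A4D && mz != 0x4D5A)) return "not an MZ executable";
    size_t nh = rd(b, 0x3C, 4);                    // offset of new header, 0 if plain MZ
    if (nh < 0x40 || nh + 4 > b.size()) return "DOS (plain MZ)";
    if (rd(b, nh, 4) == 0x00004550) {              // "PE\0\0"
        // Subsystem sits 68 bytes into the optional header (PE32 and PE32+).
        if (rd(b, nh + 0x14, 2) < 70 || nh + 0x5E > b.size()) return "PE (truncated header)";
        uint32_t ss = rd(b, nh + 0x5C, 2);
        return ss == 2 ? "Win32 GUI" : ss == 3 ? "Win32 console" : "PE (other subsystem)";
    }
    if (rd(b, nh, 2) == 0x454E)                    // "NE"; target OS byte at 36h
        return rd(b, nh + 0x36, 1) == 2 ? "Win16 (NE)" : "NE (non-Windows target)";
    return "other new-format executable";
}

// Constructed sample: minimal MZ stub plus a PE or NE header at offset 80h.
Bytes sample(const char* sig, uint16_t subsystem) {
    Bytes b(0x100, 0);
    b[0] = 'M'; b[1] = 'Z'; b[0x3C] = 0x80;
    b[0x80] = sig[0]; b[0x81] = sig[1];
    if (sig[0] == 'P') { b[0x94] = 0xE0; b[0xDC] = (uint8_t)subsystem; }  // SizeOfOptionalHeader, Subsystem
    else b[0xB6] = 2;                              // NE target OS = Windows
    return b;
}
int main(int argc, char** argv) {
    Bytes b = sample("PE", 3);                     // default: constructed console PE
    if (argc > 1) {                                // or classify the file named on the command line
        std::ifstream f(argv[1], std::ios::binary);
        b.assign(std::istreambuf_iterator<char>(f), std::istreambuf_iterator<char>());
    }
    std::printf("%s\n", classify(b).c_str());
}
```

Every offset is bounds-checked against the file size, so a truncated or hostile file produces a label rather than an out-of-range read.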

January 22, 2010 at 10:45:17
Thanks nbrane, I didn't realise just how much work was involved
in checking the executable file image header. Thankfully, I found
a Windows port of the common Unix 'file' utility (file.exe) which
tells me exactly what type of file it is.


January 23, 2010 at 05:51:43
Love that update Klint ...
