How to know the type of a file through the PE HEADER

Question

https://learn.microsoft.com/zh-cn/windows/win32/api/winnt/ns-winnt-image_optional_header32

if the file is exe, Are the values of subSystem always 2 or 3 ?

how to Confirm whether a file is .sys ?

Answer 1

how to Confirm whether a file is .sys ?

You should find ntoskrnl.exe in the Import Directory (IMAGE_DIRECTORY_ENTRY_IMPORT)

Answer 2

Hello,

Welcome to Microsoft Q&A!

if the file is exe, Are the values of subsystem always 2 or 3 ?

I suggest you could refer to the Blog: How do I write a program that can be run either as a console or a GUI application?

Each PE application contains a field in its header that specifies which subsystem it was designed to run under. You can say IMAGE_SUBSYSTEM_WINDOWS_GUI to mark yourself as a Windows GUI application, or you can say IMAGE_SUBSYSTEM_WINDOWS_CUI to say that you are a console application.

As far as I'm concerned, if the file is exe, values of subsystem are always IMAGE_SUBSYSTEM_WINDOWS_GUI or IMAGE_SUBSYSTEM_WINDOWS_CUI.

However, if you want to confirm whether the file is .exe. I suggest you could try to look in the Characteristics member of IMAGE_FILE_HEADER. If the file is .exe, the Characteristics member is IMAGE_FILE_EXECUTABLE_IMAGE.

how to Confirm whether a file is .sys ?

If you want to confirm whether the file is .sys.the Characteristics member is IMAGE_FILE_SYSTEM.

I suggest you could refer to the Doc: IMAGE_FILE_HEADER structure

Thank you.

Jeanine

---

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.