question

0 Votes
WinSider-4575 asked WinSider-4575 edited

Detect x86_64 process on ARM64

I need to determine what architecture a process (not my own) is. With IsWow64Process2 I can get the process architecture and the native architecture. The documentation says of pProcessMachine:

The value will be IMAGE_FILE_MACHINE_UNKNOWN if the target process is not a WOW64 process; otherwise, it will identify the type of WoW process.

So my code checks

 if (usProcessMachine == IMAGE_FILE_MACHINE_UNKNOWN)
   usProcessMachine = usNativeMachine;

This all works great on i686, x86_64, and released ARM64 versions of Windows with i686, x86_64, ARM32, and ARM64 processes.

BUT, on the ARM64 Insider Preview version, which supports x86_64 processes via emulation, IsWow64Process2 returns pProcessMachine = IMAGE_FILE_MACHINE_UNKNOWN, pNativeMachine = IMAGE_FILE_MACHINE_ARM64, just like it does for ARM64 processes. How can I tell the difference between an ARM64 process and an x86_64 process on ARM64 Windows?

windows-api

1 Vote
WinSider-4575 answered WinSider-4575 edited

It's probably bad form to answer your own question, but the person who answered this for me is not on this forum, so I figured I'd at least provide an update for posterity. Thanks go to Biswa96

https://github.com/msys2/MINGW-packages/discussions/8991

Calling GetProcessInformation with ProcessMachineTypeInfo appears to tell me what I want to know, but unfortunately it doesn't seem to be present in 20H2 or 21H1, only in the Insider Preview. So my answer came out something like

   if (!pIsWow64Process2(process, &process_arch, &native_arch))
     return FALSE;
    
   /* The value will be IMAGE_FILE_MACHINE_UNKNOWN if the target process
    * is not a WOW64 process
    */
   if (process_arch == IMAGE_FILE_MACHINE_UNKNOWN)
     {
       struct _PROCESS_MACHINE_INFORMATION
         {
           /* 0x0000 */ USHORT ProcessMachine;
           /* 0x0002 */ USHORT Res0;
           /* 0x0004 */ DWORD MachineAttributes;
         } /* size: 0x0008 */ process_machine_info;
    
       is_wow = FALSE;
       /* However, x86_64 on ARM64 claims not to be WOW64, so we have to
        * dig harder... */
       /*#define ProcessMachineTypeInfo 9*/
       if (pGetProcessInformation &&
           pGetProcessInformation(process, (PROCESS_INFORMATION_CLASS)9,
             &process_machine_info, sizeof(process_machine_info)))
         process_arch = process_machine_info.ProcessMachine;
       else
         process_arch = native_arch;
     }
   else
     {
       is_wow = TRUE;
     }
   return TRUE;
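
A self-contained version of the approach in the answer above, as an added example that is not part of the original post: it resolves both APIs at run time and keeps the decision logic in a separate function. The names `proc_arch`, `classify_arch` and `query_process_arch` and the `ARCH_*` constants are assumptions made for this example; the Windows-only part is compiled only when `_WIN32` is defined.

```c
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* IMAGE_FILE_MACHINE_* values from winnt.h, redefined so the logic builds anywhere. */
enum { ARCH_UNKNOWN = 0x0000, ARCH_I386 = 0x014c, ARCH_AMD64 = 0x8664, ARCH_ARM64 = 0xAA64 };

typedef struct {
    uint16_t machine;   /* architecture of the target process's code */
    int is_wow;         /* 1 if IsWow64Process2 reported a WOW64 guest */
    int from_fallback;  /* 1 if only the native machine could be assumed */
} proc_arch;

/* Hypothetical helper: merge the two API results the way the answer does.
 * have_info is 0 when GetProcessInformation(ProcessMachineTypeInfo) is
 * missing or fails. */
proc_arch classify_arch(uint16_t wow_machine, uint16_t native_machine,
                        int have_info, uint16_t info_machine)
{
    proc_arch r = { wow_machine, 1, 0 };
    if (wow_machine != ARCH_UNKNOWN)
        return r;                       /* classic WOW64 guest */
    r.is_wow = 0;
    r.from_fallback = !have_info;
    r.machine = have_info ? info_machine  /* e.g. AMD64 emulated on ARM64 */
                          : native_machine;
    return r;
}

#ifdef _WIN32
typedef BOOL (WINAPI *IsWow64Process2_t)(HANDLE, USHORT *, USHORT *);
typedef BOOL (WINAPI *GetProcessInformation_t)(HANDLE, PROCESS_INFORMATION_CLASS, LPVOID, DWORD);

/* Resolve both APIs at run time so the binary still loads on older Windows. */
int query_process_arch(HANDLE process, proc_arch *out)
{
    HMODULE k32 = GetModuleHandleW(L"kernel32.dll");
    IsWow64Process2_t wow2 = (IsWow64Process2_t)GetProcAddress(k32, "IsWow64Process2");
    GetProcessInformation_t gpi = (GetProcessInformation_t)GetProcAddress(k32, "GetProcessInformation");
    struct { USHORT machine; USHORT res0; DWORD attrs; } info = { 0, 0, 0 };
    USHORT wow = 0, native = 0;
    if (!wow2 || !wow2(process, &wow, &native))
        return 0;
    int have = gpi && gpi(process, (PROCESS_INFORMATION_CLASS)9 /* ProcessMachineTypeInfo */,
                          &info, sizeof info);
    *out = classify_arch(wow, native, have, info.machine);
    return 1;
}
#endif
```

The `from_fallback` flag lets a caller distinguish an architecture reported by `ProcessMachineTypeInfo` from one assumed to equal the native machine.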



0 Votes
XiaopoYang-MSFT answered XiaopoYang-MSFT commented

As everyone knows, the Insider Preview version is not the Public Stable version.
And according to WOW64 Implementation Details, perhaps you can check the specific DLL loaded (such as xtajit.dll and wowarmw.dll for an ARM64 machine) or environment variables (such as PROCESSOR_ARCHITECTURE, PROCESSOR_ARCHITEW6432, etc.).

These DLLs, along with the 64-bit version of Ntdll.dll, are the only 64-bit binaries that can be loaded into a 32-bit process. On Windows 10 on ARM, CHPE (Compiled Hybrid Portable Executable) binaries may also be loaded into an x86 32-bit process.




Yes, I contrasted the Public Stable version with the Insider Preview. I am looking for some clarification as to whether this is an oversight in the Insider Preview (and I can feel comfortable pushing code looking at IsWow64Process2 to definitively answer what arch a process is), or if there's some other API that I should be looking at. After all, taskmgr on the Insider Preview has a column on the details view that shows exactly what I want to know, so there must be some way to find it.


Which column shows the details you wanted? The "Detecting an x64 app running on ARM64" question may answer you.



Ooh, that's close, but I am trying to find the information for a different process, not the current process. I don't have the Insider Preview open in front of me, but I believe the column is called "Architecture".
