PE File typing

I am looking for ways to identify different kinds of PE files like
services, versus DLLs versus drivers versus regular PE exe files.

Is there a way to classify all this from the PE headers, or is the only way
to assertively do this to look at the export tables?

thanks
Al

The PE header can tell you kernel vs user mode. A service exe is the same as a normal exe, so no, the PE header won’t tell you. You have to look at the imports to infer what the binary’s runtime functionality is.

Bent from my phone


From: xxxxx@lists.osr.com on behalf of xxxxx@gmail.com
Sent: Tuesday, March 6, 2018 3:29:15 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] PE File typing

I am looking for ways to identify different kinds of PE files like services, versus DLLs versus drivers versus regular PE exe files.

Is there a way to classify all this from the PE headers, or is the only way to assertively do this to look at the export tables?

thanks
Al

You can use pefile in Python:

:\>cat pyel.py

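import pefile
# Raw string so the backslashes in the Windows path are taken literally.
pe = pefile.PE(r"c:\windows\system32\calc.exe")
# Each helper returns True or False for the loaded image.
print(pe.is_dll())
print(pe.is_driver())
print(pe.is_exe())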
:\>python pyel.py
False
False
True

As Doron replied, you can't differentiate between a normal exe and an exe
for a service.

On 3/7/18, xxxxx@microsoft.com wrote:
> The PE header can tell you kernel vs user mode. A service exe is the same as a
> normal exe, so no, the PE header won’t tell you. You have to look at the
> imports to infer what the binary’s runtime functionality is.
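
Added example, not code from any poster in this thread: a standard-library-only sketch of the header checks discussed above (the DLL flag in the COFF Characteristics, the native subsystem for kernel mode) plus a crude import-name hint for services. The names classify_pe, build_sample and SERVICE_HINT are hypothetical, the choice of StartServiceCtrlDispatcher as the service indicator is an assumption, and the sample headers are constructed for the demo.

```python
import struct

IMAGE_FILE_DLL = 0x2000        # COFF Characteristics: image is a DLL
IMAGE_SUBSYSTEM_NATIVE = 1     # Subsystem: native (drivers, native apps)
# Assumption: an import of this API (A or W variant) suggests a service.
SERVICE_HINT = b"StartServiceCtrlDispatcher"

def classify_pe(data):
    """Classify raw PE bytes as 'native', 'dll', 'exe' or 'exe (service hint)'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4            # 20-byte COFF file header
    opt = coff + 20                # optional header follows it
    if len(data) < opt + 70:
        raise ValueError("headers truncated")
    (characteristics,) = struct.unpack_from("<H", data, coff + 18)
    # Subsystem sits at offset 68 in both PE32 and PE32+ optional headers.
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    if subsystem == IMAGE_SUBSYSTEM_NATIVE:
        return "native"
    if characteristics & IMAGE_FILE_DLL:
        return "dll"
    # The headers cannot separate a service from any other exe. Import names
    # are stored as ASCII, so a byte search is a crude stand-in for walking
    # the import table; it misses APIs resolved at run time.
    if SERVICE_HINT in data:
        return "exe (service hint)"
    return "exe"

def build_sample(characteristics, subsystem, extra=b""):
    """Constructed minimal headers for the demo, not a loadable image."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, characteristics)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)       # PE32+ magic
    struct.pack_into("<H", opt, 68, subsystem)
    return dos + b"PE\0\0" + coff + bytes(opt) + extra

if __name__ == "__main__":
    samples = {
        "dll": build_sample(0x2022, 2),
        "driver": build_sample(0x0022, 1),
        "plain exe": build_sample(0x0022, 3),
        "service exe": build_sample(0x0022, 3, b"StartServiceCtrlDispatcherW\0"),
    }
    for name, blob in samples.items():
        print(name, "->", classify_pe(blob))
```

A "native" result covers any image built for the native subsystem, so treat it as a kernel-mode candidate rather than proof of a driver.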