Determining If A Running Process Is Emulated 32 Bit In .NET On Windows

The previous post, Determining If A Running Process Is 64 Bit In .NET, discussed how to determine whether to shell to a 32 or a 64-bit process.

If you use the Is64BitProcess property of the Environment class, there is a possible edge case to consider.

64-bit Windows can absolutely run a 32-bit process. It does so using WOW, where it emulates a 32-bit environment.

This means that there are (theoretically) 3 possibilities to check for:

1. A 64-bit process
2. A 32-bit process
3. A 32-bit process running in 64-bit mode.

If you need to conclusively check for the third, you will need to use the Windows API.

// Reference the Windows API call
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern bool IsWow64Process(IntPtr hProcess, out bool wow64Process);

// Variable to store the result of the call
bool isWow64;
if (!IsWow64Process(Process.GetCurrentProcess().Handle, out isWow64))
  throw new Exception("Error invovking API");
if (isWow64)
{
  Console.WriteLine("Emulated 32 bit");
}
else
{
  Console.WriteLine("Not Emulated 32");
}

Here we can see that once we invoke the Windows API call, the result is stored in the bool isWow64 variable, which we can subsequently interrogate.

You may need additional permissions if you need to query other processes.

TLDR

It is possible to check if a process is an emulated 32-bit process using the Windows API.

Happy hacking!