EXE & DLL File Viewer

When you download a Windows program, the file itself is the most honest source of truth about what it actually is. The EXE / PE Viewer opens that file in your browser and decodes its internal structure — the same Portable Executable (PE) format that every .exe, .dll, .sys, .drv, .ocx, .scr and .cpl on Windows shares — so you can read what a program declares about itself before you ever double-click it. It reads bytes only; it never runs the program, never modifies it, and never uploads it anywhere.

Every PE file begins with a small DOS stub (the familiar “MZ” magic and the “This program cannot be run in DOS mode” message), followed by the real PE header that Windows actually loads. From that header the viewer reads the machine type and tells you whether the binary is 32-bit (PE32, x86), 64-bit (PE32+, x64), ARM64, or something more exotic like Itanium or RISC-V. It also decodes the file’s characteristics to distinguish a normal application from a dynamic-link library (DLL) or a kernel driver, and reads the subsystem field to show whether the program expects a graphical window, a console, or the native/driver environment. These few fields alone answer the most common question people have about a mystery executable: what kind of thing is this, and will it even run on my machine?

Beyond architecture, the header carries a compile timestamp, the linker version that produced the file, and the minimum Windows version it targets. The viewer converts the timestamp into a human-readable date while being honest that this value lives inside the file and can be zeroed or forged — so it is shown as a hint, not as proof of when the file was built. The tool also checks the certificate (Security) data directory to tell you whether the file is digitally signed. It deliberately reports only the presence of a signature, not its validity: fully verifying an Authenticode certificate chain is not something a browser can do reliably, so claiming a signature is “valid” would be misleading.

One of the most useful panels lists the file’s imports — the external DLLs it depends on and the specific functions it calls from each. This is where an executable reveals a great deal about its behaviour: a program that imports networking functions from WININET or WS2_32 clearly talks to the internet; one that imports heavily from GDI32 and USER32 draws windows; one that pulls in CRYPT32 handles certificates or encryption. Developers use this view to understand dependencies and diagnose “missing DLL” errors, while curious users use it to get a rough sense of what an unknown .exe is capable of doing. For DLLs, the Exports panel does the reverse, listing the functions a library makes available to other programs along with their ordinals.

The Sections panel breaks the file into its constituent regions — typically .text for code, .data and .rdata for data, .rsrc for resources, and .reloc for relocations — and shows each one’s virtual size, raw size, and read/write/execute permissions. For every section it also calculates Shannon entropy, a measure of how random the bytes look on a scale from 0 to 8. Ordinary code and data sit comfortably below 7; values pushed up near 8.0 usually mean the content is compressed or encrypted, which is the signature of a packer. The viewer recognises the section names left behind by common packers and protectors — UPX, ASPack, Themida, VMProtect, MPRESS and others — and surfaces a “Packer detected” note when it sees them. Packing is completely legitimate (plenty of commercial software ships packed to reduce size), but it is useful to know, because a packed file hides its real imports and strings until it unpacks itself at runtime.

The Resources & Icons panel is where the tool earns its keep for everyday users. Windows stores a program’s icons inside the PE resource tree as a group-icon directory pointing at individual image entries, and the viewer walks that tree, reconstructs a valid .ico file from the raw image data — handling both classic BMP icons and modern PNG-compressed ones — and lets you download the full multi-size .ico or export any single size as a PNG. If you have ever wanted the high-resolution icon out of an application, this does it in a couple of clicks. The same panel reads the version resource (VS_VERSIONINFO) to display the publisher metadata an author embedded: CompanyName, ProductName, FileDescription, FileVersion, ProductVersion, OriginalFilename, InternalName and LegalCopyright. When a file embeds an application manifest, the raw XML is shown too, which can reveal requested privilege levels and declared Windows compatibility.

For identification and reputation, the Hashes panel computes SHA-256, SHA-1 and MD5 entirely in your browser, reading the file in chunks so even large binaries don’t exhaust memory. Each hash has a one-click copy button. A hash is a compact fingerprint of the exact bytes, which makes it the right way to ask a third party about a file without exposing the file itself — so the viewer offers a “Look up hash on VirusTotal” button that opens VirusTotal’s report for that SHA-256. Only the hash travels in the URL; the file is never uploaded. If the hash is already known to VirusTotal you’ll see the community’s scan results, and if it isn’t, that absence is informative too.

An optional Strings panel extracts readable ASCII and UTF-16 text from the binary on demand, which can surface URLs, file paths, error messages and configuration hints embedded in the code. Finally, a Safety Signals panel collects the structural observations above — signed or unsigned, packed or not, the presence of memory- and process-manipulation imports, and any unusual writable-and-executable sections — and presents them as neutral chips. It is important to be clear about what this is and is not: these are structural signals, not an antivirus verdict. The tool cannot and does not tell you a file is “safe” or “malware”. It gives you the facts the file declares about itself and points you to a real reputation service when you need one.

Everything runs locally. The file you drop is read with the browser’s File API and parsed in memory for the duration of your session only; nothing is stored, cached, or sent to a server, which you can confirm in your browser’s Network tab. That makes the EXE / PE Viewer a fast, private file detective for inspecting installers, libraries and drivers — whether you’re a developer auditing a dependency, an IT admin triaging an unknown download, or simply someone who wants to know what an .exe is before trusting it.