The other day I came across an excellent function written by Boe Prox, called Get-FileSignature. His function will read a file and give you the Hex and ASCII signature of the file. I thought a bit about how I could use this function and came across several sites on-line listing the file signatures of known file formats. That got me thinking! What if I could create a function that tried to determine a files type based on its file signature? 

And so the first version of Get-FileType was born. It has only one parameter, a path to a file. Internally it has a list of known file signatures, and it uses Get-FileSignature to check for each of them for each file through the path parameter. The output is an object with a type description and some additional information gotten from Get-FileSignature.

The internal signature list is by all means not complete, but I added some common ones and stuff I personally would find useful. If you use this function, and end up adding more file signatures to the list, please let me know so I can update my function as well!

Remember that you need Get-FileSignature in order for this function to work!

function Get-FileType {
Try to get the file type based on it's file signature.
This function uses Get-FileSignature by Boe Prox and a list of
known file signatures to try to find the file type of a given file.
Get-FileType c:\path\to\file.pdf
Author: Øyvind Kallstad
Date: 15.12.2014
Version: 1.0
param (
# Path to file.
[Parameter(Position = 0, ValueFromPipelineByPropertyName)]
[string[]] $Path
begin {
# description, hex signature, byte offset, byte limit
$fileSignatures = @(
@('Portable Network Graphics (PNG)','89504E470D0A1A0A',0,8),
@('Graphics Interchange Format – GIF87a (GIF)','474946383761',0,6),
@('Graphics Interchange Format – GIF89a (GIF)','474946383961',0,6),
@('Icon (ICO)','00000100',0,4),
@('MPEG-4 (MP4)','000000*66747970',0,8),
@('MPEG-4 (MP4)','336770',0,3),
@('Windows/DOS executable file (EXE/COM/DLL/DRV/PIF/OCX/OLB/SCR/CPL ++)','4D5A',0,2),
@('Archive (RAR)','526172211A0700',0,7),
@('Archive (RAR)','526172211A070100',0,8),
@('Adobe Portable Document Format (PDF) / Forms Document file (FDF)','25504446',0,4),
@('MPEG-1 Audio Layer 3 (MP3)','FFFB',0,2),
@('MPEG-1 Audio Layer 3 (MP3)','494433',0,3),
@('ISO9660 CD/DVD image (ISO)','4344303031','0x8001',5),
@('ISO9660 CD/DVD image (ISO)','4344303031','0x8801',5),
@('ISO9660 CD/DVD image (ISO)','4344303031','0x9001',5),
@('Install Shield compressed file (CAB/HDR)','49536328',0,4),
@('Microsoft cabinet file (CAB) / Powerpoint Packaged Presentation (PPZ) / Microsoft Access Snapshot Viewer file (SNP)','4D534346',0,4),
@('Microsoft Windows Imaging Format file (WIM)','4D5357494D',0,5),
@('Rich text format (RTF)','7B5C72746631',0,6),
@('TrueType font file (TTF)','0001000000',0,5),
@('Windows shell link (shortcut) file (LNK)','4C00000001140200',0,8),
@('Windows Help (HLP/GID)','4C4E0200',0,4),
@('Windows Help (HLP/GID)','3F5F0300',0,4),
@('Windows Help (HLP)','0000FFFFFFFF',0,6),
@('Windows Registry (REG/SUD)','52454745444954',0,7),
@('Windows Registry (REG)','FFFE',0,2),
@('Archive (ZIP/JAR)','504B0304',0,4),
@('Microsoft security catalog file (CAT)','30',0,1),
@('Windows memory dump (DMP)','5041474544554D50',0,8),
@('Windows 64-bit memory dump (DMP)','5041474544553634',0,8),
@('Windows minidump (DMP) / Windows heap dump (HDMP)','4D444D5093A7',0,6),
@('Microsoft Compiled HTML Help (CHM/CHI)','49545346',0,4),
@('Waveform Audio (WAV)','52494646*57415645',0,12)
process {
foreach ($filePath in $Path) {
if (Test-Path $Path) {
foreach($signature in $fileSignatures) {
if($thisSig = Get-FileSignature Path $filePath HexFilter $signature[1] ByteOffset $signature[2] ByteLimit $signature[3]) {
Write-Output (,([PSCustomObject] [Ordered] @{
Path = $filePath
FileType = ($signature[0])
HexSignature = $thisSig.HexSignature
ASCIISignature = $thisSig.ASCIISignature
Extension = $thisSig.Extension
else {
Write-Warning "$filePath not found!"

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s