x86/x64 Emulation Compatibility on EC2 Graviton Windows 11 ARM
x86/x64 Emulation Compatibility on EC2 Graviton Windows 11 ARM
After running Windows 11 ARM on EC2 Graviton instances, the most practical question is: do x86/x64 operations tools still work? This article tests the full Sysinternals Suite on t4g.large (Graviton2), comparing ARM64 native vs x64 emulated performance.
Test Environment
| Item | Configuration |
|---|---|
| Instance | t4g.large (2 vCPU / 8 GB), Graviton2 |
| OS | Windows 11 Pro 25H2 ARM64 (Build 26200) |
| Sysinternals Suite | v2024.11.28 (ARM64 + x64 editions) |
Quick Summary
| Category | ARM64 Native | x64 Emulated | Notes |
|---|---|---|---|
| User-mode tools (PsExec, Handle, sigcheck, etc.) | Works | Works | All function normally |
| Kernel driver tools (Sysmon) | Works | Fails | x64 kernel drivers cannot load into ARM64 kernel |
| Performance overhead | Baseline | +10%–32% | IO-bound gap is small, CPU-bound gap is larger |
| SSM Agent / AWS CLI | Runs emulated as x64 | — | No ARM64 native version available, but works fine |
| PowerShell 5.1 | Runs emulated as x64 | — | Process self-reports Architecture=X64 |
| Hyper-V / WSL / Containers | Unavailable | — | No nested virtualization support |
How the Emulation Layer Works
Windows 11 ARM ships with two built-in translators:
- xtajit64.dll (in System32): x64 → ARM64 JIT translation (Prism), handles 64-bit x64 programs
- xtajit.dll (in SysWOW64): x86 → ARM64 translation, handles 32-bit x86 programs
Translation happens in user mode and is transparent to applications. Processes "see" ProcessArchitecture as X64, and APIs like GetNativeSystemInfo return x64 information. However, this mechanism only covers user mode — kernel drivers must be compiled natively for ARM64.
Observed process distribution: 138 ARM64 native, 6 x64 emulated, 1 x86 emulated.
Sysinternals Tool Compatibility
The ARM64 native edition (filenames with 64a suffix) has 58 tools; the x64 standard edition has 151. Core operations tools all have ARM64 native versions.
Tools with ARM64 Native Versions (58 tools)
Includes: PsExec64a, Procmon64a, procexp64a, Sysmon64a, handle64a, autorunsc64a, sigcheck64a, procdump64a, strings64a, psping64a, Autoruns64a, accesschk64a, ADExplorer64a, ADInsight64a, and more.
Tools with x64-Only Versions
PsLoggedon, psloglist, Cacheset, Clockres, Contig, CPUSTRES, ctrl2cap, Desktops, disk2vhd, Diskmon, DiskView, du, efsdump, hex2dec, junction, ldmdump, livekd, LoadOrd, logonsessions, movefile, notmyfault, ntfsinfo, pendmoves, pipelist, portmon, RAMMap, RDCMan, regjump, ru, sdelete, ShareEnum, ShellRunas, sync, tcpview, Testlimit, vmmap, Volumeid, Winobj, ZoomIt, and more.
All these x64-only tools run normally under the emulation layer (user-mode tools).
Kernel Driver Tool Tests
| Tool | ARM64 Native | x64 Emulated |
|---|---|---|
| Sysmon64a.exe (ARM64) | Driver installs and starts successfully, events collected normally | — |
| Sysmon64.exe (x64) | — | Install succeeds but SysmonDrv fails to start |
The ARM64 native Sysmon loads the SysmonDrv kernel driver normally and produces Process Create and Process Terminate events in the Event Log. The x64 version reports installed but StartService failed for SysmonDrv — the kernel only accepts ARM64 native drivers.
x64 Tool Emulation Test Results
| Tool | Test Operation | Result |
|---|---|---|
| PsExec64.exe | Local cmd /c echo | Pass |
| PsInfo64.exe | Query system info | Correctly shows Graviton2 processor |
| handle64.exe | Enumerate explorer.exe handles | Pass |
| Listdlls64.exe | Enumerate explorer.exe DLLs | Pass |
| autorunsc64.exe | Scan startup items | Pass |
| sigcheck64.exe | Verify ntoskrnl.exe signature | Pass (reports MachineType: 64-bit ARM) |
| strings64.exe | Extract ntoskrnl.exe strings | Pass |
| psping64.exe | TCP ping localhost:3389 | Pass (~0.43ms latency) |
| procdump64.exe | Dump explorer process | Success (1055 MB, 32.6 seconds) |
| Coreinfo64.exe | Query CPU info | Runs but some info inaccurate (reports 32-bit address width) |
Performance Comparison: ARM64 Native vs x64 Emulated
sigcheck Signature Verification (scanning ntoskrnl.exe, 5 runs total)
| Version | Time | Overhead |
|---|---|---|
| sigcheck64a (ARM64 native) | 731 ms | Baseline |
| sigcheck64 (x64 emulated) | 964 ms | +32% |
strings Extraction (scanning ntoskrnl.exe, single run)
| Version | Time | Overhead |
|---|---|---|
| strings64a (ARM64 native) | 15,671 ms | Baseline |
| strings64 (x64 emulated) | 17,310 ms | +10% |
IO-bound operations have ~10% emulation overhead; CPU-bound operations (cryptographic signature verification) have ~32% overhead.
AWS Component Status
| Component | Architecture | Status |
|---|---|---|
| Amazon SSM Agent 3.3.4624.0 | x64 (emulated) | Running |
| Amazon Inspector SSM Plugin | x64 (emulated) | Installed |
| AWS CLI v2.35.5 | x64 (emulated) | Functional |
| ENA Network Adapter | ARM64 native | Normal |
SSM Agent has no ARM64 native version but works normally through the x64 emulation layer.
Incompatible Scenarios
- Kernel drivers: All x64 software depending on kernel drivers will not work. This includes x64 Sysmon drivers, x64 antivirus real-time monitoring drivers, x64 VPN client TUN/TAP drivers, etc.
- Hyper-V / WSL / Windows Sandbox: All unavailable. Graviton does not support nested virtualization.
- Coreinfo data inaccuracy: The x64 Coreinfo may report incorrect CPU topology and address widths. Use the ARM64 native Coreinfo64a instead.
- 16-bit programs: Completely unsupported (Windows 11 itself doesn't support 16-bit).
Practical Recommendations
- Prefer ARM64 native tools (
*64a.exe) for best performance and most accurate information. - x64-only user-mode programs run directly with good emulation compatibility.
- Sysmon for security monitoring must use the ARM64 native version; the x64 kernel driver fails to load.
- SSM Agent runs emulated as x64 but is fully functional — Send Command, Session Manager all work.
- When running performance benchmarks, be aware whether the test tool itself is native or emulated — emulated tools include translation overhead in their measurements.
