How to open a .dat file — identify the contents first

What .dat actually means

.dat is a generic extension used by many unrelated applications. Game save files, Outlook TNEF attachments (winmail.dat), SQLite databases, and custom binary dumps all hide behind the same name.

Bottom line: the extension alone proves nothing, so use the leading bytes (magic numbers) to determine the real format first.

Decision table (what to check and what to do next)

Situation	What to check	Next action
Unknown sender, email attachment	Do not open. Save to disk first	Go to Step 1. If anything feels off, delete
Just downloaded an unfamiliar .dat	On Windows, watch for Mark of the Web + SmartScreen warnings	Don't bypass the warning. Don't open it directly from the browser
You know which app produced it	Whether that app can open it directly	Open it from that app — .dat payloads often use private headers
Source app unknown	Run the file through Step 1	Match the result against "Common magic bytes" below
No signature matches	Sender, storage path, transfer route	Jump to Step 3

Step 0: Copy the file first

Before touching anything, duplicate the file into a working directory. If a rename or overwrite goes wrong, you still have the original.

Step 1: Inspect the bytes in your browser

1. Drop the copy into our File Signature Checker (nothing is uploaded; everything runs in your browser).
2. The leading bytes reveal the real format — PDF, ZIP, image, or executable.
3. If it matches an executable (PE/EXE, Mach-O, ELF), do not rename and open it. Switch to Is this .exe safe? instead.

Common magic bytes (representative examples only)

First bytes (hex)	ASCII	Typical format	What to do next
4D 5A	MZ	Windows executable (PE/EXE)	Do not run. Go to the exe safety guide
25 50 44 46 2D	%PDF-	PDF	Rename to .pdf and open in a PDF viewer
50 4B 03 04	PK..	ZIP / DOCX / XLSX / EPUB and other ZIP-based	Unzip first, then inspect the inner files
89 50 4E 47	.PNG	PNG image	Rename to .png, open in an image viewer
FF D8 FF	—	JPEG image	Rename to .jpg
53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33 00	SQLite format 3\0	SQLite DB (spec)	Open with DB Browser for SQLite
7F 45 4C 46	.ELF	Linux executable	Do not run. Use an isolated environment if you must
CF FA ED FE / CE FA ED FE	—	macOS Mach-O executable	Do not run.

Treat the table above as representative examples only — many proprietary formats aren't listed. If none match, continue to Step 3.

Step 2: Common formats

• If the signature matches a standard format (PDF, ZIP, image), rename the copy and open with the appropriate app.
• Be aware that the originating app may have prefixed its own header. A generic viewer can render it, but parts may look broken. If you know the source application, opening it there is safer.

Step 3: When nothing matches

Context about the source app or filename is the next clue. The items below are representative examples — real .dat payloads often use private, undocumented shapes.

• winmail.dat (example): Outlook TNEF; Microsoft publishes the spec as MS-OXTNEF. Contents are attachments + metadata. On Windows, tools like Winmail Opener can extract them. In Gmail, you need to disable TNEF on the sender side or use a conversion tool.
• Game save files (example): proprietary binary; only the game itself can read them.
• Application databases (example): a leading SQLite format 3\0 means SQLite (file format spec). Inspect with DB Browser for SQLite or the sqlite3 CLI.
• Legacy Windows app logs / settings (example): best opened by the original app. A hex editor may reveal embedded app-name strings in the first few hundred bytes.

Safety checklist

• A .dat from an unknown sender can disguise an executable. Always scan with antivirus (how to use VirusTotal).
• Encrypted archives and DB files ignore extension renames — go back to the source app.
• Don't let the OS "figure it out" via double-click before you know what's inside.
• On Windows, downloaded files carry the Mark of the Web so SmartScreen can warn you. Don't dismiss those warnings.