How to Get the Hash (MD5, SHA1, SHA256, SHA512) of a File on Windows Without Installing Anything
How to Get a Checksum of a File using Windows' Built-in Programs
Sometimes, when you go to a website to download a program or some other file, the page lists a series of letters and numbers, known as a hash, for that file. For example, the site may say that the file has an MD5 hash of "d597850f62c02287cd5a6869544b3e06", an SHA1 hash of "21531996203e83575d5e61e861c147d687c57ed6" and so on. This sequence of cryptic letters and numbers, along with the file size (which should also be listed), is given so that you have the means to check that the file you downloaded is most likely the same as the one the website offered. This article shows you how you can generate the hash of a file on a Windows system using the programs already preinstalled, so that you can compare it with the official hashes listed.
What is a Hash?
Feel free to skip to the next section if you already know what a hash is, or can't be bothered to find out more (eg, you are thinking, "Who cares what a hash is? Just tell me the practical steps to take."). Note also that this is a rough explanation, intended for the layperson. If you are a programmer, and need a precise and technically accurate description, please read a programming reference instead.
For our purposes here, a hash is something like a checksum. Let's say you work at a bank, and your job is to enter a list of account numbers, together with some data about each account, into the computer system. How do you know that at the end of a long session of entering data, you have typed in everything accurately? This is especially so for things like account numbers, which have no inherent meaning (unlike normal words), and therefore are easy to get wrong.
One possible way is to use a checksum. Let's say that the account numbers use the format of "123-456-789-5", where the last digit ("5") is a checksum. The fictitious bank in this illustration uses a checksum that is calculated by adding all the earlier digits in the account number (ie, 1+2+3+4+5+6+7+8+9), resulting in a total of 45, and discarding everything in the answer except the last digit (ie, 5). If you make a mistake and enter "124-456-789-5" instead (where you type 4 instead of 3 for the third digit), the computer system instantly knows that you have made a mistake somewhere, since an account number beginning with the digits "124-456-789-" should have a final digit (the checksum) of "6", but you entered "5".
Notice though that it is still possible to have an account number that is entered wrongly, but where the checksum is unable to show that error, since, in this example, we only have 10 possible checksums, 0 to 9, for the 1 billion possible account numbers. In general, checksums are often not intended to be a 100% accurate method of making sure the data is correct. They are usually meant only to be a quick and dirty way of detecting certain errors. That said, the algorithm used in this example, where we only preserve the last digit of the sum, is particularly flawed.
Hashes are similar to checksums, except that they were originally created for other purposes besides error checking. However, by design, hashes are often unique for a wide range of data (though not all possible data), unlike my lousy checksum method mentioned in the above example, so they are sometimes used as a quick and dirty way to check if the file we downloaded is most likely the same one that the author (or distributor) intended us to have.
Before You Get Overconfident About the Results
When you check a file you downloaded to see if it is genuine, that is, that it has not been tampered with nor has it been corrupted in transit, you should note the following:
The file sizes must also be identical. An identical checksum or hash alone is not enough. Anyone can add/subtract bytes to/from a tampered file so as to produce the same checksum as the original.
If there are multiple types of hashes provided, eg, MD5, SHA1, SHA256 and SHA512, your confidence of the file's integrity improves if all the hashes match, and the file size is identical. That is, even if a particular hash algorithm (ie, method) allows 2 different files of the same size to end up with the same sequence of letters and numbers, it is less likely that those files also produce matching hashes for all the other algorithms.
Or to put it simply (in case the above paragraph has too much technobabble, making it difficult to understand), if a website provides many types of hashes for a file, and you can match them all with the file you downloaded, and it has the same size as the original, you have greater assurance that you have the same file as that listed on the website.
The commonly provided hashes have their own problems, in that they are known to have collisions, where different files can actually end up with the same hash. This is particularly so with MD5 and SHA1. That is why I said earlier that you have greater confidence if all the hashes match, since it is probably harder to create a tampered file that provides matching hashes for every single algorithm.
For all this checking to have any use at all, the site from which you get the hashes must be reliable and trustworthy. In addition, your connection to it must be secure. Otherwise you may be checking against hashes that have also been tampered with, giving you false confidence that your file is legitimate.
If the site from which you obtained the hashes is not accessed using "https://" (notice the "s"), but you reached it with a simple "http://", then your connection is definitely not secure. This increases the risk even more, since there is a chance that you are not really connected to the website you think you are accessing. Someone on the Internet (or on your WiFi connection or network) can substitute a fake website that seems to be at the correct address, but provide hashes for a tampered file.
A file with hashes that match the officially-published hashes means, at best, that you probably have the item intended by the author/distributor. It does not mean that it is not infected with malware. Remember that anyone's computers can get infected, even the people from whom you are getting the file, resulting in the files they distribute being infected. The hashes provided may have been generated unknowingly (or even knowingly) after those files were infected. You should always scan the file you obtain with an antivirus, and perhaps even upload it to one of the free online antivirus sites that scan using multiple antivirus programs.
How to Hash a File on Windows
Windows 7, 8, 8.1, 10 and 11 (I'm not sure about earlier versions) have a command-line program called certutil that can generate MD2, MD4, MD5, SHA1, SHA256, SHA384 and SHA512 hashes for a file.
Note that if you are intimidated by the thought of using a command-line program, and prefer to use a program sporting a graphical user interface, where you can just click buttons and the like, you will have to install a third party (ie, non-Microsoft) program. There are a few such tools listed on the Free MD5 Checksum or Hashing Utilities page. Although the latter is focused on MD5, some of the free tools it links to also support multiple types of hashes. I will not deal with such programs here, though, since it's outside the scope of this tutorial.
Copy or move your file to somewhere where you can easily access it, such as your desktop. If you are not familiar with working on the command line, copy or move the file to your desktop. This will help you with one of the steps below, since you can just use my instructions verbatim.
Open a command line prompt. To do this, click the Start menu button and type "cmd" (without the quotation marks). The words "Command Prompt" should appear at the top of the menu. Click it to run it.
You will see a black window with a title bar that says "Command Prompt", and a blinking text cursor just after words that say something like "c:\Users\christopherheng>" somewhere in the window. (The exact words will not be the same, since your Windows account name will probably be different from mine.)
Now navigate to the directory or folder where you have placed your file. If you have copied the file to your desktop as I suggested, type "cd desktop" (without the quotation marks) and hit the ENTER key. Otherwise, change directory by typing "cd " followed by the full path. If the previous sentence does not make sense to you (because it is filled with technical lingo), type "cd desktop" (without the quotation marks, and followed by the ENTER key) to go to your desktop, and copy your file to your desktop as I mentioned in the first step.
You can verify that your file is indeed in your new location by typing "dir" (without the quotation marks), followed by the ENTER key. This will list all the files and folders in that directory.
To get the MD5 hash for the file, type the command line in the box below, followed by the ENTER key. Change "filename.exe" to your file's actual name. This must be the full filename, including the suffix (or extension). Note that you may not be able to see the real full filename in Windows Explorer or your desktop, since Windows hides it by default. If so, either force Windows to show the full name, complete with file extension, or find out the name from the "dir" listing you did above. Enclose the name inside double quotation marks, especially if your filename contains spaces. (If you are not sure, just enclose it inside double quotation marks anyway. It will do no harm.)
certutil -hashfile "filename.exe" MD5
The command lines for the other types of hashes are:
certutil -hashfile "filename.exe" SHA1
certutil -hashfile "filename.exe" SHA256
certutil -hashfile "filename.exe" SHA512
The same pattern follows for the MD2, MD4 and SHA384 hashes, although you are unlikely to have to use those.
The program certutil will print the results on the screen when it has finished processing the file. If your file is very big, and your hard disk is slow, it may take some time to run, since it has to read every single byte of the file.
Compare the results with your source. Remember to compare the file size too. You can quickly get the file size from the command line (since you are already there), by typing the following (after substituting your actual file name in place of "filename.exe", of course), and hitting the ENTER key.
dir "filename.exe"
This gives you the actual file size in bytes, instead of the rounded up number you see in a typical Windows Explorer window.
When you are done hashing your file, close the Command Prompt window by typing "exit" followed by the ENTER key. Alternatively, you can also close it by clicking the "X" button on the top right corner of the window.
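The comparison described in the steps above can also be scripted with PowerShell, which is preinstalled on Windows as well. The following is an added example, not part of the original article: the function names, the file name and the size of 1234567 bytes are placeholders made up for illustration, and the two hashes are the article's own sample values.

```powershell
# Added example: run certutil for each published hash and compare the result,
# together with the exact file size in bytes. All function names are hypothetical.

function Get-CertutilHash([string]$File, [string]$Algorithm) {
    $output = & certutil.exe -hashfile $File $Algorithm
    if ($LASTEXITCODE -ne 0) { throw "certutil failed for ${Algorithm}: $output" }
    # The hash is the only output line that is pure hexadecimal once spaces
    # are removed (older Windows versions print the bytes separated by spaces).
    foreach ($line in $output) {
        $candidate = ($line -replace '\s', '').ToLower()
        if ($candidate -match '^[0-9a-f]{32,}$') { return $candidate }
    }
    throw "No hash found in certutil output for $Algorithm"
}

function Test-DownloadedFile([string]$Path, [long]$ExpectedSize, [hashtable]$ExpectedHashes) {
    $file = Get-Item -LiteralPath $Path
    $ok = ($file.Length -eq $ExpectedSize)
    if (-not $ok) {
        Write-Host "Size MISMATCH: got $($file.Length) bytes, expected $ExpectedSize"
    }
    foreach ($alg in $ExpectedHashes.Keys) {
        $actual = Get-CertutilHash $file.FullName $alg
        # Normalise the published value the same way: no spaces, lower case.
        $wanted = ($ExpectedHashes[$alg] -replace '\s', '').ToLower()
        if ($actual -eq $wanted) {
            Write-Host "$alg OK"
        } else {
            Write-Host "$alg MISMATCH: got $actual"
            $ok = $false
        }
    }
    return $ok   # True only if the size and every listed hash match
}

# Placeholder values: substitute the file name, size and hashes published by the site.
Test-DownloadedFile -Path "filename.exe" -ExpectedSize 1234567 -ExpectedHashes @{
    MD5  = "d597850f62c02287cd5a6869544b3e06"
    SHA1 = "21531996203e83575d5e61e861c147d687c57ed6"
}
```

Paste it into a PowerShell window opened in the folder that holds the file, or save it as a .ps1 script.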
Copyright © 2020-2023 by Christopher Heng. All rights reserved. Get more "How To" guides and tutorials from https://www.howtohaven.com/.
This article can be found at https://www.howtohaven.com/system/how-to-hash-file-on-windows.shtml