Windows: MD5/SHA256 CheckSum – Built-In Utility

In Windows you can make a checksum of a file without installing any additional software.

For this you can use the certUtil – built-in command-line utility that works both in Windows CMD and Powershell.

In this note i will show the examples of how to make md5sum and sha256sum of a file in Windows from the command line.

Cool Tip: zip and unzip from the command line in Windows! Read more →

MD5/SHA256 CheckSum in Windows

Checksum a file in Windows using the built-in certUtil command-line utility:

C:\> certUtil -hashfile <PATH_TO_FILE> <HASH_ALGORITHM>

MD5 checksum example (md5sum):

C:\> certUtil -hashfile C:\file.img MD5

SHA256 checksum example (sha256sum):

C:\> certUtil -hashfile C:\file.img SHA256

Get only hash value:

# Windows CMD:
C:\> CertUtil -hashfile C:\file.img MD5 | findstr /v "hash"

# Windows PowerShell:
PS C:\> $(CertUtil -hashfile C:\file.img MD5)[1] -replace " ",""

Available hash algorithms:

MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512

Hash Algorithms: Note that on Windows 7, the hash algorithms are case-sensitive. Be sure to type, for example, not “md5” but “MD5”. In the subsequent versions of Windows the case doesn’t matter.

Get help:

C:\> certutil -hashfile -?

9 Replies to “Windows: MD5/SHA256 CheckSum – Built-In Utility”

  1. I am getting the following errors:
    A)
    (what I typed or part of it) is not recognized as an internal or external command, operable program or batch file

    B)
    The filename, directory name, or volume label syntax is incorrect.

  2. are you using unc paths? depending on the windows version you mean need to put the locations within ” or ‘ brackets

  3. Thanks for the info it worked for me.

  4. If this registry is used, you will have it as shell extension:
    Windows Registry Editor Version 5.00
    [HKEY_CLASSES_ROOT\*\shell\Certutil md5sum]
    [HKEY_CLASSES_ROOT\*\shell\Certutil md5sum\command]
    @=”cmd /k certutil -hashfile %1 md5″

    [HKEY_CLASSES_ROOT\*\shell\Certutil SHA1sum]
    [HKEY_CLASSES_ROOT\*\shell\Certutil SHA1sum\command]
    @=”cmd /k certutil -hashfile %1 SHA1″

    [HKEY_CLASSES_ROOT\*\shell\Certutil SHA256sum]
    [HKEY_CLASSES_ROOT\*\shell\Certutil SHA256sum\command]
    @=”cmd /k certutil -hashfile %1 SHA256″

  5. worked great, awesome, thank you!!

  6. Here’s a script I wrote that takes the information in this article and shows or checks the checksum. The remarks at the top show how to use the script, and there is also a usage prompt if no parameter is provided or the first parameter is a file that doesn’t exist.

    @echo off
    
    REM ============================================================
    REM =
    REM =  Author:  Eric C. Berlin MIS 
    REM =    Date:  7:16 PM 1/2/2021
    REM = Version:  1.0
    REM =  Script:  checkhash.cmd
    REM =  Source:  https://www.shellhacks.com/windows-md5-sha256-checksum-built-in-utility/
    REM =
    REM ============================================================
    REM =
    REM = This script has three parameters.  The first is required and the second
    REM = and third are figured out contextually.  The first parameter is the file
    REM = to check hash(es) on.
    REM =
    REM = If the second parameter matches an available hash method, it is used
    REM = as the hash method to check.  If the third parameter is also provided,
    REM = it is compared to the computed hash, and a success/fail message
    REM = is displayed.
    REM =
    REM = If the second parameter IS NOT an available hash method, it is used as
    REM = a hash to verify against the file and all available hashes are used.
    REM = When done, a success/fail message is displayed.
    REM =
    REM = If the second parameter IS NOT PROVIDED, all available hashes are
    REM = displayed.
    REM =
    REM ============================================================
    
    REM -- INITIALIZATION
    setlocal ENABLEEXTENSIONS ENABLEDELAYEDEXPANSION
    set hashes=MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512
    set file="%~1"
    set hashcheck=%~2
    if "%~2" == "" set hashcheck=none
    set match=n
    set hashmethod=none
    set hashfound=none
    set method=checkall
    
    REM ============================================================
    
    REM -- IF NO PARAMTERS PROVIDED OR FILE DOES NOT EXIST, DISPLAY USAGE
    if not exist !file! (
    	cls
    	echo USAGE: %~n0 FILE [HASH [CHECK]]
    	echo
    	echo OPTION 1:
    	echo If only the file is specified, all available hashes will be displayed.
    	echo OPTION 2:
    	echo if FILE and HASH are specified, the hash will be compared to all available
    	echo hashes and a success/fail message will indicate if a match was found.
    	echo OPTION 3:
    	echo This is like option 2 except that HASH is one of the available hashes
    	echo and is validated against CHECK, if provided.
    )
    
    REM ============================================================
    
    REM -- CHECK IF PARAMETER 2 IS A HASH METHOD AND INITIALIZE
    for %%f in (%hashes%) do (
    	if /i %%f == !hashcheck! (
    		set hashmethod=%%f
    		set method=checkone
    		if "%~3" == "" (
    			set hashcheck=none
    		) else (
    			set hashcheck=%~3
    		)
    	)
    )
    
    REM ============================================================
    
    REM -- IF NO HASH METHOD WAS PROVIDED, CHECK ALL HASHES
    if !method! == checkall (
    	cls
    	echo Checking !file! against all hashes %hashes%...
    	for %%f in (%hashes%) do (
    		for /f "tokens=*" %%g in ('certUtil -hashfile !file! %%f ^| findstr /v "hash"') do (
    			REM -- This check will not return anything if hashcheck == none.
    			if /i "%%~g" == "!hashcheck!" (
    				set match=y
    				set hashmethod=%%f
    				set hashfound=%%g
    			)
    			echo %%~f=%%~g
    			echo.
    		)
    	)
    
    	REM -- The success and failure messages are only displayed if hashcheck != none.
    	if !match! == y (
    		echo The file !file! matched
    		echo !hashmethod! !hashfound!.
    	) else (
    		if not !hashcheck! == none (
    			echo The file !file! hash
    			echo did not match any of the calculated
    			echo %hashes%
    			echo hashes.
    		)
    	)
    )
    
    REM ============================================================
    
    REM -- If a hash method is supplied, this is used.
    if !method! == checkone (
    	cls
    	echo Checking !file! against hash method !hashmethod!...
    	for /f "tokens=*" %%g in ('certUtil -hashfile !file! !hashmethod! ^| findstr /v "hash"') do (
    		REM -- This check will not return anything if hashcheck == none.
    		if "%%~g" == "!hashcheck!" (
    			set match=y
    			set hashfound=%%g
    		)
    		echo !hashmethod!=%%~g
    		echo.
    	)
    
    	REM -- The success and failure messages are only displayed if hashcheck != none.
    	if !match! == y (
    		echo The file !file! matched
    		echo !hashmethod! !hashfound!.
    	) else (
    		if not !hashcheck! == none (
    			echo The file !file! hash
    			echo did not match any of the calculated
    			echo %hashes%
    			echo hashes.
    		)
    	)
    )
    
    REM -- Not required since this is the end of the script, but there
    REM -- for completeness.
    endlocal
    
  7. @Eric C Berlin Thank you for your effort to help (at 2:31am!). But I’m afraid you have made the same assumptions and/or mistakes as EVERY other teckie-trying-to-help-non-teckies that I’ve encountered over the years. That is, you talk amongst yourselves NOT to us “uninitiated”. I have used Unix terminal some and tried to use MSwhatthe f–k but always hit the same wall: the instructions assume the user already knows how to do whatever and just needs a little clarification; i.e.: teckie talk to teckie. In addition many of the “suggestions” for what to enter into a terminal are not proofread and usually don’t work because of a typo -some I’ve found most I’ve wasted time with. I do not know that about your instructions , only that they don’t work for me. MS Help is as useful as an ice-cube in hell. Unix/Linx is better but overall the tech sphere does a good job repelling anyone who wants to learn a bit at a time rather than becoming a programmer. What is one to do about the “REMark – initialization” are those commands?, are they “set” in some other folder? what? Anyway, thanks for trying.

  8. Ther is a logic problem with the script. When I run it without any args, it does not display useage. Please check your script.

  9. minor error on line #45. fix it and you will get “help” screen:

    42  REM ============================================================
        43
        44  REM -- IF NO PARAMTERS PROVIDED OR FILE DOES NOT EXIST, DISPLAY USAGE
        45  if not exist %file% (
        46          cls
    

Leave a Reply