How to verify the checksum of an installer file

One method of knowing if a downloaded program file is safe to install is to compare the file checksum (also called a hash) before running the executable.

Verifying the checksum of a file helps ensure the file was not corrupted during download, or modified by a malicious third-party before you downloaded it. If it was infected with malware or other malicious software after the checksum was originally calculated, you will discover the change when you calculate the new checksum.

The checksum is a long string of numbers that looks like this:

This hexadecimal number is unique to the installer .exe file created by the author. If anyone has altered or tampered with the file that you downloaded, the checksum will be different on your computer.

For maximum system security, always verify the checksum of any software you download from the Internet, before you run it.

How to check the checksum of a file in Windows

Many utilities can verify the checksum of a file in Windows. Below are our favorite options, the Checksum Calculator, an easy to use and compare checksum utility and the FCIV command line utility from Microsoft.

Checksum calculator

The Checksum Calculator is a free file checksum calculation utility that supports the most commonly used file checksum algorithms, such as md5, crc32, and sha1. The Checksum Calculator can also batch process multiple files and is an easy to understand and use Windows program.

Downloading and installing the checksum calculator

1. Download the Checksum Calculator.
2. Run the executable, checksumcalculator_setup.exe.
3. Follow the prompts to install the program.

Using the calculator

1. Open the Checksum Calculator if not already opened after the install.
2. Click the Browse next to the file box and browse to the file you want to check. In our example, we are checking the checksum of the windirstat1_1_2_setup.exe file.
3. Select the type of Checksum you are calculating. By default, the Checksum is set to MD5, in our example below we’ve set the value to SHA1.
4. Click the Calculate button.
5. After clicking Calculate, a result is shown in the Result box. To compare the values with what’s shown on the web page or documentation, copy and paste the checksum into the Compare box and click Verify. If both values match, you’ll see a message box indicating that the values are the same.

Using the Microsoft FCIV utility

Unfortunately, no version of Microsoft Windows comes pre-installed with a checksum utility, but Microsoft has released a command line command perform a checksum. In our example, we’ll be downloading, installing, and using the Microsoft FCIV (File Checksum Integrity Verifier) to check the WinDirStat installer file. WinDirStat is a great free utility for checking what files and folders are occupying space on your hard drive.

Downloading and installing Microsoft FCIV

1. Download FCIV from Microsoft.
2. Run the executable, Windows-KB841290-x86-ENU.exe.
3. Click Yes to accept the license agreement.
4. The installer asks where you would like to extract the files. It’s convenient to have it in the same place as the WinDirStat installer, so we recommend you extract it to your Downloads folder. Click Browse, highlight Downloads, and click OK.

1. Click OK to extract the files.
2. Click OK to close the installer.

If you copy the fciv.exe file into your C:\Windows directory, the command works from any directory or drive in the command prompt.

Using FCIV

1. FCIV is a command-line utility, so you need to run it from the Windows command prompt. Open a new command prompt window now. In Windows 10, you can find it under Start menu → Windows System → Command Prompt. You can also open it from the Run box if you press Win+R (hold down the Windows key on your keyboard and press R), type cmd, and press Enter .
2. Change to your Downloads directory or the directory containing fciv and the file you want to compare. At the command prompt, run:

1. The checksums provided on the WinDirStat use the SHA1 algorithm, so we need to use the -sha1 option when we run FCIV. For example, to verify windirstat1_1_2_setup.exe, use this command:

FCIV will spend a few moments calculating, and then provide output like this:

The checksum is the long hexadecimal number on the last line:

That hexadecimal number is the SHA1 checksum for your file. Check to make sure it matches the checksum on the WinDirStat website:

• See our fciv command page for further information about this command and its syntax and options.

How to check the checksum of a file in Linux

In Linux, the checksum of a file can be checked using one of the following command line commands depending on the checksum the author used for comparison.

• The MD5 checksum is verified using the md5sum command.
• An SHA224 checksum is checked using the sha224sum command.
• An SHA256 checksum is shown using the sha256sum command.
• An SHA384 checksum is shown using the sha384sum command.
• An SHA512 checksum is verified using the sha512sum command.

Availability and description of the File Checksum Integrity Verifier utility

Summary

The File Checksum Integrity Verifier (FCIV) is a command-prompt utility that computes and verifies cryptographic hash values of files. FCIV can compute MD5 or SHA-1 cryptographic hash values. These values can be displayed on the screen or saved in an XML file database for later use and verification.

INTRODUCTION

This article discusses the File Checksum Integrity Verifier (FCIV) utility.

Warning The Microsoft File Checksum Integrity Verifier (FCIV) utility is an unsupported command-line utility that computes MD5 or SHA1 cryptographic hashes for files. Microsoft does not provide support for this utility. Use this utility at your own risk. Microsoft Product Support Services (PSS) cannot answer questions about the File Checksum Integrity Verifier utility.

The File Checksum Integrity Verifier (FCIV) utility can generate MD5 or SHA-1 hash values for files to compare the values against a known good value. FCIV can compare hash values to make sure that the files have not been changed.

With the FCIV utility, you can also compute hashes of all your critical files and save the values in an XML file database. If you suspect that your computer may have been compromised, and important files have been changed, you can run a verification of the file system files against the XML database to determine which files have been modified.

The FCIV utility runs on Microsoft Windows 2000, Windows XP, and Windows Server 2003.

The FCIV utility has the following features:

Supports MD5 or SHA1 hash algorithms (The default is MD5.)

Can output hash values to the console or store the hash value and file name in an XML file

Can recursively generate hash values for all files in a directory and in all subdirectories (for example, fciv.exe c:\ -r)

Supplies an exception list to specify files or directories to hash

Can store hash values for a file with or without the full path of the file

To obtain the FCIV utility, follow these steps:

In Windows Explorer, create a new folder that is named FCIV.

The following file is available for download from the Microsoft Download Center:

Download the File Checksum Integrity Verifier utility package now.
Release Date: May 17, 2004

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

In the File Download dialog box, click Save, and then save the file to the FCIV folder that you created in step 1.

When the download is completed, click Close.

In the FCIV folder, double-click Windows-KB841290-x86-ENU.exe.

Click Yes to accept the license agreement.

Click Browse, click the FCIV folder, and then click OK.

Click OK to extract the files.

When the file extraction is completed, click OK.

Add the FCIV folder to the system path.

To start a command prompt, click Start, click Run, type cmd in the Open box, and then click OK.

Type fciv.exe /?, and then press ENTER.

Note If FCIV was installed to the C:\FCIV directory, type set path=%path%;c:\fciv to add it to the system path in a command shell.

Syntax

Commands

-add file | dir: Compute the hash and send it to an output device (default screen). The dir parameter has the following options:

-type: Specify file type. For example, -type *.exe.

-exc file: Do not compute these directories.

-wp: Do not store the full path name. (By default, FCIV stores the full path name.)

-bp: Remove the base path from the path name of each entry.

-list: List entries in the database.

-v: Verify hashes. The -v option has the following option:

-bp: Remove the base path from the path name of each entry.

-?, -h, or -help: Open extended help.

Options

-md5, -sha1, or -both: Specify hash type. (By default, MCIV uses -md5.)

-xml db: Specify database format and name.

Note When you use the -v option to verify a hash, FCIV also sends a return error code to indicate whether a hash is verified. A zero (0) indicates success, and a 1 indicates failure. With the return error code, you can use FCIV in automated scripts to verify hashes.

Example usage

To display the MD5 hash of a file, type the following command at a command prompt:

fciv.exe filename Note filename is the name of the file.

To compute a hash of a file, type a command line that is similar to any one of the following command lines:

fciv.exe c:\mydir\ myfile.dll

fciv.exe c:\ -r -exc exceptions.txt -sha1 -xml dbsha.xml

fciv.exe c:\ mydir -type *.exe

fciv.exe c:\ mydir -wp -both -xml db.xml

To list the hashes that are stored in a database, type a command line that is similar to the following command line:

fciv.exe -list -sha1 -xml db.xml

To verify a hash in a file, type a command line that is similar to any one of the following command lines:

fciv.exe -v -sha1 -xml db.xml

fciv.exe -v -bp c:\ mydir -sha1 -xml db.xml

The File Checksum Integrity Verifier (FCIV) utility can store entries in an XML database file. When FCIV is configured to store hash values in an XML database file, the hexadecimal hash values are stored in base64 encoded format. When you view the XML database directly, the base64 encoded representation of the hash value does not visually match the hexadecimal value that the console displays. FCIV decodes the base64 encoded hashes when it displays the contents of the database to the screen. Therefore, it displays the correct hexadecimal value.

The following example shows how FCIV computes the MD5 hash value for Ntdll.dll and displays it at the command prompt:

Here is the hash value for the same file that is base64 encoded and stored in an XML file by using the following command:

C:\WINDOWS\system32>fciv -add ntdll.dll -xml c:\temp\ntdll.xml

Here is the value that appears in the XML file that uses FCIV to list the contents.

Note It matches the value that was computed in the first example.

How to generate and verify hash values for a Microsoft Download

Download the file to a temporary directory (such as C:\Temp).

To extract the contents of the file, use the /x switch. Specify an output directory for the extracted files when you are prompted (such as C:\Temp\Files).

You can also use the /extract switch to extract the files without starting Setup.

For additional information about the /extract switch, click the following article number to view the article in the Microsoft Knowledge Base:

262841 Command-Line switches for Windows software update packages
The security update may be an IExpress package. If it is, see the following article in the Microsoft Knowledge Base about how to extract an IExpress package:

197147 Command-line switches for IExpress software update packages

To create a database for a single file and to save it to the C:\Temp directory, type the following command:

fciv.exe -add c:\temp\files\ filename.dll -wp c:\temp\files -XML c:\temp\ filename.XML

To verify the contents of the XML database against an installed file, type the following command:

fciv.exe -v -bp c:\installeddirectory -XML c:\temp\filename.XML Note installeddirectory is the location of the installed file.

Note When you use the -v option to verify a hash, FCIV also provides a return error code to indicate success (0) or failure (1) to verify a hash. Because of the return error code, you can use FCIV in automated scripts to verify hashes.

FCIV will confirm at the console if the hash values for the file matches the values that are stored in the XML database.

How to verify the hash values for the files in the Windows directory and in all sub-directories

You can also build a hash database of your sensitive files and verify them regularly.

To create the database and to save it to the C:\Temp directory, type the following command:

fciv.exe -add %systemroot% -r -XML c:\temp\windows-hashes.XML

To list the contents of the database to the console, type the following command:

fciv.exe -list -XML c:\temp\windows-hashes.XML

To verify the contents of the XML database against the current file system files, type the following command: