If you’ve just downloaded a file from the Internet, you may want to verify that the downloaded file hasn’t been tampered with. After all, who knows what kind of nefarious fiddling a hacker might have been up to? By checking the MD5, SHA-1 or SHA-256 checksum of a file, you can verify its integrity and ensure the file hasn’t been corrupted or changed.
What’s a Checksum?
A checksum is a short string, effectively unique to a file’s contents, that results from running a hash algorithm on the file. The algorithm looks at all the bits that make up a file and, based on those bits, creates a checksum.
This checksum will change if even a single bit in the file changes. By comparing two checksums, you can make sure your file hasn’t been damaged or modified. It’s a useful way to defend against file corruption or malicious interference in your downloads.
The most commonly used algorithm for checksums is MD5. SHA-1 and SHA-256 are also available and are based on cryptographically secure algorithms. If you can choose from among the three, use SHA-256, since practical collision attacks have been demonstrated against both MD5 and SHA-1.
How Do You Use a Checksum?
To use a checksum, you’ll first need to know what a given file’s checksum is. This will have to be provided to you by the same source that provided the file.
Run your downloaded file through the same checksum algorithm using one of the tools below. Once you’ve done that, compare the two strings. If the strings match, the file hasn’t changed. If the strings don’t match, something about your file is different from the original file.
Verify Checksums with Third-Party Tool
The best way to run checksums in Windows is with a tool called MD5 & SHA Checksum Utility. It will calculate the MD5, SHA-1 and SHA-256 checksums for a given file simultaneously and allow you to compare your result against the provided data.
- Download MD5 & SHA Checksum Utility from Softpedia (where the developer hosts the file).
- Double-click the downloaded file to launch the program. You may be prompted to download .NET Framework 3.5, which the app needs to run correctly. Click “Download and install this feature” to continue.
- Click the “Browse” button to select the file you want to check.
- Locate the provided checksum for your downloaded file. Not all downloaded files have checksums available, but open-source or security-conscious developers will frequently provide a checksum. Copy that checksum to the clipboard, then click the “Paste” button in the MD5 & SHA Checksum Utility.
- Click “Verify” to verify your checksum. If the checksum is the same as the checksum the application calculated, you’ll receive a success message. This means that the file you have is identical to the file that was previously checked.
- If the checksum is different, you’ll get an error message. This means the file has somehow changed since the last checksum was calculated.
Verify Checksums within File Explorer
If you verify checksums frequently, you might be interested in OpenHashTab. The application installs an additional tab in the “Properties” window of File Explorer. Thanks to being embedded in Explorer, OpenHashTab can calculate checksums in place without requiring a separate application. By default, it calculates MD5, SHA-1, SHA-256, and SHA-512 hash values. Additional hashing algorithms can be enabled in OpenHashTab’s settings.
Note: if you find that you don’t like OpenHashTab, try HashCheck, which works similarly.
- Download and install OpenHashTab from GitHub.
- Right-click on the file you want to run a checksum against and choose “Properties” from the context menu.
- Click the tab labeled “Hashes” at the top of the window to see the MD5, SHA-1, SHA-256, and SHA-512 hashes for the file you selected.
- Copy and paste the checksum you want to compare against in the “Check Against” dialog box.
- If the hash checks out, you’ll see the algorithm that matched (in this case MD5) and the file name underneath the “Check against” box. If it doesn’t check out, you’ll see “No match found.”
Verify Checksums in Windows with Certutil
If you’d prefer not to download anything, use the Windows Command Prompt or Terminal to verify the checksum by using the certutil command.
- Open Command Prompt. Either press Win + R, type cmd.exe, and click “OK” or open Start and search for “command prompt.”
- Use the cd command to navigate to the directory your downloaded file is in. By default, this is usually the “Downloads” folder, but some people download files to the desktop. A quick way to get the path is to right-click your file and select “Copy Path.” Copy this into the Command Prompt without the quotes or the file name itself.
cd filepath
- Enter the following command using your file name:
certutil -hashfile filename MD5
- The MD5 value will appear below the command. Compare this number with the checksum hash value you received with your downloaded file. When using this certutil command, you’ll usually just copy the value to Notepad and manually verify after running the utility.
- While we’ve used MD5 as an example, this utility also supports MD2, MD4, MD5, SHA1, SHA256, SHA384, and SHA512.
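The manual copy-and-compare step above can be scripted. The following is an added example, not part of the original tutorial: it uses PowerShell's built-in Get-FileHash cmdlet instead of certutil, and the function name Test-FileChecksum, the temporary file and its contents are constructed for illustration.

```powershell
# Compare a file's hash with the checksum published by the download source.
function Test-FileChecksum {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Expected
    )

    # Normalize the published value: drop whitespace (older certutil builds
    # print the hash as space-separated byte pairs) and ignore letter case.
    $want = ($Expected -replace '\s', '').ToUpperInvariant()
    if ($want -notmatch '^[0-9A-F]+$') {
        throw 'Expected checksum is not a hexadecimal string.'
    }

    # Infer the algorithm from the digest length in hex characters.
    $algorithm = switch ($want.Length) {
        32      { 'MD5' }
        40      { 'SHA1' }
        64      { 'SHA256' }
        96      { 'SHA384' }
        128     { 'SHA512' }
        default { throw "Unrecognized checksum length: $($want.Length) hex characters." }
    }
    if ($algorithm -in 'MD5', 'SHA1') {
        Write-Warning "$algorithm catches accidental corruption but is not collision resistant; prefer SHA256 if the source publishes it."
    }

    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $algorithm).Hash
    [pscustomobject]@{
        Path      = $Path
        Algorithm = $algorithm
        Expected  = $want
        Actual    = $actual
        Match     = ($actual -eq $want)
    }
}

# Constructed sample so the example runs offline: a temp file with known content.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'checksum-demo.txt'
[IO.File]::WriteAllText($sample, 'hello')
# SHA-256 of the five ASCII bytes "hello", standing in for a published checksum.
$published = '2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824'
Test-FileChecksum -Path $sample -Expected $published
# Same value with its first digit altered, standing in for a mismatch.
Test-FileChecksum -Path $sample -Expected ($published -replace '^2', '3')
Remove-Item -LiteralPath $sample
```

For a real download, pass the file's path and the checksum string copied from the developer's site; a Match value of False means the file differs from the one the checksum was calculated for.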
Frequently Asked Questions
Why can't I find a checksum to verify?
Many developers simply don’t create one. If you can’t find it on the developer’s site, odds are one doesn’t exist. Even on sites where one does exist, you’ll need to scroll for a while to find it.
For many Windows executable files, the verification is built in. An embedded certificate allows Microsoft to verify the file is legitimate and signed software before it installs on your device. This is why you sometimes get warnings about installing unsigned software.
You can still install unsigned files and those without a hash to verify. For instance, many drivers are unsigned files but still necessary for your hardware to work.
Ideally, only download from sites you trust and always check the site with VirusTotal first. It’s also a good idea to run the downloaded file through your antivirus before installing it. Windows Defender works well, too.
Can malicious files ever match the checksum?
Yes. If hackers are able to replace the original file with a malicious file and also edit the checksum on the site, then the checksum would match. Often, hackers don’t go this far, especially if they don’t notice the developer has provided a way for users to verify the integrity of the file.
While verifying the checksum is one way to help protect yourself, don’t rely on it as your only line of defense. Always double-check downloaded files with your antivirus app too.
If a developer releases a new version of an app or file, do I need to verify again?
Yes. Even the smallest change to a file leads to a different checksum. Always check every new file download, even if it’s just an upgraded version.
Image credit: Wikimedia Commons. All screenshots by Crystal Crowder.