guides / windows
Verify a checksum on Windows
Two commands ship with every Windows machine that will hash a file: certutil and PowerShell's Get-FileHash. Here's each, step by step — and a no-terminal alternative.
Option 1: certutil (works in plain cmd)
Open a terminal — press Win+R, type cmd, hit Enter — and run:
certutil -hashfile C:\Users\you\Downloads\ubuntu.iso SHA256Swap in your file's real path (quote it if it contains spaces: "C:\My Files\app.exe"). The output looks like:
SHA256 hash of C:\Users\you\Downloads\ubuntu.iso:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CertUtil: -hashfile command completed successfully.
The middle line is your checksum. The algorithm name goes last and is written without a dash — SHA256, SHA1, MD5, SHA384 or SHA512.
Option 2: Get-FileHash (PowerShell)
Get-FileHash C:\Users\you\Downloads\ubuntu.isoSHA-256 is the default — add -Algorithm SHA512 or similar to change it. Get-FileHash prints uppercase; that's fine, hex case never matters. Its party trick is skipping the eyeball comparison entirely:
(Get-FileHash ubuntu.iso).Hash -eq "paste-the-published-hash-here"True means verified; False means stop and re-download.
Common trip-ups
- "The system cannot find the file specified" — the path is wrong or unquoted spaces broke it. Drag the file from Explorer into the terminal window to paste its full path.
- Comparing 64 characters by eye — don't. Use the
-eqtrick above, or paste both values into the in-browser checker and let it compare. - Wrong algorithm — a published hash that's 32 characters long is MD5, 40 is SHA-1, 64 is SHA-256. Match the command to what the site actually published.
Skip the terminal entirely
The verify tool does this whole page in one step: drop the file, paste the published hash, and it detects the algorithm and compares for you — locally in your browser, with nothing uploaded. It happily accepts certutil's spaced-out output format too, and the batch tool covers whole folders against a SHA256SUMS list. On another machine? Same steps for macOS and Linux.
questions
Which algorithms does certutil support?
MD5, SHA1, SHA256, SHA384 and SHA512 — pass the name as the last argument, without a dash: certutil -hashfile file.iso SHA256. It's been built into Windows since long before Windows 10, so there's nothing to install.
certutil or Get-FileHash — which should I use?
Either; same math. Get-FileHash is the PowerShell-native option, defaults to SHA-256, and is easier to script ((Get-FileHash f).Hash -eq "…" gives you a clean true/false). certutil works in plain cmd.
The output is uppercase but the website shows lowercase. Problem?
No — hex is case-insensitive. Get-FileHash prints uppercase, most download pages publish lowercase, and the values are identical. Compare ignoring case, or paste both into the verify tool, which handles it.
How do I avoid comparing 64 characters by eye?
In PowerShell: (Get-FileHash file.iso).Hash -eq "expected" prints True or False. Or drop the file into the in-browser checker and paste the expected hash — it compares every character for you.
Can I hash every file in a folder at once?
PowerShell: Get-ChildItem -File | Get-FileHash. To check them against a published list instead, the batch tool imports a SHA256SUMS file and shows per-file pass/fail.