guides / windows

Verify a checksum on Windows

Two commands ship with every Windows machine that will hash a file: certutil and PowerShell's Get-FileHash. Here's each, step by step — and a no-terminal alternative.

Option 1: certutil (works in plain cmd)

Open a terminal — press Win+R, type cmd, hit Enter — and run:

certutil -hashfile C:\Users\you\Downloads\ubuntu.iso SHA256

Swap in your file's real path (quote it if it contains spaces: "C:\My Files\app.exe"). The output looks like:

SHA256 hash of C:\Users\you\Downloads\ubuntu.iso:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CertUtil: -hashfile command completed successfully.

The middle line is your checksum. The algorithm name goes last and is written without a dash — SHA256, SHA1, MD5, SHA384 or SHA512.

Option 2: Get-FileHash (PowerShell)

Get-FileHash C:\Users\you\Downloads\ubuntu.iso

SHA-256 is the default — add -Algorithm SHA512 or similar to change it. Get-FileHash prints uppercase; that's fine, hex case never matters. Its party trick is skipping the eyeball comparison entirely:

(Get-FileHash ubuntu.iso).Hash -eq "paste-the-published-hash-here"

True means verified; False means stop and re-download.

Common trip-ups

Skip the terminal entirely

The verify tool does this whole page in one step: drop the file, paste the published hash, and it detects the algorithm and compares for you — locally in your browser, with nothing uploaded. It happily accepts certutil's spaced-out output format too, and the batch tool covers whole folders against a SHA256SUMS list. On another machine? Same steps for macOS and Linux.

questions

Which algorithms does certutil support?

MD5, SHA1, SHA256, SHA384 and SHA512 — pass the name as the last argument, without a dash: certutil -hashfile file.iso SHA256. It's been built into Windows since long before Windows 10, so there's nothing to install.

certutil or Get-FileHash — which should I use?

Either; same math. Get-FileHash is the PowerShell-native option, defaults to SHA-256, and is easier to script ((Get-FileHash f).Hash -eq "…" gives you a clean true/false). certutil works in plain cmd.

The output is uppercase but the website shows lowercase. Problem?

No — hex is case-insensitive. Get-FileHash prints uppercase, most download pages publish lowercase, and the values are identical. Compare ignoring case, or paste both into the verify tool, which handles it.

How do I avoid comparing 64 characters by eye?

In PowerShell: (Get-FileHash file.iso).Hash -eq "expected" prints True or False. Or drop the file into the in-browser checker and paste the expected hash — it compares every character for you.

Can I hash every file in a folder at once?

PowerShell: Get-ChildItem -File | Get-FileHash. To check them against a published list instead, the batch tool imports a SHA256SUMS file and shows per-file pass/fail.