Certutil – Verify a File Hash in Windows

Welcome back, and this is a quick post on something you should 100% be doing with everything you download. You should be verifying the file hash.

Let’s cover the basics first.

A file hash is basically the string of characters produced when a file is put through a hashing algorithm. There are many different algorithms: MD5, SHA1 and SHA256, to name a few.

In our example here we are going to download the new Kali Linux VirtualBox OVA file shown below. (Note that the hash is displayed alongside, and the heading tells us which hash algorithm was used.)

First we download the file and copy the hash into a text file for later. Make sure you check you have copied the whole hash, and that it is the correct hash for the file you are downloading.

Now we have our file and hash text file as below.

Now, while in this folder and without highlighting the 2 files, hold SHIFT and right-click. This will bring up a menu with “open powershell window here”, or “open cmd window here” if you are still on Windows 7. Select whichever option you have and the window should open.

Next we need to confirm the file names and location by simply running “dir” as shown.

Then from the same window we run our certutil command which hashes our ova file.

Let’s quickly break down the command.

certutil -hashfile

This is the tool we are using and the command instruction

.\kali-Linux-2018.2-vbox-amd64.ova

This is the file we wish to hash

sha256

This is the hashing algorithm we want it to use.

Obviously, if you don’t use the same algorithm the hashes won’t match and you won’t get an accurate result.

The idea is that you run the same algorithm and you should get the same result. If you don’t, it means that the file has been tampered with or changed and you should not use it.

Copy the hash created in our window above and paste it into our hash file we created earlier so we can compare the two.

Excellent! A perfect match. We can now go ahead and use our file.
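The comparison in the last two steps can also be scripted instead of done by eye; this is an added example, not part of the original post. It assumes PowerShell 3.0 or later and that the published hash was saved as hash.txt next to the download (the file name hash.txt and the function name Test-DownloadHash are made up for the example).

```powershell
# Added example: compare certutil's output with the hash saved from the download page.
# Assumption: the published hash was pasted into hash.txt (hypothetical file name).
function Test-DownloadHash {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [Parameter(Mandatory)] [string] $HashFilePath,
        [string] $Algorithm = 'SHA256'
    )

    # Expected hex length per algorithm, used to catch a partially copied hash.
    $length = @{ MD5 = 32; SHA1 = 40; SHA256 = 64 }[$Algorithm]
    if (-not $length) { throw "Unsupported algorithm: $Algorithm" }

    # certutil prints three lines: a header, the hash, and a completion message.
    $output = & certutil.exe -hashfile $FilePath $Algorithm
    if ($LASTEXITCODE -ne 0) {
        throw "certutil failed: $($output -join ' ')"
    }

    # Older Windows versions print the hash as space-separated byte pairs,
    # so strip all whitespace and lower-case it before comparing.
    $actual = ($output[1] -replace '\s', '').ToLowerInvariant()

    # Take the first hex run of the right length from the saved file. This ignores
    # stray newlines or a trailing file name copied along with the hash.
    $saved = Get-Content -Raw -Path $HashFilePath
    if ($saved -match "(?i)\b[0-9a-f]{$length}\b") {
        $expected = $Matches[0].ToLowerInvariant()
    } else {
        throw "No complete $Algorithm hash ($length hex characters) found in $HashFilePath"
    }

    [pscustomobject]@{
        File     = $FilePath
        Expected = $expected
        Actual   = $actual
        Match    = ($actual -eq $expected)
    }
}

$result = Test-DownloadHash -FilePath '.\kali-Linux-2018.2-vbox-amd64.ova' -HashFilePath '.\hash.txt'
$result | Format-List
if (-not $result.Match) { Write-Warning 'Hash mismatch: do not use this file.' }
```

Pass -Algorithm MD5 or -Algorithm SHA1 when the download page publishes one of those instead; the function refuses a saved hash that is shorter than the chosen algorithm produces.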

If a download has a hash file to check the integrity, please use it!