How to verify MD5, SHA1, and SHA256 Checksum on Windows

If you ever need to verify the hash sum, or checksum, of a piece of software on Windows, here is a quick and easy way to do it:

  1. Download and run Raymond’s MD5 & SHA Checksum Utility (Download)
  2. Click “File”, browse to the file you want to verify, and select it.
  3. The utility will automatically run the file through the MD5, SHA-1, and SHA-256 cryptographic hash functions and display the resulting checksums for you.

You can give it a try by verifying the program’s own checksum. Just browse to the checksum utility, select it, and have it check itself:

Windows Checksum Utility


As you can see above, the checksums match the checksum distributed by the software developer (version 2.0 of the utility). You can either manually eyeball the strings to verify, or you can copy and paste a checksum string provided by the developer into the hash box and verify.

You should run this type of verification on all software downloads. Checksum verification works on zip files, executables, iso downloads, or any other type of file.

If you are a command line fan, Microsoft has their own unsupported command line checksum utility.

Why should you verify a checksum in the first place?

Verify the checksum so you don’t deploy malware-ridden software!

A malware distributor would have no problem injecting his own hidden code into a free piece of software. He would then release it into the wild for unsuspecting individuals to use and distribute.

Even if you downloaded your software from a “reputable” 3rd party site, there is a chance that the site owners didn’t verify the checksum and are unknowingly distributing a tainted version of the software. Always verify.

There is also a chance that your download is simply corrupt. It sometimes happens. The same integrity verification functions will pick up on those changes just as they pick up on malware.

How does a checksum work?

A checksum is a hash value that’s created and distributed by the software creator. They obtain this hash by running their program through one or several cryptographic hash functions right at release. These hash functions scan the program’s contents and hash them into a short, readable “checksum” string. If a 3rd party were to take this same piece of software and alter the underlying code, even if only by a small amount, the hash functions will pick up on the changes and generate a completely different checksum string. No matter how hard a malware distributor tries, he could never taint a program without affecting the checksum. His only hope is that his victims will not verify the checksum and skip straight to installation.
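For the command-line route, and to see the "small change, completely different checksum" behaviour described above, here is an added PowerShell example (not part of the original post or of the utility) built on the built-in `Get-FileHash` cmdlet. `Test-FileChecksum` is a hypothetical helper name, and the sample file and its three digests are constructed from the standard "abc" test vectors.

```powershell
# Added example. Test-FileChecksum is a hypothetical helper, not a built-in cmdlet.
function Test-FileChecksum {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Expected
    )
    # Strip whitespace that tends to come along when copying from a web page.
    $want = ($Expected -replace '\s', '').ToUpperInvariant()
    if ($want -notmatch '^[0-9A-F]+$') { throw "Checksum is not a hex string." }

    # Infer the algorithm from the digest length in hex characters.
    $algorithm = switch ($want.Length) {
        32 { 'MD5' }
        40 { 'SHA1' }
        64 { 'SHA256' }
        default { throw "Unsupported checksum length: $($want.Length) hex characters." }
    }

    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $algorithm).Hash
    [pscustomobject]@{
        Algorithm = $algorithm
        Expected  = $want
        Actual    = $actual
        Match     = ($actual -eq $want)
    }
}

# Constructed sample: a 3-byte file containing "abc" (standard hash test vector).
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'checksum-demo.bin'
[System.IO.File]::WriteAllBytes($sample, [System.Text.Encoding]::ASCII.GetBytes('abc'))

# Stand-ins for the values a developer would publish next to the download.
$published = @(
    '900150983cd24fb0d6963f7d28e17f72',
    'a9993e364706816aba3e25717850c26c9cd0d89d',
    'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad'
)
$published | ForEach-Object { Test-FileChecksum -Path $sample -Expected $_ } |
    Format-Table Algorithm, Match, Actual

# Alter a single byte of the file and re-check against the same published values.
[System.IO.File]::WriteAllBytes($sample, [System.Text.Encoding]::ASCII.GetBytes('abd'))
$published | ForEach-Object { Test-FileChecksum -Path $sample -Expected $_ } |
    Format-Table Algorithm, Match, Actual

Remove-Item -LiteralPath $sample
```

When a publisher offers several checksums, check the SHA-256 value, since practical collisions are known for MD5 and SHA-1. Take the published value from the developer's own site rather than from the mirror that served the file.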

8 thoughts on “How to verify MD5, SHA1, and SHA256 Checksum on Windows”

  1. I want to thank you for this program. It’s the easiest I have found. I tested it with Avidemux download 32-bit and 64-bit. It indicated the 32-bit was ok but the 64-bit was tampered with. Another download site said same to validate what your check sum program said.

    You gave me an education and appreciation for what you created and that is the best thing. Again thanks!

  2. You can also use the Windows built in tool using the following commands:

    certutil -hashfile <filename> MD5
    certutil -hashfile <filename> SHA256

  3. Thank you a lot!
    I was looking for a program to verify a lot of files encrypted with SHA256.
    My checksums are in a txt file, but I will not find a better program I guess and this one is good enough 🙂
