How to Verify Windows File Integrity with Hashes

As I write this, I am developing a skill (app) for Amazon’s Alexa voice service. A couple of days into the development I thought I’d accidently corrupted a critical file. Fortunately, I hadn’t, but it reminded me of the practice of discovering file changes by comparing file hash values against a baseline.

The basic idea is this: a script is used to compute hash values for the files of interest. First, a baseline is computed, then each day (or whenever) the hashes are recomputed and compared to the baseline. If the hash for a particular file has changed, then the file has changed.

For those unfamiliar with the concept of hash values, these are “unique” values associated with the content of a file. Any change in the file’s contents results in an unpredictable change in the hash value. We explain the process and have exercises in using hash values in Learning Tree’s system and network security introduction course. Gene Kim and Dr. Eugene Spafford of Purdue University developed a tool for using hash values to detect file changes in 1992. That open source tool has morphed into a commercial product, Tripwire.

Since I was doing the development work on my Windows desktop, I needed a Windows tool to compute the hashes.

Three Microsoft tools you can use for checking file integrity:

1. Sigcheck

Sigcheck is part of the Windows Sysinternals suite. From the Introduction: “Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains.” We are interested in the hash values. Here is the output for a copy of the Alexa Skills Kit interface I was using:

Sigcheck output 1

We are mostly interested in the SHA256 Hash. While one could use the shorter MD5 or SHA1, the SHA256 is longer (more bits) and stronger.

Now see what happens when I change the file by adding a blank line at the end.

Sigcheck output 2

Sigcheck can be downloaded from the link above.

2. Get-FileHash

Get-FileHash is a cmdlet for computing hash values for files. It uses SHA-256 by default.

Output of Get-FileHash

Note that the value is the same as the one computed by Sigcheck. Get-FileHash is included with PowerShell.

3. Microsoft File Checksum Integrity Verifier

The Microsoft File Checksum Integrity Verifier tool is another command line tool for computing hashes, but it only computes SHA-1 or MD5 hashes.

Checking File Integrity

Any of these tools would work for checking file integrity (that is, checking to see whether a file had changed or not). Sigcheck is perfect for my situation because it can descend into sub-directories and compute values for files there, too. Get-FileHash is a PS cmdlet so I could write (or maybe find) a tool to manage changes as I want.

Systems programmers for Windows may know that the operating system has a FileSystemWatcher class that can be used to notify a user about file or folder content or property changes in real time. I chose the hashes because I don’t want or need real time notifications and because I wanted something pre-built (and I wanted to write a post about hash-computing tools!).

You can use the tools I’ve mentioned or third-party tools to compute hashes of files. Continue the conversation by tweeting to me at @jjmcdermott and share what tool you use and any good experiences.

To your safe computing,
John McDermott

image sources

  • Hashes for Skills Kit: John McDermott
  • Hashes for Skills Kit Changed: John McDermott
  • Hash with Get-FileHash: John McDermott

Type to search blog.learningtree.com

Do you mean "" ?

Sorry, no results were found for your query.

Please check your spelling and try your search again.