How to verify MD5, SHA-1 and SHA-256 checksums in Windows

If you have just downloaded a file from the Internet, you may want to verify that the downloaded file has not been tampered with. After all, who knows what nefarious things a hacker might have done? By checking the file's MD5, SHA-1, or SHA-256 checksum, you can verify the file's integrity and make sure it hasn't been corrupted or altered.

What is Checksum?

A checksum is a short, unique string that comes from running an encryption algorithm on a given file. The algorithm looks at all the bits that make up a file and, based on those unique bits, generates a checksum.

This checksum will change if even one bit in the file changes. By comparing two checksums, you can make sure your file is not corrupted or modified. It's a useful way to protect against file corruption or malicious interference with your downloads.

The most commonly used algorithms for checksums in MD5, SHA-1 and SHA-256 are also available and are based on cryptographically secure algorithms. If you can choose, use SHA-256.

How to use a checksum?

To use the checksum, you first need to know what the checksum of a given file is. This will have to be provided to you by the same source that downloaded the file.

Run your downloaded file through the same checksum algorithm using one of the tools below. Once you've done that, compare the two strings. If the strings match, the file is unchanged. If the strings do not match, it means that your file is different from the original file.

Verify the checksum with a third-party tool

The best way to run checksums in Windows is to use a tool called MD5 & SHA Checksum Utility. It will calculate the MD5, SHA-1 and SHA-256 checksums for a given file simultaneously and allow you to compare your results with the data provided.

1. Download MD5 & SHA Checksum Utility.

2. Double-click the downloaded file to launch the program. You may be prompted to download the .NET Framework 3.5 that the application needs to run correctly. Click Download and install this feature to continue.

3. Click the Browse button to select the file you want to check.

4. Determine the checksum provided for the downloaded file. Not all downloaded files have a checksum available, but open source or highly security conscious developers will frequently provide checksums. Copy that checksum to the clipboard, then click the Paste button in the MD5 & SHA Checksum Utility.

5. Click Verify to verify your checksum. If the checksum is the same as the checksum calculated by the application, you will receive a success message. This means that the file you have is the same as the file that was checked before.

6. If the checksum is different, you will get an error message. This means that the file has changed in some way since the last checksum was calculated.

Verify checksum in File Explorer

If you regularly verify checksums, you might be interested in OpenHashTab. The application will install an additional tab in the Properties window of the File Explorer. Thanks to being embedded in Explorer, OpenHashTab can calculate checksums in place without requiring a separate application. By default, it calculates MD5, SHA-1, SHA-256 and SHA-512 hashes. Additional hashing algorithms can be enabled in OpenHashTab's settings.

Note : If you don't like OpenHashTag, try HashCheck, it works similarly.

1. Download and install OpenHashTab from GitHub.

2. Right click on the file you want to run the checksum and select Properties from the context menu.

3. Click the tab labeled Hashes at the top of the window to see the MD5, SHA-1, SHA-256, and SHA-512 hash functions for the file you selected.

4. Copy and paste the checksum you want to compare into the Check Against dialog box.

5. If you check the hash, you'll see the matching algorithm (in this case MD5) and the filename below the Check against box. Otherwise, you will see the message No match found .

Verify checksums in Windows with Certutil

If you don't want to download anything, use Windows Command Prompt or Terminal to verify the checksum using the certutil command.

1. Open Command Prompt. Press Win + R , type cmd.exe and click OK or open Start and search for 'command prompt' .

2. Use the cd command to navigate to the directory where your downloaded file is located. By default, this is usually the Downloads folder , but some people download files to their computer. A quick way to get the path is to right-click on the file and choose Copy Path. Copy this to the Command Prompt.

cd filepath

3. Enter the following command with your filename:

certutil -hashfile filename MD5

4. The MD5 value will appear below the command. Compare this number with the hash checksum value you get with your downloaded file. When using this certutil command, you would normally just copy the value into Notepad and verify it manually after running the utility.

5. Although using MD5 as an example, this utility also supports MD2, MD4, MD5, SHA1, SHA256, SHA384 and SHA512.

Lesley Montoya

Update 27 June 2023