91

I'm on a Windows machine and I want to run a checksum on the MySQL distribution I just got. It looks like there are products to download, an unsupported Microsoft tool, and probably other options. I'm wondering if there is a consensus for the best tool to use. This may be a really easy question, I've just never run a checksum routine before.

Bialecki
  • 30,061
  • 36
  • 87
  • 109
  • 2
    Also discussed on SuperUser: http://superuser.com/questions/245775/is-there-a-built-in-checksum-utility-on-windows-7 –  Feb 16 '16 at 22:50

20 Answers20

258

The CertUtil is a pre-installed Windows utility, that can be used to generate hash checksums:

CertUtil -hashfile pathToFileToCheck [HashAlgorithm]

HashAlgorithm choices: MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512

So for example, the following generates an MD5 checksum for the file C:\TEMP\MyDataFile.img:

CertUtil -hashfile C:\TEMP\MyDataFile.img MD5

To get output similar to *Nix systems you can add some PS magic:

$(CertUtil -hashfile C:\TEMP\MyDataFile.img MD5)[1] -replace " ",""
Cristian Ciupitu
  • 20,270
  • 7
  • 50
  • 76
Laisvis Lingvevicius
  • 2,581
  • 2
  • 12
  • 2
  • 1
    This is a much easier choice than FCIV, given that this is pre-installed . – CJBS Mar 24 '15 at 19:26
  • 1
    Note: this doesn't come pre-installed on Win XP, but given that that OS is now obsolete, that shouldn't be a problem. – CJBS Mar 26 '15 at 17:25
  • for XP/2003 Admin tool kit are needed - http://www.microsoft.com/en-us/download/details.aspx?id=7045 – npocmaka Jun 08 '15 at 16:33
  • 2
    @Laisvis - with your explanation, I went from 0 to done in about 2 minutes. I came to this page looking for how to do it. Your answer was simple and perfect. – Iceberg Aug 03 '15 at 19:16
  • 2
    +1 for recommending pre-installed version. What better way to ensure secure software to check security and save additional steps hunting, downloading, installing, and validating. – Zack Jannsen Feb 27 '16 at 12:48
  • 1
    Can someone please tell me how to check file checksum for using certUtil generated Hash ? command line. Would that be just use the same commandline to generate the Hash on the file (after the file was received on the target machine) ? – rvpals Jun 13 '16 at 14:42
  • How would you go about using that to make a simple hash out of a string rather than a file? – Kebman Dec 28 '16 at 06:03
  • 1
    Where can I find the list of available hash-algorithms? I tried `certutil -hashfile -?` but did not get the list of options. The [website](https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx#BKMK_hashfile) does not have it as well. – Ravindra HV Mar 30 '17 at 20:14
  • 1
    @RavindraHV CertUtil has changed/evolved subtly over time. I just checked: in 2008 (~Windows 7) it doesn't list them, but in 2012R2 (~Windows 8.1) or later it does. I'd just try each in the above list, just note the older versions are probably case-sensitive ('MD5' not 'md5'). – mwfearnley Oct 07 '20 at 14:53
  • I agree with this approach, and it is the one I would use for taking a fingerprint of a file to check its integrity. I just want to add that these days MD5 IS NOT GOOD FOR ANY OTHER CRYPTOGRAPHIC USE CASE other than this. :-) Happy Hashing – Baron_Samedi Feb 15 '22 at 10:30
28

I personally use Cygwin, which puts the entire smörgåsbord of Linux utilities at my fingertip --- there's md5sum and all the cryptographic digests supported by OpenSSL. Alternatively, you can also use a Windows distribution of OpenSSL (the "light" version is only a 1 MB installer).

Zach Scrivena
  • 29,073
  • 11
  • 63
  • 73
15

Any MD5 will produce a good checksum to verify the file. Any of the files listed at the bottom of this page will work fine. http://en.wikipedia.org/wiki/Md5sum

Nick Berardi
  • 54,393
  • 15
  • 113
  • 135
  • 9
    This answer is no longer good advice. MD5 is [vastly insecure](https://en.wikipedia.org/wiki/MD5#Security) nowadays. Using MD5 to validate downloaded files is not secure. – antiduh Oct 28 '15 at 20:12
  • 23
    @antiduh Seeing as you get the hash from the same place you download it from, your argument is moot. You're limited by the hash provided by the website. – J.J Mar 01 '16 at 14:19
  • 8
    Let's note that the user just wants to verify that the downloaded file has not been corrupted. If you take a look at [https://en.wikipedia.org/wiki/MD5#Security](https://en.wikipedia.org/wiki/MD5#Security) you will come across this key sentence in the opening paragraph: _"Although MD5 was initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities. It can still be used as a checksum to verify data integrity, but only against unintentional corruption."_ – Kosta Tenedios Jul 06 '16 at 00:36
  • 2
    @J.J A lot of official websites make you download the actual binary from another domain, so the argument is valid. You can download a modified VLC from a malicious mirror via the official site, which will be detected by a checksum. – Hey Aug 22 '17 at 10:50
  • @antiduh then why don't you suggest the alternative? – java-addict301 May 02 '18 at 15:49
  • @Arno - That is my exact point. A malicious mirror could assemble a VLC binary that has a virus in it, but has the same exact checksum as published on the website; that is because Hash-MD5 is insecure. HMAC-MD5 is better (for now), but there are still better alternatives. – antiduh May 02 '18 at 16:01
  • @java-addict301 - Because I'm not here to hold your hand. You could spend about 5 minutes searching for hashing best practices and find an up-to-date answer. Owasp.org is a great resource. – antiduh May 02 '18 at 16:03
  • 4
    @antiduh I asked not because I'm too lazy to search, but because RTFM is never an appropriate 'answer' on Stackoverflow (which is what your answer implied). – java-addict301 May 02 '18 at 16:24
9

On Windows : you can use FCIV utility : http://support.microsoft.com/kb/841290

On Unix/Linux : you can use md5sum : http://linux.about.com/library/cmd/blcmdl1_md5sum.htm

sandyiit
  • 1,597
  • 3
  • 17
  • 23
6

Checksum tabs: http://code.kliu.org/hashcheck/

This has worked great for me on windows for a while now. It allows easy copying and pasting of checksums. It has box to type/paste check sums from webpages and show matches or non matches quite well.

Sqeaky
  • 1,876
  • 3
  • 21
  • 40
  • 2
    This handy little utility is rather understated here. First I have no relation to the author(s)---I just think it is a great utility! It lets you generate a hash file of your choice from the context menu in Windows Explorer for a single file or a group of files. You can later double-click that hash file to automatically run a hash verification of those files. I use this frequently to generate a hash for large files I want to copy, then copy the hash file with it, and at the destination, double-click to verify they survived intact. – Michael Sorens May 20 '15 at 22:02
  • 1
    Excellent solution, but the link is outdated. The safest place to get this software now is https://github.com/gurnec/HashCheck – asachet Nov 23 '18 at 16:29
5

On MySQL.com, MD5s are listed alongside each file that you can download. For instance, MySQL "Windows Essentials" 5.1 is 528c89c37b3a6f0bd34480000a56c372.

You can download md5 (md5.exe), a command line tool that will calculate the MD5 of any file that you have locally. MD5 is just like any other cryptographic hash function, which means that a given array of bytes will always produce the same hash. That means if your downloaded MySQL zip file (or whatever) has the same MD5 as they post on their site, you have the exact same file.

tonyz
  • 191
  • 1
  • 2
3

When I worked with Windows, I found handy HashTab 3rd party tool. It shows MD5, SHA-1 check sums in one of file properties tabs. http://implbits.com/products/hashtab/

user121391
  • 577
  • 5
  • 16
jabalv
  • 51
  • 3
3

7-Zip can be used to generate hashes for files, folders of files, and trees of folders of files. 7-Zip is small footprint and a very useful compression utility. http://7-zip.org/

gridtrak
  • 731
  • 7
  • 20
  • While it is true that 7-zip provides hashes for all of the items listed above, it lacks a way to simply copy-paste it's results directly. CertUtil, since it is a CMD program, does provide copy-paste functionality. – Jonathin Apr 28 '18 at 22:55
  • It's also possible to use 7z.exe via the CMD, for example `7z.exe h -scrcSHA256 -- /path/to/your/file.txt` produces a sha256 hash. – Elpy Apr 25 '19 at 13:36
3

To calculate md5 of all the files in the current directory in windows 7 

for %i in (*) DO CertUtil -hashfile %i MD5
Abey
  • 165
  • 7
2

Download fciv.exe directly from http://www.microsoft.com/en-us/download/confirmation.aspx?id=11533

shell> fciv.exe [yourfile]

will give you md5 by default.

You can read up the help file fciv.exe -h

Community
  • 1
  • 1
yantaq
  • 3,968
  • 2
  • 33
  • 34
2

Just to add another option for Windows users, the Get-FileHash PowerShell cmdlet can be used (https://technet.microsoft.com/en-us/library/dn520872.aspx).

Example usage: Get-FileHash MyImage.iso -Algorithm MD5

If all you're after is just the raw hash then: (Get-FileHash MyImage.iso -Algorithm MD5).Hash

Kosta Tenedios
  • 101
  • 8
1

The Powershell utility Get-FileHash worked perfectly for me.

https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.utility/get-filehash

Vale Trujillo
  • 71
  • 2
  • 7
1

Best utility for Windows is HashCheck that is now on GitHub. https://github.com/gurnec/HashCheck/releases/tag/v2.4.0

Install HashCheck. Now right click on the file -> Create verification file. It will create a file.extension.md5 file with MD5 code in it.

Love it.

djibe
  • 2,753
  • 2
  • 17
  • 26
0

for sure the certutil is the best approach but there's a chance to hit windows xp/2003 machine without certutil command.There makecab command can be used which has its own hash algorithm - here the fileinf.bat which will output some info about the file including the checksum.

npocmaka
  • 55,367
  • 18
  • 148
  • 187
0

Hashing is a standalone application that performs MD5, SHA-1 and SHA-2 family. Built upon OpenSSL.

Lelo
  • 854
  • 11
  • 25
0

I like to use HashMyFiles for windows.

desbest
  • 4,746
  • 11
  • 51
  • 84
0

QuickHash an open source tool supporting MD5, SHA1, SHA256, SHA512 and available for the Linux, Windows, and Apple Mac.

https://sourceforge.net/projects/quickhash/

harryssuperman
  • 465
  • 3
  • 7
0

In HPUX ( hp UNIX)

Please install the md5sum package on your UNIX machine for example, if there is a file called a.txt 

shell > md5sum a.txt
rene
  • 41,474
  • 78
  • 114
  • 152
Rnsthota
  • 11
  • 3
0

Note that the above solutions will not tell you if your installation is correct only if your install.exe is correct (you can trust it to produce a correct install.)

You would need MD5 sums for each file/folder to test if the installed code has been messed with after the install completed.

WinMerg is useful to compare two installs (on two different machines perhaps) to see if one has been changed or why one is broken.

Chris Nava
  • 6,614
  • 3
  • 25
  • 31
-4

Just use win32 Checksum api. MD5 is native in Win32.

  • 2
    Have an example of the Win32 API that is small enough for an SO answer and suitable for the asker? – Sqeaky Feb 21 '14 at 16:49