Sometimes you need to create a file checksum to make sure files are not tampered with. Luckily PowerShell offers a standard cmdlet for this: Get-FileHash. Use this to validate file integrity in Windows (Windows Server).

Identifying changed files and possible attacks on your systems is of great importance. PowerShell offers the Get-FileHash cmdlet, which computes a hash value of a file. If a hash value has changed, the file has changed, which might indicate a possible infection or attack. Here is how to use Get-FileHash.

The cmdlet Get-FileHash:

... computes the hash value for a file by using a specified hash algorithm. A hash value is a unique value that corresponds to the content of the file.

As long as collisions are unlikely (we all remember the MD5 collisions), a hash algorithm can be a valuable method in your day-to-day security and systems administration workflow: checking that files haven't been tampered with.

Suppose I have a file cmd.exe (yeah we all know that one :-) ). Its hash value is:

Get-FileHash C:\Windows\System32\cmd.exe | Select-Object Hash


Or in one command:

(Get-FileHash C:\Windows\System32\cmd.exe).Hash

If I copy that executable to my local directory, the file hash remains the same:

PS C:\Users\Jan Reilink> copy C:\Windows\System32\cmd.exe .
PS C:\Users\Jan Reilink> (Get-FileHash "C:\Users\Jan Reilink\cmd.exe").Hash

But as soon as I echo (append) a single space character into the executable file, its file hash changes:

PS C:\Users\Jan Reilink> echo " " >> "C:\Users\Jan Reilink\cmd.exe"
PS C:\Users\Jan Reilink> (Get-FileHash "C:\Users\Jan Reilink\cmd.exe").Hash

If I regularly stored and verified file checksums, I would now know the file has been tampered with. Such file changes might indicate an attack. File Integrity Monitor (FIM) in Windows Defender for Cloud can also do this for you.
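A small script that does exactly that storing and verifying, as an added example (not code from the original post): it writes a SHA256 baseline for a directory tree on the first run and reports modified, new and missing files on later runs. The directory and baseline paths are assumed defaults.

```powershell
# Added example: build a SHA256 baseline for a directory, then verify it.
# Assumed values: $Path (directory to monitor) and $Baseline (hash store).
param(
    [string]$Path     = 'C:\inetpub\wwwroot',
    [string]$Baseline = 'C:\ProgramData\fim-baseline.json',
    [switch]$Update
)

# Hash every file below $Root; keys are paths relative to $Root so the
# baseline stays readable. Get-FileHash defaults to SHA256 anyway.
function Get-TreeHashes([string]$Root) {
    $Root  = (Resolve-Path -Path $Root).Path.TrimEnd('\')
    $table = @{}
    Get-ChildItem -Path $Root -File -Recurse -Force | ForEach-Object {
        $rel = $_.FullName.Substring($Root.Length + 1)
        $table[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $table
}

$current = Get-TreeHashes -Root $Path

if ($Update -or -not (Test-Path -Path $Baseline)) {
    # First run (or explicit refresh): write the baseline and stop.
    $current | ConvertTo-Json | Set-Content -Path $Baseline -Encoding UTF8
    Write-Host "Baseline written: $($current.Count) files -> $Baseline"
    return
}

# Load the stored baseline back into a hashtable for comparison.
$stored = @{}
(Get-Content -Path $Baseline -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $stored[$_.Name] = $_.Value }

$changed = foreach ($file in $current.Keys) {
    if ($stored.ContainsKey($file) -and $stored[$file] -ne $current[$file]) { $file }
}
$added   = @($current.Keys | Where-Object { -not $stored.ContainsKey($_) })
$removed = @($stored.Keys  | Where-Object { -not $current.ContainsKey($_) })

# Any difference deserves a look: a changed hash on a binary with no
# matching patch or deployment is the classic tampering signal.
$changed | ForEach-Object { Write-Warning "MODIFIED: $_" }
$added   | ForEach-Object { Write-Warning "NEW:      $_" }
$removed | ForEach-Object { Write-Warning "MISSING:  $_" }
if (-not ($changed -or $added -or $removed)) { Write-Host 'All files match the baseline.' }
```

Run it once to create the baseline, then schedule it (or run it after the echo trick above) to see the modified file reported; pass -Update after a legitimate deployment to refresh the baseline.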

Learn to work with file attributes in PowerShell to verify the LastWriteTime (last modified date) of files.

Did you know you can also use certutil.exe for the job? Even for an MD5 checksum? See:

PS C:\Users\Jan Reilink> certutil.exe -hashfile C:\Windows\System32\cmd.exe SHA256
SHA256 hash of C:\Windows\System32\cmd.exe:
CertUtil: -hashfile command completed successfully.
PS C:\Users\Jan Reilink> certutil.exe -hashfile C:\Windows\System32\cmd.exe MD5
MD5 hash of C:\Windows\System32\cmd.exe:
CertUtil: -hashfile command completed successfully.