Some types of files you download, like ISO images, service packs, and even entire software programs or operating systems, are often large and high-profile, making them prone to downloading errors and even alteration by malicious third parties.
Fortunately, many websites offer a piece of data called a checksum that can be used to help verify that the file you end up with on your computer is exactly the same as the file they're providing.
A checksum, also called a hash or hash value, is produced by running a cryptographic hash function, usually MD5 or SHA-1, on a file. Comparing the checksum produced by running a hash function on your version of the file, with the one published by the download provider, can prove with near certainty that both files are identical.
Follow the easy steps below to verify a file's integrity with FCIV, a free checksum calculator:
Important: You can only verify that a file is genuine if the original producer of the file, or another person you trust who has used the file, has provided you with a checksum to compare to. Creating a checksum yourself is useless if you have nothing trustworthy to compare it to.
Download and "Install" File Checksum Integrity Verifier, often simply referred to as FCIV. This program is freely available from Microsoft and works on all commonly used versions of Windows.
FCIV is a command-line tool but don't let that scare you away. It's very easy to use, especially with the tutorial below.
Tip: Obviously if you've followed the tutorial above in the past then you can skip this step. The remainder of these steps assumes that you've downloaded FCIV and placed it in the appropriate folder as described in the link above.
Navigate to the folder that contains the file that you want to create the checksum value for.
Once there, hold down your Shift key while right-clicking on any empty space in the folder. In the resulting menu, select the Open command window here option.
Command Prompt will open and the prompt will be preset to this folder.
For example, on my computer, the file I wanted to create the checksum for was in my Downloads folder, so the prompt in my Command Prompt window reads C:\Users\Tim\Downloads> after following this step from my Downloads folder.
Next we need to make sure we know the exact file name of the file you want FCIV to generate the checksum for. You may already know it but you should double-check to be sure.
The easiest way to do this is to execute the dir command and then write down the full file name. Type the following in Command Prompt:
which should generate a list of files in that folder:
C:\Users\Tim\Downloads>dir Volume in drive C has no label. Volume Serial Number is D4E8-E115 Directory of C:\Users\Tim\Downloads 11/11/2011 02:32 PM <DIR> . 11/11/2011 02:32 PM <DIR> .. 04/15/2011 05:50 AM 15,287,296 LogMeIn.msi 07/31/2011 12:50 PM 397,312 ProductKeyFinder.exe 08/29/2011 08:15 AM 595,672 R141246.EXE 09/23/2011 08:47 AM 6,759,840 setup.exe 09/14/2011 06:32 AM 91,779,376 VirtualBox-4.1.2-73507-Win.exe 5 File(s) 114,819,496 bytes 2 Dir(s) 22,241,402,880 bytes free C:\Users\Tim\Downloads>
In this example, the file I want to create the checksum for is VirtualBox-4.1.2-73507-Win.exe so I'll write that down exactly.
Now we can run one of the cryptographic hash functions supported by FCIV to create a checksum value for this file.
Let's say that the website I downloaded the VirtualBox-4.1.2-73507-Win.exe file from published an SHA-1 hash to compare to. This means that I also want to create an SHA-1 checksum on my copy of the file.
To do this, execute FCIV as follows:
fciv VirtualBox-4.1.2-73507-Win.exe -sha1
Be sure you type the entire file name. Don't forget the file extension!
If you need to create an MD5 checksum, end the command with -md5 instead of -sha1.
Tip: Did you get a "'fciv' is not recognized as an internal or external command..." message? Be sure you've placed the fciv.exe file in an appropriate folder as described in the tutorial linked to in Step 1 above.
Continuing our example above, here's the result of using FCIV to create an SHA-1 checksum on my file:
// // File Checksum Integrity Verifier version 2.05. // 6b719836ab24ab48609276d32c32f46c980f98f1 virtualbox-4.1.2-73507-win.exe
The number/letter sequence before the file name in the Command Prompt window is your checksum.
Note: Don't worry if it takes several seconds or longer to generate the checksum value, especially if you're trying to generate one on a very large file.
Tip: You can save the checksum value produced by FCIV to a file by adding > filename.txt to the end of the command you executed in Step 5. See How To Redirect Command Output to a File if you need help.
Now that you've generated a checksum value for your file, you need to see if it equals the checksum value the download source provided for comparison.
Do the Checksums Match?
Great! You can be completely certain that the file on your computer is an exact copy of the one being provided.
This means that there were no errors during the download process and, as long as you're using a checksum provided by the original author or a very trusted source, you can also be sure that the file hasn't been altered for malicious purposes.
Do the Checksums NOT Match?
Download the file again. If you're not downloading the file from the original source, do that instead.