
How to Generate an MD5 Checksum Manifest in Batch Script

In data migration, software distribution, or forensic auditing, you often need to verify that a hundred different files in a folder have arrived safely and haven't been modified. Checking each file's size is not enough to detect internal corruption. You need a manifest: a single text file that lists every file in the directory alongside its MD5 checksum. By generating this manifest before a move and comparing it afterward, you can confirm that every file arrived intact. A Batch script can use a FOR loop combined with certutil to walk through a directory and build this fingerprint list automatically.

This guide will explain how to generate a directory-wide MD5 manifest.

Method 1: Creating the MD5 Fingerprint List

We use a FOR loop to visit every file and append each certutil result to a single manifest file.

@echo off
setlocal enabledelayedexpansion

set "TargetDir=C:\MyArchive"
set "AuditDir=C:\Audit"
set "Manifest=%AuditDir%\manifest_md5.txt"

:: Verify the source directory exists
if not exist "%TargetDir%" (
    echo [ERROR] Source directory not found: %TargetDir%
    pause
    exit /b 1
)

echo [ACTION] Generating MD5 manifest for %TargetDir%...

:: Ensure the output directory exists
if not exist "%AuditDir%" mkdir "%AuditDir%"

:: Write a header with timestamp
echo Audit Date: %date% %time% > "%Manifest%"
echo Source: %TargetDir% >> "%Manifest%"
echo. >> "%Manifest%"

:: Loop through every file in the folder
set "FileCount=0"
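for %%f in ("%TargetDir%\*.*") do (
    set "current_hash="
    rem certutil prints a title line first and the hash second, so skip the title and keep only the next line
    for /f "skip=1 tokens=*" %%a in ('certutil -hashfile "%%f" MD5') do (
        if not defined current_hash (
            set "current_hash=%%a"
        )
    )
    rem Older certutil builds separate the hash bytes with spaces, so strip them
    set "current_hash=!current_hash: =!"
    echo %%~nxf : !current_hash! >> "%Manifest%"
    set /a FileCount+=1
)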

echo [SUCCESS] Manifest saved to %Manifest% (!FileCount! files processed^)
pause
endlocal

Method 2: Recursive Subfolder Scan

If your project has nested folders (e.g., src/, img/), you need to use the /R flag to walk through every subdirectory.

@echo off
setlocal enabledelayedexpansion

set "Root=C:\Project_Data"
set "OutFile=C:\Audit\recursive_md5_audit.log"

:: Verify the source directory exists
if not exist "%Root%" (
    echo [ERROR] Directory not found: %Root%
    pause
    exit /b 1
)

echo [ACTION] Crawling %Root% and subfolders...

:: Ensure the output directory exists
if not exist "C:\Audit" mkdir "C:\Audit"

:: Write header
echo Audit Date: %date% %time% > "%OutFile%"
echo Source: %Root% (recursive^) >> "%OutFile%"
echo. >> "%OutFile%"

set "FileCount=0"
for /r "%Root%" %%f in (*) do (
    set "current_hash="
    for /f "skip=1 tokens=*" %%a in ('certutil -hashfile "%%f" MD5') do (
        if not defined current_hash set "current_hash=%%a"
    )
    set "current_hash=!current_hash: =!"
    rem Record the path relative to Root so that same-named files in different subfolders stay distinct
    set "rel=%%f"
    set "rel=!rel:%Root%\=!"
    echo !rel! : !current_hash! >> "%OutFile%"
    set /a FileCount+=1
)

echo [SUCCESS] Recursive manifest saved to %OutFile% (!FileCount! files processed^)
pause
endlocal

Method 3: Comparing a Folder Against an Existing Manifest

Use this script to verify a folder's current state against a previously generated manifest. It reports any mismatches, which indicate files that have changed since the last audit, and any files listed in the manifest that are now missing.

@echo off
setlocal enabledelayedexpansion

set "TargetDir=C:\MyArchive"
set "Manifest=C:\Audit\manifest_md5.txt"
set "Mismatches=0"

:: Verify inputs exist
if not exist "%Manifest%" (
    echo [ERROR] Manifest file not found: %Manifest%
    pause
    exit /b 1
)
if not exist "%TargetDir%" (
    echo [ERROR] Target directory not found: %TargetDir%
    pause
    exit /b 1
)

echo [AUDIT] Running integrity comparison against manifest...
echo.

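:: Read each "name : hash" line from the manifest and compare.
:: skip=2 ignores the Audit Date and Source header lines. Splitting on ":" alone
:: (a character that cannot appear in a Windows file name) keeps names with spaces intact.
for /f "usebackq skip=2 tokens=1,2 delims=:" %%a in ("%Manifest%") do (
    rem Trim the space before the colon from the name and the padding around the hash
    set "name=%%a"
    set "name=!name:~0,-1!"
    set "expected=%%b"
    if defined expected set "expected=!expected: =!"
    rem Lines without a hash field, such as the blank separator, are ignored
    if defined expected if exist "%TargetDir%\!name!" (
        set "actual="
        for /f "skip=1 tokens=*" %%h in ('certutil -hashfile "%TargetDir%\!name!" MD5') do (
            if not defined actual set "actual=%%h"
        )
        set "actual=!actual: =!"
        if /i "!actual!" neq "!expected!" (
            echo [MISMATCH] !name!
            echo Expected: !expected!
            echo Actual: !actual!
            set /a Mismatches+=1
        )
    ) else (
        echo [MISSING] !name!
        set /a Mismatches+=1
    )
)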

echo.
if !Mismatches! equ 0 (
    echo [OK] All files match the manifest. Integrity verified.
) else (
    rem The parentheses are escaped so they do not close the else block early
    echo [ALERT] !Mismatches! file^(s^) failed integrity check.
)

pause
endlocal
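
Method 3 only walks the manifest, so a file that was added to the folder after the audit is never reported. The following added example (not part of the original guide) closes that gap by looking up every file currently in the folder in the manifest; it assumes the same paths as above and the "name : hash" line format written by Method 1.

```batch
@echo off
setlocal enabledelayedexpansion

:: Assumed paths, matching the Method 1 and Method 3 scripts
set "TargetDir=C:\MyArchive"
set "Manifest=C:\Audit\manifest_md5.txt"
set "Extras=0"

if not exist "%Manifest%" (
    echo [ERROR] Manifest file not found: %Manifest%
    exit /b 1
)
if not exist "%TargetDir%" (
    echo [ERROR] Target directory not found: %TargetDir%
    exit /b 1
)

:: A file is known if some manifest line starts with "<name> : ".
:: /b anchors the match at the start of the line, /l makes it a literal
:: string, /i ignores case because Windows file names are case-insensitive.
for %%f in ("%TargetDir%\*.*") do (
    findstr /b /l /i /c:"%%~nxf : " "%Manifest%" >nul
    if errorlevel 1 (
        echo [EXTRA] %%~nxf
        set /a Extras+=1
    )
)

echo.
if !Extras! equ 0 (
    echo [OK] Every file in the folder is listed in the manifest.
) else (
    echo [ALERT] !Extras! unlisted file^(s^) found in %TargetDir%
)
endlocal
```

Run it together with the Method 3 comparison: one catches changed and missing files, the other catches files that appeared after the audit.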

How to Avoid Common Errors

Wrong Way: Using "certutil" directly on a folder

Running certutil -hashfile "C:\MyFolder" MD5 will fail, because certutil only hashes individual files.

Correct Way: You MUST use a FOR loop (as shown in Method 1) to pass each file to the command one at a time.

Problem: Filenames with Special Characters

If a file has a & or a ( in the name, your echo or loop might crash.

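Solution: Always wrap your file variables in double quotes: "%%f" and "%%~nxf". This ensures the Batch engine treats the entire string as a single path. Note that because these scripts enable delayed expansion, a ! in a file name is consumed when the loop variable is expanded, so such files are recorded under the wrong name.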

Best Practices and Rules

1. Identify "MD5" vs "SHA-256"

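MD5 is fast and well suited to detecting accidental corruption (like a network glitch). It is not collision-resistant, so if you are guarding against malicious tampering, you should upgrade your script to use SHA256 instead by changing the algorithm argument in the certutil call from MD5 to SHA256.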

2. Relative Paths

If you are moving the folder to a different drive, use %%~nxf (name and extension only) in your manifest. If you use the full path (C:\Data\file.txt), the manifest will no longer match once the files live at D:\Data\file.txt.

3. Log the Timestamp

Always include the date and time in your manifest header. This helps you track which version of the files you are looking at.

echo Audit Date: %date% %time% > "%Manifest%"
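
The three rules above combined in one generator, as an added example rather than code from the original guide: it hashes with SHA256, records paths relative to the root, writes a timestamped header, and rejects any certutil result that is not a 64-character hex digest, so a file that could not be hashed never puts an error message into the manifest. The paths and the manifest_sha256.txt name are assumptions, and the audit folder is assumed to lie outside the scanned root.

```batch
@echo off
setlocal enabledelayedexpansion

:: Assumed example paths; adjust to your environment
set "Root=C:\Project_Data"
set "AuditDir=C:\Audit"
set "Manifest=%AuditDir%\manifest_sha256.txt"
set "Hex=0123456789abcdefABCDEF"
set /a Good=0, Bad=0

if not exist "%Root%" (
    echo [ERROR] Directory not found: %Root%
    exit /b 1
)
if not exist "%AuditDir%" mkdir "%AuditDir%"

:: Rule 3: timestamped header
> "%Manifest%" echo Audit Date: %date% %time%
>> "%Manifest%" echo Source: %Root% [recursive, SHA256]
>> "%Manifest%" echo.

for /r "%Root%" %%f in (*) do (
    set "h="
    for /f "skip=1 tokens=*" %%a in ('certutil -hashfile "%%f" SHA256') do (
        if not defined h set "h=%%a"
    )
    rem Older certutil builds print the digest as space-separated byte pairs
    if defined h set "h=!h: =!"
    rem Accept only a value that is exactly 64 characters long and all hex
    set "ok=1"
    if not defined h set "ok="
    if defined ok if "!h:~63,1!"=="" set "ok="
    if defined ok if not "!h:~64,1!"=="" set "ok="
    if defined ok for /f "delims=%Hex%" %%x in ("!h!") do set "ok="
    rem Rule 2: store the path relative to Root, not the absolute path
    set "rel=%%f"
    set "rel=!rel:%Root%\=!"
    if defined ok (
        >> "%Manifest%" echo !rel! : !h!
        set /a Good+=1
    ) else (
        echo [FAILED] Could not hash: !rel!
        set /a Bad+=1
    )
)

echo [DONE] !Good! hashed, !Bad! failed. Manifest: %Manifest%
if !Bad! gtr 0 exit /b 2
```

A manifest written this way has to be verified with SHA256 as well, and because it stores relative paths the verifier must join each entry to the new root folder.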

Conclusions

Generating an MD5 manifest via Batch script gives your datasets a verifiable seal of integrity. By moving from simple file counts to mathematical fingerprints, you gain the evidence needed to manage large-scale data migrations and security audits. This automated check is essential for system administrators and developers who need to confirm that their digital assets remain unchanged and uncorrupted across their infrastructure.