How to Get the MD5 or SHA1 Hash of a File in Batch Script
A cryptographic hash (often called a checksum) is a unique digital fingerprint of a file. It is used to verify file integrity, ensuring that a file has not been corrupted during download or tampered with by a third party. While Windows doesn't have a simple md5sum command like Linux, it includes a powerful and versatile utility called CertUtil that can generate these hashes.
This guide will teach you how to use the CertUtil command to get the hash of a file, how to specify different algorithms like MD5, SHA1, and SHA256, and how to capture the hash value into a variable for use in your script's logic.
The Core Command: CertUtil -hashfile
CertUtil is a command-line program installed by default on modern Windows versions, intended for managing certificate services. However, it includes an extremely useful -hashfile function that can compute and display the cryptographic hash of a file.
The basic syntax is:
CertUtil -hashfile "path\to\file.ext" [Algorithm]
"path\to\file.ext": The full path to the file you want to hash. It should be quoted to handle spaces.
[Algorithm]: An optional argument to specify which hash algorithm to use. If omitted, SHA1 is used by default.
Basic Example: Getting a File's Hash
Let's run the command on a file to see its default output.
@ECHO OFF
REM This will calculate the SHA1 hash of the specified file.
CertUtil -hashfile "my_installer.exe"
The CertUtil command produces a three-line output: a header describing the algorithm, the hash itself, and a completion message.
SHA1 hash of my_installer.exe:
a9 4a 8f e5 cc b1 9b a6 1c 4c 08 73 d3 91 e9 87 98 2f bb d3
CertUtil: -hashfile command completed successfully.
Specifying a Hash Algorithm (MD5, SHA256, etc.)
While SHA1 is the default, you will often need to generate a specific hash like MD5 or SHA256 to match a checksum provided by a software vendor. You simply add the algorithm name at the end of the command.
@ECHO OFF
ECHO --- Calculating Hashes ---
ECHO.
ECHO MD5:
CertUtil -hashfile "my_installer.exe" MD5
ECHO.
ECHO SHA256:
CertUtil -hashfile "my_installer.exe" SHA256
CertUtil supports all standard algorithms, including MD5, SHA1, SHA256, and SHA512. MD5 and SHA1 are no longer collision-resistant, so when the choice is yours prefer SHA256 or SHA512 and use MD5 or SHA1 only to match a checksum a vendor has already published in that format.
Storing the Hash in a Variable
To use the hash in a script (for example, to compare it to a known value), you need to extract it from the CertUtil output and store it in a variable. This requires parsing the output with a FOR /F loop.
This script captures the hash and cleans it up by removing spaces.
@ECHO OFF
SET "FILENAME=my_installer.exe"
SET "FILE_HASH="
REM The 'skip=1' ignores the header line.
REM The loop will grab the second line (the hash).
REM We use GOTO to exit the loop immediately so it doesn't process the final line.
FOR /F "skip=1 delims=" %%H IN ('CertUtil -hashfile "%FILENAME%" MD5') DO (
SET "FILE_HASH=%%H"
GOTO :HashFound
)
:HashFound
REM Older Windows versions print the hash with a space between each byte; newer ones print it
REM without spaces. Removing the spaces is harmless in both cases.
SET "FILE_HASH=%FILE_HASH: =%"
ECHO The clean MD5 hash is: %FILE_HASH%
This pattern is the most reliable way to get a clean hash value into a variable.
Common Pitfalls and How to Solve Them
Problem: The Output Includes Extra Header and Footer Text
As seen above, the raw output from CertUtil is not just the hash. It's multi-line and includes descriptive text.
Solution: Use FOR /F "skip=1"
The parsing method shown above is the definitive solution. The skip=1 option correctly discards the first line (the header), and the GOTO ensures the loop exits before it can process the third line (the "command completed" message), leaving only the hash itself.
Problem: Handling "File Not Found" Errors
If the file you are trying to hash does not exist, CertUtil will report an error and your FOR /F loop will not find anything, leaving your variable empty.
Let's see the error:
CertUtil: -hashfile command FAILED: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
CertUtil: The system cannot find the file specified.
Solution: Use IF EXIST First
Before calling CertUtil, always verify that the file exists. This allows your script to fail gracefully with a clear, user-friendly message.
@ECHO OFF
SET "FILENAME=non_existent_file.zip"
IF NOT EXIST "%FILENAME%" (
ECHO [ERROR] File not found. Cannot calculate hash.
GOTO :EOF
)
REM (Proceed with CertUtil command here)
Practical Example: Verifying a Downloaded File's Checksum
This is the most common use case for file hashing. A software provider gives you a SHA256 checksum for a download. This script calculates the hash of the file you downloaded and compares it to the expected value to ensure the file is authentic and uncorrupted. The comparison is only as trustworthy as the source of the expected checksum: a checksum fetched from the same server as the download detects corruption, but it cannot detect a server that has been compromised and serves both a modified file and a matching checksum.
@ECHO OFF
SETLOCAL
SET "DOWNLOADED_FILE=Npp.8.4.6.installer.x64.exe"
SET "EXPECTED_SHA256=a59f9e8cea5a338d7228805f1352e82b3a3c03504a2ea2d6f7a4e63b6d19426f"
SET "ACTUAL_HASH="
ECHO Verifying integrity of "%DOWNLOADED_FILE%"...
ECHO.
IF NOT EXIST "%DOWNLOADED_FILE%" (ECHO [ERROR] File not found! & GOTO :End)
REM delims= keeps the whole line; without it %%H would hold only the first space-separated token.
FOR /F "skip=1 delims=" %%H IN ('CertUtil -hashfile "%DOWNLOADED_FILE%" SHA256') DO (
SET "ACTUAL_HASH=%%H"
GOTO :Continue
)
:Continue
SET "ACTUAL_HASH=%ACTUAL_HASH: =%"
ECHO Expected SHA256: %EXPECTED_SHA256%
ECHO Actual SHA256 : %ACTUAL_HASH%
ECHO.
IF /I "%ACTUAL_HASH%"=="%EXPECTED_SHA256%" (
ECHO [SUCCESS] Hashes match. File is valid.
) ELSE (
ECHO [FAILURE] Hashes DO NOT match. The file may be corrupt or tampered with.
)
:End
ENDLOCAL
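Extending the single-file check above to a whole checksum list, in the style of sha256sum -c. This is an added example, not from the original article: it assumes a constructed file SHA256SUMS.txt with one "<hash>  <filename>" entry per line, and it also checks CertUtil's exit code so that a file that exists but cannot be read is reported rather than silently yielding an empty hash.

```batch
@ECHO OFF
SETLOCAL EnableDelayedExpansion
REM Added example (not the article's code): verifies every entry in SHA256SUMS.txt.
REM Assumed list format, one entry per line, e.g. this constructed entry:
REM   a59f9e8cea5a338d7228805f1352e82b3a3c03504a2ea2d6f7a4e63b6d19426f  Npp.8.4.6.installer.x64.exe
REM Exit code is 1 if any file is missing, cannot be hashed, or has a different hash.
SET "SUMFILE=SHA256SUMS.txt"
SET "ALGO=SHA256"
SET "FAILED=0"
IF NOT EXIST "%SUMFILE%" (ECHO [ERROR] Checksum list "%SUMFILE%" not found. & EXIT /B 1)

REM tokens=1,* : %%A = expected hash, %%B = rest of the line = file name (may contain spaces).
FOR /F "usebackq tokens=1,* eol=#" %%A IN ("%SUMFILE%") DO CALL :VerifyOne "%%B" "%%A"

IF "%FAILED%"=="1" (ECHO [RESULT] One or more files FAILED verification. & EXIT /B 1)
ECHO [RESULT] All files verified.
EXIT /B 0

:VerifyOne
REM %1 = file name (a leading "*" from sha256sum binary mode is dropped), %2 = expected hash
SET "F=%~1"
IF "!F:~0,1!"=="*" SET "F=!F:~1!"
SET "EXPECTED=%~2"
SET "ACTUAL="
IF NOT EXIST "!F!" (ECHO [MISSING] !F! & SET "FAILED=1" & EXIT /B)
REM Run CertUtil once, keep its output in a temp file, and check its exit code so an
REM unreadable file (e.g. access denied) is reported. The failure code is not guaranteed
REM to be positive, so test for "not zero" rather than IF ERRORLEVEL 1.
SET "OUT=%TEMP%\certutil_%RANDOM%.txt"
CertUtil -hashfile "%F%" %ALGO% > "%OUT%" 2>&1
IF %ERRORLEVEL% NEQ 0 (
    ECHO [ERROR]   CertUtil could not hash !F!
    SET "FAILED=1"
    DEL "%OUT%" 2>NUL
    EXIT /B
)
REM The hash is the first line after the header; IF NOT DEFINED keeps only that line.
FOR /F "usebackq skip=1 delims=" %%H IN ("%OUT%") DO IF NOT DEFINED ACTUAL SET "ACTUAL=%%H"
DEL "%OUT%" 2>NUL
IF DEFINED ACTUAL SET "ACTUAL=!ACTUAL: =!"
IF /I "!ACTUAL!"=="!EXPECTED!" (
    ECHO [OK]      !F!
) ELSE (
    ECHO [FAILED]  !F!  expected !EXPECTED!  got !ACTUAL!
    SET "FAILED=1"
)
EXIT /B
```

Because delayed expansion is enabled, file names containing "!" are not handled by this script.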
Conclusion
The CertUtil -hashfile command is the standard, built-in Windows tool for generating file hashes. It is an essential utility for any script that deals with file integrity, security, or data verification.
For reliable scripting:
- Use CertUtil -hashfile "filename" [Algorithm] to generate the hash.
- Use a FOR /F "skip=1 delims=" loop to parse the output and capture the hash value into a variable.
- Remember to remove the spaces from the captured hash string before using it in comparisons.
- Always perform an IF EXIST check first to handle missing files gracefully.