How to Get the SHA-256 Hash of a File in Batch Script
In a world of insecure downloads and potential malware, verifying the integrity of a file is a critical security step. A hash (specifically SHA-256) is a fixed-length digital fingerprint of a file's contents: if even one character in a text file or one bit in an installer is changed, the hash will be completely different. By generating the SHA-256 hash of a file you've just downloaded or a system file you're auditing, and comparing it with a reference value obtained from a trusted source (the vendor's download page over HTTPS, or a baseline you recorded yourself), you can show that the data hasn't been tampered with or corrupted. A Batch script can use the built-in certutil command to calculate this fingerprint instantly.
This guide will explain how to verify file integrity using SHA-256.
Method 1: The Standard Hash (Certutil)
certutil ships with Windows, so it is the most reliable way to get a hash without installing third-party tools.
@echo off
setlocal
set "TargetFile=C:\Downloads\installer.exe"
:: Verify the file exists before attempting to hash it
if not exist "%TargetFile%" (
    echo [ERROR] File not found: %TargetFile%
    pause
    exit /b 1
)
echo [INTEGRITY] Calculating SHA-256 for: %TargetFile%...
echo.
:: -hashfile = The hashing command
:: SHA256 = The algorithm (certutil also accepts MD5, SHA1, SHA384 and SHA512)
certutil -hashfile "%TargetFile%" SHA256
echo.
pause
Method 2: Extracting the Hash Only (Clean Output)
Method 1 prints header and footer lines around the hash. This script isolates the hash string itself into a variable so your automations can use it.
@echo off
setlocal
set "File=C:\Temp\data.zip"
:: Verify the file exists before attempting to hash it
if not exist "%File%" (
    echo [ERROR] File not found: %File%
    pause
    exit /b 1
)
:: Clear any stale value from a previous run
set "file_hash="
:: Use a loop to grab the SECOND line of the certutil output
for /f "skip=1 tokens=*" %%a in ('certutil -hashfile "%File%" SHA256') do (
    if not defined file_hash (
        set "file_hash=%%a"
    )
)
:: Clean up spaces in the hash string (older Windows versions add them)
set "file_hash=%file_hash: =%"
if not defined file_hash (
    echo [ERROR] Failed to compute hash. Verify the file is accessible.
) else (
    echo [HASH] %file_hash%
)
pause
endlocal
Method 3: The "Tamper Detection" Guard
This script compares a file's current hash against a known-good value and alerts you if they don't match. The known-good value must come from a trusted copy of the file or from the vendor; a hash recorded on the same machine after it may already have been compromised proves nothing.
@echo off
setlocal
set "FileToCheck=C:\System\config.txt"
set "ExpectedHash=a3b2c1d0e9f87a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f3a2b"
:: Verify the file exists before attempting to hash it
if not exist "%FileToCheck%" (
    echo [ALERT] File is MISSING: %FileToCheck%
    pause
    exit /b 1
)
echo [GUARD] Verifying System Integrity...
:: Clear any stale value from a previous run
set "actual_hash="
for /f "skip=1 tokens=*" %%a in ('certutil -hashfile "%FileToCheck%" SHA256') do (
    if not defined actual_hash set "actual_hash=%%a"
)
set "actual_hash=%actual_hash: =%"
:: Use /i for case-insensitive comparison (hex can be upper or lowercase)
if /i "%actual_hash%"=="%ExpectedHash%" (
    echo [OK] File is authentic.
) else (
    echo [ALERT] FILE HAS BEEN MODIFIED!
    echo Expected: %ExpectedHash%
    echo Actual: %actual_hash%
)
pause
endlocal
How to Avoid Common Errors
Wrong Way: Using MD5 for security
While certutil supports MD5, MD5 is cryptographically broken: an attacker can cheaply create two different files that have the same MD5 hash (a "collision"). The same applies to SHA-1, for which practical collisions have also been demonstrated.
Correct Way: Always use SHA-256 (or higher, such as SHA-512) for security-sensitive tasks like verifying installers or password files.
Problem: Large Files
Calculating the hash of a 50GB database file will take several minutes, since every byte must be read from disk, and will use significant CPU power.
Solution: If you are hashing large files, print an "In Progress" message before calling certutil so the user doesn't think the script has frozen.
Best Practices and Rules
1. Identify "Hidden" Changes
Hackers often replace common tools (like cmd.exe) with a version they've modified. Even if the filesize is exactly the same, the SHA-256 hash will reveal the fraud.
2. Standardize Output
certutil output formats the hash with spaces (e.g., a1 b2 c3) on older Windows versions. Most websites provide hashes as one long string. Use the string replacement logic (Method 2) to remove these spaces before comparing.
3. Log the Fingerprint
Log the SHA-256 hash of every critical system file when you first set up a server. This gives you a baseline to compare against during a post-compromise forensic investigation. Keep the baseline off the server or on read-only media; a copy left on the same machine can be edited by the same intruder who modified the files.
certutil -hashfile "C:\Windows\System32\cmd.exe" SHA256 >> system_baseline.log
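The single command above appends certutil's full multi-line output to the log. The script below is an added example, not code from the original article: it writes a clean baseline (one "hash path" line per file) for every path listed in a text file, and in verify mode re-hashes each entry and reports it as OK, MODIFIED, MISSING or UNREADABLE. It reuses the Method 2 parsing logic and additionally rejects anything that is not a 64-character digest, so a certutil error line is never mistaken for a hash. The paths C:\Baseline\critical_files.txt and C:\Baseline\system_baseline.txt and the subroutine name :hash_file are assumptions chosen for illustration.

```batch
@echo off
setlocal EnableDelayedExpansion

:: Assumed paths for illustration only; adjust to your environment.
:: critical_files.txt holds one full path per line; the baseline gets one "hash path" line per file.
set "FileList=C:\Baseline\critical_files.txt"
set "BaselineFile=C:\Baseline\system_baseline.txt"

if /i "%~1"=="create" goto :create
if /i "%~1"=="verify" goto :verify
echo Usage: %~nx0 create ^| verify
exit /b 2

:create
if not exist "%FileList%" (
    echo [ERROR] File list not found: %FileList%
    exit /b 1
)
:: Start a fresh baseline ("type nul > file" creates an empty file)
type nul > "%BaselineFile%"
for /f "usebackq delims=" %%f in ("%FileList%") do (
    call :hash_file "%%f"
    if defined file_hash (
        >> "%BaselineFile%" echo !file_hash! %%f
        echo [BASELINE] %%f
    ) else (
        echo [WARN] Could not hash: %%f
    )
)
echo [DONE] Baseline written to %BaselineFile%
exit /b 0

:verify
if not exist "%BaselineFile%" (
    echo [ERROR] Baseline not found: %BaselineFile%
    exit /b 1
)
set "Failures=0"
:: tokens=1,* splits each line into the hash and the remainder (the path, spaces included)
for /f "usebackq tokens=1,* delims= " %%h in ("%BaselineFile%") do (
    if not exist "%%i" (
        echo [ALERT] MISSING:    %%i
        set /a Failures+=1
    ) else (
        call :hash_file "%%i"
        if not defined file_hash (
            echo [ALERT] UNREADABLE: %%i
            set /a Failures+=1
        ) else if /i "!file_hash!"=="%%h" (
            echo [OK]    %%i
        ) else (
            echo [ALERT] MODIFIED:   %%i
            echo         Expected: %%h
            echo         Actual:   !file_hash!
            set /a Failures+=1
        )
    )
)
if %Failures% gtr 0 (
    echo [RESULT] %Failures% entries failed verification
    exit /b 1
)
echo [RESULT] All files match the baseline
exit /b 0

:hash_file
:: Sets file_hash to the SHA-256 of %1 (spaces removed), or leaves it empty on any failure
set "file_hash="
if not exist "%~1" exit /b 1
for /f "skip=1 tokens=*" %%a in ('certutil -hashfile "%~1" SHA256 2^>nul') do (
    if not defined file_hash set "file_hash=%%a"
)
if not defined file_hash exit /b 1
set "file_hash=%file_hash: =%"
:: A SHA-256 digest is exactly 64 hex characters; anything else is an error line from certutil
if "%file_hash:~63,1%"=="" goto :hash_bad
if not "%file_hash:~64,1%"=="" goto :hash_bad
exit /b 0
:hash_bad
set "file_hash="
exit /b 1
```

Run it as "baseline.cmd create" once on a freshly installed system and copy the baseline to read-only media; later runs of "baseline.cmd verify" return exit code 1 if any entry fails, which makes the script usable from a scheduled task or monitoring job. Because delayed expansion is enabled, paths containing an exclamation mark will be mangled when the for-variables are expanded; keep such paths out of the list or disable delayed expansion and restructure the loops with call.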
Conclusions
Generating the SHA-256 hash via Batch script is an essential technique for ensuring digital trust and integrity. By moving from visual checks (file size, date, icon) to cryptographic verification, you gain the evidence needed to maintain a secure environment. This precision is vital for system administrators, developers, and security professionals who need to guarantee that their data remains exactly as it was intended to be.