
How to Verify File Integrity with Checksums in Batch Script

Bit rot, incomplete downloads, and malicious tampering can all change the content of a file without changing its name or its apparent size. To be 100% sure that the file on your disk is an exact copy of the original, you need a checksum. This digital fingerprint acts as a mathematical seal: if the file changes, the checksum no longer matches. A Batch script can use the certutil command to calculate several kinds of checksum, including MD5, SHA-1, and SHA-256, so you can build automated verification tools for your backups, installers, and secure document stores.

This guide will explain how to implement a complete file integrity audit using Batch.

Method 1: The Multi-Algorithm Checksum

certutil is the Swiss Army knife of checksums. You just need to change the final argument to choose your algorithm.

@echo off
set "File=C:\Backups\database_backup.bak"

:: Verify the file exists before attempting to hash it
if not exist "%File%" (
    echo [ERROR] File not found: %File%
    pause
    exit /b 1
)

echo [INTEGRITY] Generating Checksums for: %File%...
echo.

:: findstr /V drops certutil's header ("... hash of ...") and footer ("CertUtil: ...")
:: lines, so only the hex digest is printed
echo --- MD5 ---
certutil -hashfile "%File%" MD5 | findstr /V /C:"hash of" /C:"CertUtil:"

echo --- SHA1 ---
certutil -hashfile "%File%" SHA1 | findstr /V /C:"hash of" /C:"CertUtil:"

echo --- SHA256 ---
certutil -hashfile "%File%" SHA256 | findstr /V /C:"hash of" /C:"CertUtil:"

echo.
pause

Method 2: Automatic Verification (Silent Check)

In a deployment script you don't want to see the hash; you just want to know whether the file is OK or BAD.

@echo off
setlocal

set "Target=C:\App\update.exe"
:: Placeholder value (it is the MD5 of an empty file); replace it with the hash the vendor published
set "KnownMD5=d41d8cd98f00b204e9800998ecf8427e"

:: Verify the file exists before attempting to hash it
if not exist "%Target%" (
    echo [ERROR] File not found: %Target%
    pause
    exit /b 1
)

echo [SCAN] Verifying checksum...

:: Clear any stale value from a previous run
set "actual_md5="

:: Extract the MD5 from the file: skip certutil's header line and keep the first line after it
for /f "skip=1 tokens=*" %%a in ('certutil -hashfile "%Target%" MD5') do (
    if not defined actual_md5 set "actual_md5=%%a"
)
:: If certutil produced no digest (locked or unreadable file), make sure the comparison fails
if not defined actual_md5 set "actual_md5=UNREADABLE"
:: Older Windows versions print the hash with spaces between bytes; strip them
set "actual_md5=%actual_md5: =%"

:: Compare strings (case-insensitive for hex values)
if /i "%actual_md5%"=="%KnownMD5%" (
    echo [VALID] File integrity confirmed. Starting installation...
) else (
    echo [ALERT] CORRUPT FILE DETECTED! Aborting.
    echo Expected: %KnownMD5%
    echo Actual: %actual_md5%
    pause
    exit /b 1
)

pause
endlocal

Method 3: Auditing an Entire Folder

This script loops through every file in a directory and saves each file's SHA-256 checksum to a "Manifest" file for future comparison.

@echo off
setlocal enabledelayedexpansion

set "Folder=C:\SecureDocs"
set "AuditDir=C:\Audit"
set "Manifest=%AuditDir%\manifest.txt"

:: Verify the source folder exists
if not exist "%Folder%" (
    echo [ERROR] Folder not found: %Folder%
    pause
    exit /b 1
)

:: Ensure the output directory exists
if not exist "%AuditDir%" mkdir "%AuditDir%"

echo [AUDIT] Generating integrity manifest for %Folder%...

:: The whole loop's output is redirected once, so the manifest is written in a single pass.
:: Caveat: with delayed expansion on, a filename containing "!" will be mangled.
(for %%f in ("%Folder%\*.*") do (
    set "hash="
    for /f "skip=1 tokens=*" %%h in ('certutil -hashfile "%%f" SHA256') do (
        if not defined hash set "hash=%%h"
    )
    if defined hash (
        set "hash=!hash: =!"
        echo %%~nxf : !hash!
    ) else (
        rem Report unreadable files on the console, not in the manifest
        echo [WARN] Could not hash %%~nxf 1>&2
    )
)) > "%Manifest%"

echo [DONE] Log saved to %Manifest%
pause
endlocal
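
Method 3 writes the manifest but does not show the comparison side. The script below is an added example, not part of the original article: it reads that manifest back, rehashes each listed file with SHA-256 and reports OK, CHANGED or MISSING, exiting with the number of problems found. It assumes the same C:\SecureDocs and C:\Audit\manifest.txt paths and the "name : hash" line format Method 3 produces.

```batch
@echo off
setlocal enabledelayedexpansion

:: Assumed paths: the same ones Method 3 writes to
set "Folder=C:\SecureDocs"
set "Manifest=C:\Audit\manifest.txt"
set "Checked=0"
set "Bad=0"

if not exist "%Manifest%" (
    echo [ERROR] Manifest not found: %Manifest%
    exit /b 1
)

echo [VERIFY] Checking %Folder% against %Manifest%...
:: Each manifest line is "name.ext : <sha256hex>" (Method 3's format).
:: tokens=1* splits at the first colon: %%a = "name.ext ", %%b = " <hash>".
:: Caveat: a filename containing "!" is mangled by delayed expansion.
for /f "usebackq tokens=1* delims=:" %%a in ("%Manifest%") do (
    set "name=%%a"
    set "name=!name:~0,-1!"
    set "want=%%b"
    set "want=!want: =!"
    set /a Checked+=1
    if not exist "%Folder%\!name!" (
        echo [MISSING] !name!
        set /a Bad+=1
    ) else (
        set "have="
        for /f "skip=1 tokens=*" %%h in ('certutil -hashfile "%Folder%\!name!" SHA256') do (
            if not defined have set "have=%%h"
        )
        rem A locked or unreadable file yields no digest; treat that as a failure
        if not defined have set "have=UNREADABLE"
        set "have=!have: =!"
        if /i "!have!"=="!want!" (
            echo [OK]      !name!
        ) else (
            echo [CHANGED] !name!
            echo           expected !want!
            echo           actual   !have!
            set /a Bad+=1
        )
    )
)
echo.
echo [RESULT] %Checked% file(s) checked, %Bad% problem(s).
endlocal & exit /b %Bad%
```

Run it on a schedule after the manifest is created; a non-zero exit code means at least one file is missing, unreadable or no longer matches its recorded hash.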

How to Avoid Common Errors

Wrong Way: Using "fc" (File Compare) as a checksum

The fc command compares two files that are both present on your machine. A checksum allows you to verify a file even if you don't have the original (assuming you have the original's hash string from a website or developer).

Correct Way: Use certutil (as shown in Method 1). It is the only way to perform cryptographic integrity checks natively in the Batch environment.

Problem: Filename Spaces

If your backup file is named My Backup.zip and the path is not quoted, the certutil command will fail because it sees two separate arguments.

Solution: Always use double quotes around your file variables: "%File%".

Best Practices and Rules

1. Match the Developer's Algorithm

If a download site provides an "MD5 Checksum," you must use MD5 to verify it. If you use SHA-256, the strings will never match, even if the file is perfect. Where the publisher offers several algorithms, prefer SHA-256: MD5 and SHA-1 still catch accidental corruption, but they no longer resist deliberately crafted collisions.

2. Identify "Ghost" Changes

Checksums are sensitive to everything. If you open a text file, add one space at the end, and save it, the checksum will change completely. This is why checksums are more reliable than file timestamps.

3. Log During Deployment

When distributing software to a fleet of computers, have the local install script check the checksum of the .msi file before running it. If a network glitch occurs during the copy, the checksum check will prevent the installation of a broken application.

Conclusions

Verifying file integrity using checksums via Batch script provides a professional level of trust in your digital environment. By moving from simple visual inspection to mathematical proof, you ensure that your critical backups and software remain exactly as they were intended. This automated verification is essential for sysadmins and developers who need to maintain 100% data accuracy in a complex, distributed infrastructure.