certutil: Verify a File Checksum in Windows CMD

• →Built into Windows — works in cmd.exe, no PowerShell needed.
• →Always pass SHA256 — the default algorithm is SHA1.
• →No verify mode — use findstr to match a published hash.
• →One file at a time — folders need a manifest, not a loop.

Hash a file

certutil is a certificate utility that ships with every Windows install, and its -hashfile switch doubles as a checksum tool. Point it at a file and name the algorithm:

certutil -hashfile "C:\Downloads\app.zip" SHA256

SHA256 hash of C:\Downloads\app.zip:
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
CertUtil: -hashfile command completed successfully.

The middle line is the hash. The first and last lines are status text — useful to a human, slightly annoying to a script (more on that below).

Choosing the algorithm

certutil supports MD5, SHA1, SHA256, SHA384, and SHA512. The catch: if you omit the algorithm, it defaults to SHA1 — outdated and not what you want for verification. Name it every time:

certutil -hashfile app.zip SHA256   :: secure default
certutil -hashfile app.zip MD5      :: fast, non-security only

Reach for SHA256 unless you have a specific reason not to. MD5 is fine as a quick non-security checksum but is cryptographically broken — see MD5 vs SHA-256 for the full trade-off.

Verify a download against a published hash

Unlike Linux's sha256sum -c, certutil can't check a file against an expected value on its own. The standard trick is to pipe the output into findstr and search for the published hash:

certutil -hashfile app.zip SHA256 | findstr /i "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"

9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08

/i makes the match case-insensitive. If the line prints, the file matches; if you get nothing back, it doesn't. In a batch script, %ERRORLEVEL% is 0 when findstr finds the hash and 1 when it doesn't, so you can branch on it.

Output quirks worth knowing

• ·Spaces in old Windows. Windows 7 and 8 printed the hash with spaces between byte pairs. Windows 10/11 print it clean. If you script against the output on older systems, strip spaces first.
• ·Three lines, not one. The header and "completed successfully" lines aren't part of the hash. findstr sidesteps this; if you need just the hash, grab the middle line.
• ·Lower case. certutil emits lower-case hex; many sites publish upper case. Comparisons should be case-insensitive (findstr /i).

certutil vs PowerShell Get-FileHash

Both produce the same hash. The difference is ergonomics. certutil shines when you're in plain Command Prompt, on Server Core, or in a locked-down environment where PowerShell isn't available. The moment you're in PowerShell, Get-FileHash is nicer: it returns a clean object, so comparing is a one-liner with no text parsing:

(Get-FileHash app.zip).Hash -eq '9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08'
True

On Linux the equivalent is sha256sum, which has the -c check mode certutil lacks.

When you need a whole folder

certutil hashes one file. To check a folder you'd write a FOR loop — and you'd still be left with a wall of hashes, no diff, no record of which files were added or removed, and no single pass/fail result a scheduled task can act on. That's a verification tool you're now maintaining by hand.

The FolderManifest CLI does the folder case in two commands. Capture a SHA-256 baseline once, then verify against it — it reports additions, deletions, and modifications, and exits 0 for unchanged and 1 for drift:

foldermanifest generate "C:\Project" --format json --out project-baseline
foldermanifest verify "C:\Project" --manifest project-baseline.json
echo exit=%ERRORLEVEL%

Keep certutil for the quick one-file check; reach for a manifest when "is this whole folder intact?" is the real question. To run it nightly, see automating folder verification with Task Scheduler.