Tuesday, May 15, 2012

Check SHA-1 hash on a file from Windows

Ever wonder why there are MD5 or SHA-1 checksums listed on websites with large downloads like ISOs and stuff? In case you didn't already know, it's so you can use it to verify the integrity of your download in case there was corruption. Believe me, Chrome is the worst about corrupting downloads, but other browsers can corrupt them, too. If your wondering why that ISO you burned to a CD won't boot, you better verify the checksum. As matter of fact, if the file is over 100 MB I always check it immediately after download so I don't waste any time fiddling around with a corrupt download. You can use one of many utilities to calculate the checksum of the file you downloaded and then check it against the checksum listed on the website you downloaded it from. Some websites even have an accompanying plaintext checksum file which can be downloaded separately and queried for the checksum by some programs. If the website is lamer and doesn't list an MD5, sometimes you can get them to email it to you. Calculating checksums for files is also useful for forensics and checking the integrity of files suspected to have been compromised, etc.

There are a number of algorithms used to calculate checksums, including MD5, SHA-1, CRC32, etc. On Windows I've been using WinMD5Sum/portable for a while now to compute MD5 hashes for files, but I've been looking for a solution to verify SHA-1 hashes because a particular site I use has them. A while back I found Microsoft's fciv, but Microsoft = less cool so I recently looked at number of other tools. Below is a list of pretty good ones I found but for me portable, lightweight and simple is important so my very fave is Marxio File Checksum Verifier. I'll tell more about it in a second.

Here is a list of some other ones, though which are not my personal fave:
Corz checksum/simple checksum
SFV Ninja
Hash Generator
Multihasher (My 2nd fave)

So I like Marxio File Checksum Verifier the best because:

  • It's faster than most of the ones I tested (approximate tie with Multihasher)
  • It features drag and drop
  • It's clean and simple and free
  • It has a compare with field, where you can paste the original source's sum
  • It supports a number of algorithms, including the MD5 and SHA-1 I need.
  • It shows the percentage complete so you can see the status
  • It allows you to abort calculation
  • It's portable
  • It has an Explorer right-click menu option

Here's how to get and use the basic features of Marxio FCV:

  1. Download it from Marxio's website right here
  2. Initially it's just a lone exe but after you open it the first time, an accompanying ini is created so you may want to find a home for these 2 files.
  3. Open the program and choose your checksum type
  4. Drag and drop a file you need checked
  5. Paste the original checksum you got from the source website into the Compare with field
  6. If you see a checkmark, your file's sum matches that of the original and all is well

If you want things even simpler, you can click the green arrow and make Marxio FCV go into minibar mode. Or if you want to play with a bajillion tweaks, click the gear button and try things like unchecking Enable stay on top or choosing Other settings>Application thread priority. Also, try some of the other buttons like the clipboard transfer and the option to create a checksum file for more fun.

If you want to have an Explorer right-click menu item for Marxio FCV, enable this via Gear Menu>Shell integration and default action>Enable/Disable or change title. Beware if you do this, however, because the program becomes less portable. Moving the executable will then break your right-click menu.

So anyway, now I can check my SHA-1's along with my MD5's so that is happiness!


  1. Good thing you posted this when you did, and not yesterday...I'd've thought you were painstakingly looking up possible matches for (unsalted) SHA-1 hashes of unfortunate LinkedIn, eHarmony, and Last.fm users!

  2. LOL. Try this: https://lastpass.com/linkedin/

    You can see if your password was hacked in the recent breaches but more fun is to try random weak passwords like password123 and see if they're in the list!

    1. Ouch. Looks like all of my web passwords from the past three years are in that list.


Spammy/foul language comments or those with an explicit avatar will be tossed in a 55 gallon drum and a match thrown in after them. (Oooo, now I can warm my hands!!)