Create a File Checksum Workflow in Windows 10/11 with CertUtil and PowerShell


Difficulty: Intermediate | Time Required: 15 minutes
Verifying file integrity is one of those simple habits that can save a lot of trouble. Whether you are downloading ISO images, scripts, drivers, ZIP archives, or deployment packages, a checksum lets you confirm that the file you received matches the file the publisher intended. This helps detect corrupted downloads and can also alert you if a file has been unexpectedly modified.
In Windows 10 and Windows 11, you already have the tools needed to build a practical checksum workflow. CertUtil is built into Windows and works well from Command Prompt, while PowerShell provides a more flexible approach with Get-FileHash. In this guide, you will learn how to generate hashes, compare them, and turn the process into a repeatable workflow you can use every day.

Prerequisites​

Before you begin, make sure you have:
  • A Windows 10 or Windows 11 PC
  • A file you want to verify
  • A published checksum from the software vendor, if available
  • Permission to open Command Prompt, Windows Terminal, or PowerShell
Note: These tools are available by default in modern versions of Windows 10 and Windows 11. No third-party software is required.

Why use checksums?​

A checksum, in this guide a cryptographic hash, is a fixed-length fingerprint computed from a file's contents. If even one byte changes, the hash value changes.
Common uses include:
  • Verifying downloaded installers or ISO files
  • Checking whether a copied backup file matches the original
  • Confirming that scripts or tools have not been altered
  • Creating an audit trail for development or deployment workflows
The most common algorithms you will see are:
  • SHA256 – recommended in most situations
  • SHA1 – still seen on older download pages, but less preferred
  • MD5 – fast but outdated for security-sensitive verification
Warning: For security and authenticity checks, prefer SHA256 or stronger algorithms when available.

Step 1: Locate the file you want to verify​

First, identify the file you want to hash.
For example:
  • C:\Users\YourName\Downloads\Windows11.iso
  • C:\Tools\app-installer.exe
  • D:\Backups\archive.zip
A simple way to get the path is:
  1. Open File Explorer
  2. Navigate to the file
  3. Hold Shift and right-click the file
  4. Choose Copy as path
This gives you the full path, which makes command-line work much easier.

Step 2: Generate a checksum with CertUtil​

CertUtil is a built-in Windows utility that can calculate file hashes from Command Prompt or Windows Terminal.
  1. Open Command Prompt or Windows Terminal
  2. Run the following command:
certutil -hashfile "C:\Users\YourName\Downloads\Windows11.iso" SHA256
  3. Press Enter
You should see output similar to this:
Code:
SHA256 hash of file C:\Users\YourName\Downloads\Windows11.iso:
d2c7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
CertUtil: -hashfile command completed successfully.

Other supported algorithms​

You can replace SHA256 with another supported algorithm if needed:
Code:
certutil -hashfile "C:\Path\To\File.zip" SHA1
certutil -hashfile "C:\Path\To\File.zip" MD5
Tip: Use SHA256 unless the publisher specifically provides a different hash.

Step 3: Generate a checksum with PowerShell​

PowerShell offers a cleaner and more script-friendly method using Get-FileHash.
  1. Open PowerShell or Windows Terminal
  2. Run:
Get-FileHash "C:\Users\YourName\Downloads\Windows11.iso" -Algorithm SHA256
  3. Press Enter
Example output:
Code:
Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          D2C7XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX       C:\Users\YourName\Downloads\Windows11.iso
This output is especially useful if you want to script, log, or automate your checksum checks later.

Save just the hash value​

If you only want the hash string:
(Get-FileHash "C:\Users\YourName\Downloads\Windows11.iso" -Algorithm SHA256).Hash
That makes comparison easier in scripts and batch workflows.

Step 4: Compare the file hash to the published checksum​

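Once you generate the checksum, compare it with the one listed by the software vendor. Take the published value from the vendor's official download page, because a checksum copied from the same unofficial location as the file says nothing about where the file came from.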
For example, if the vendor publishes:
D2C7XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And your PowerShell result shows the exact same value, the file matches.

Manual comparison tips​

  • Ignore letter case; uppercase and lowercase do not matter
  • Make sure there are no extra spaces
  • Compare the entire hash, not just the first few characters
Warning: If the values do not match, do not run the file. Download it again from the official source and verify once more.

Step 5: Create a reusable PowerShell verification workflow​

Now let’s turn this into a repeatable process.
Use this simple PowerShell script to compare a file against an expected SHA256 hash:
Code:
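# File to check and the SHA256 value published by the vendor
$file = "C:\Users\YourName\Downloads\Windows11.iso"
$expectedHash = "D2C7XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

# Stop with an error if the file cannot be read, rather than comparing against an empty value
$actualHash = (Get-FileHash -LiteralPath $file -Algorithm SHA256 -ErrorAction Stop).Hash

# -eq ignores letter case for strings; Trim() removes stray spaces from a pasted hash
if ($actualHash -eq $expectedHash.Trim()) {
    Write-Host "Hash verified successfully." -ForegroundColor Green
} else {
    Write-Host "Hash mismatch! Do not trust this file." -ForegroundColor Red
    Write-Host "Expected: $expectedHash"
    Write-Host "Actual:   $actualHash"
}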

What this script does​

  1. Defines the target file
  2. Stores the expected published hash
  3. Calculates the actual file hash
  4. Compares the two values
  5. Displays a success or failure message
This is a great foundation for verifying downloads, deployment packages, or internal release files.

Step 6: Save the script for future use​

To make the workflow reusable:
  1. Open Notepad or Visual Studio Code
  2. Paste the PowerShell script
  3. Save it as something like:
Verify-Checksum.ps1
  4. Store it in a convenient folder such as:
C:\Scripts\
To run it later:
PowerShell -ExecutionPolicy Bypass -File "C:\Scripts\Verify-Checksum.ps1"
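Note: If your environment restricts script execution, you may need a temporary execution policy override as shown above. The -ExecutionPolicy Bypass switch applies only to that one PowerShell process and does not change the policy configured on the machine.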

Step 7: Verify multiple files in a folder​

If you work with many installers, ZIP files, or release packages, you can hash multiple files at once.
Example:
Code:
Get-ChildItem "C:\Users\YourName\Downloads" -File |
Get-FileHash -Algorithm SHA256
This returns SHA256 hashes for every file in the folder.
You can also export the results:
Code:
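# Skip the report itself so an earlier FileHashes.csv is not hashed into the new one
Get-ChildItem "C:\Users\YourName\Downloads" -File |
Where-Object Name -ne "FileHashes.csv" |
Get-FileHash -Algorithm SHA256 |
Export-Csv "C:\Users\YourName\Downloads\FileHashes.csv" -NoTypeInformation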
This is useful for:
  • Software packaging
  • Internal file validation
  • Backup verification
  • Developer release tracking

Step 8: Build a simple checksum manifest​

For a more complete workflow, create a manifest file containing filenames and hashes.
Example:
Code:
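# Skip the manifest itself so an earlier copy is not hashed into the new manifest
Get-ChildItem "C:\ReleaseFiles" -File |
Where-Object Name -ne "ChecksumManifest.csv" |
ForEach-Object {
    $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    [PSCustomObject]@{
        FileName = $_.Name
        SHA256   = $hash
    }
} | Export-Csv "C:\ReleaseFiles\ChecksumManifest.csv" -NoTypeInformation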
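This gives you a reusable record of file integrity at a specific point in time. Keep a copy of the manifest somewhere separate from the files it describes, since anyone who can change a file in the folder can also change a manifest stored beside it.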
Later, you can compare current files to the saved manifest as part of a deployment or archive validation process.
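The comparison against a saved manifest described above, as an added example that is not part of the original tutorial. The function name Test-ChecksumManifest, the temporary demo folder and its file names are hypothetical; the manifest layout (FileName, SHA256 columns) is the one produced in Step 8.

```powershell
# Added example: check a folder against a manifest with FileName and SHA256 columns.
function Test-ChecksumManifest {
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $rows = @(Import-Csv -LiteralPath $ManifestPath)
    foreach ($row in $rows) {
        $path = Join-Path $Folder $row.FileName
        $actual = $null
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $status = 'Missing'
        } else {
            $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            # String -eq is case-insensitive; Trim() drops stray whitespace in the CSV
            $status = if ($actual -eq $row.SHA256.Trim()) { 'OK' } else { 'Mismatch' }
        }
        [PSCustomObject]@{ FileName = $row.FileName; Status = $status; Actual = $actual }
    }
    # Report files on disk that the manifest does not list (the manifest itself excluded)
    $listed = @($rows | ForEach-Object { $_.FileName })
    $manifestName = Split-Path -Leaf $ManifestPath
    Get-ChildItem -LiteralPath $Folder -File |
        Where-Object { $_.Name -ne $manifestName -and $listed -notcontains $_.Name } |
        ForEach-Object {
            [PSCustomObject]@{ FileName = $_.Name; Status = 'Unlisted'; Actual = $null }
        }
}

# Constructed demo data in a temporary folder; file names are hypothetical
$demo = Join-Path ([IO.Path]::GetTempPath()) ("manifest-demo-" + [Guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
foreach ($name in 'a.txt', 'b.txt', 'c.txt') {
    Set-Content -LiteralPath (Join-Path $demo $name) -Value "contents of $name"
}
# Hash first, write the manifest afterwards, so the manifest never lists itself
$entries = Get-ChildItem -LiteralPath $demo -File | ForEach-Object {
    $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    [PSCustomObject]@{ FileName = $_.Name; SHA256 = $h }
}
$manifest = Join-Path $demo 'ChecksumManifest.csv'
$entries | Export-Csv -LiteralPath $manifest -NoTypeInformation
# Simulate drift: change one file, delete one, add one that was never listed
Add-Content -LiteralPath (Join-Path $demo 'a.txt') -Value 'tampered'
Remove-Item -LiteralPath (Join-Path $demo 'b.txt')
Set-Content -LiteralPath (Join-Path $demo 'd.txt') -Value 'new file'

Test-ChecksumManifest -Folder $demo -ManifestPath $manifest | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

To run the same check on real data, pass the release folder as -Folder and its ChecksumManifest.csv as -ManifestPath, and treat any status other than OK as a reason to stop the deployment.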

Tips and troubleshooting​

Tip: Use Windows Terminal for convenience​

On Windows 11 and current Windows 10 builds, Windows Terminal makes it easy to switch between Command Prompt and PowerShell in one window.

Tip: Prefer PowerShell for automation​

CertUtil is excellent for quick checks, but PowerShell is better if you want to:
  • Compare expected and actual hashes
  • Process folders
  • Export results
  • Build automated verification scripts

Troubleshooting: “File not found”​

If you see a file path error:
  • Confirm the file still exists
  • Make sure the path is correct
  • Enclose the full path in quotation marks
Example:
Get-FileHash "C:\My Files\setup.exe" -Algorithm SHA256

Troubleshooting: Script execution is blocked​

If PowerShell blocks your script, try running:
PowerShell -ExecutionPolicy Bypass -File "C:\Scripts\Verify-Checksum.ps1"
If you are in a managed business environment, your organization’s policy may restrict scripts.

Troubleshooting: Hash does not match​

If your hash differs from the published value:
  • Re-download the file from the official source
  • Make sure you used the correct algorithm
  • Confirm the published checksum applies to the exact file version
  • Avoid mirrors unless they are vendor-approved
Warning: A mismatch can mean corruption, tampering, or simply that you downloaded a different build. Always investigate before using the file.

Windows version notes​

This workflow applies to:
  • Windows 10
  • Windows 11
CertUtil has been available in Windows for many years, and Get-FileHash is included in modern PowerShell versions commonly shipped with Windows 10 and Windows 11.
If you are using PowerShell 5.1 or later, the commands in this guide should work as written on most systems.

Conclusion​

Creating a checksum workflow in Windows is a quick but valuable upgrade to your daily toolkit. With CertUtil, you can verify files in seconds using built-in commands. With PowerShell, you can go further by comparing expected hashes, checking entire folders, and exporting results for documentation or auditing.
For anyone working with downloads, deployments, backups, or development files, checksum verification adds confidence and helps catch problems before they become bigger issues.
Key Takeaways:
  • Windows 10 and Windows 11 include built-in tools for file hash verification
  • CertUtil is ideal for quick manual checksum checks
  • Get-FileHash in PowerShell is better for automation and repeatable workflows
  • SHA256 is the preferred algorithm for most verification tasks
  • A saved script or manifest can turn one-off checks into a reliable integrity process

This tutorial was generated to help WindowsForum.com users get the most out of their Windows experience.
 
