Calculating a hash value for a file with Get-FileHash

Have a dream? Start learning your way toward it with courses from $12.99. Shop now for extra savings1px

The PowerShell cmdlet Get-FileHash provides a cryptographic hash function that will allow you to determine a hash value of a file on a Microsoft Windows system. By default, the cmdlet uses the SHA-256 hash function, but you can specify other functions, such as MD5, using the -Algorithm parameter. You can change the output to a list format by piping the output of the cmdlet to Format-List.

PS C:\users\public\downloads> Get-FileHash ".\rel_x64_Xming-7-7-1-1-setup.exe"

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          B7B4C0A191E315686A2481DCC8BBB27D6D7A156FBF689768E48CF08207B86560       C:\users\public\downloads\rel...


PS C:\users\public\downloads> Get-FileHash ".\rel_x64_Xming-7-7-1-1-setup.exe" | Format-List


Algorithm : SHA256
Hash      : B7B4C0A191E315686A2481DCC8BBB27D6D7A156FBF689768E48CF08207B86560
Path      : C:\users\public\downloads\rel_x64_Xming-7-7-1-1-setup.exe



PS C:\users\public\downloads> Get-FileHash -Algorithm MD5 ".\rel_x64_Xming-7-7-1-1-setup.exe"

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
MD5             BA200636A596A84E0877901CE89D1C2E                                       C:\users\public\downloads\rel...


PS C:\users\public\downloads>

Other cryptographic hash functions are supported as well; the supported hash functions are as follows:

The calculated value should be unique to a particular file. Such values are often used to determine if a file contains malware. E.g., if a hash value has been determined previously for a file elsewhere and the calculated hash value matches for a file you want to check, then you can usually assume the files are identical and if a file with that hash value was found to contain malware then you don't need to scan the file in question as it should be identical to the one used for the previous scan. I say "usually" since with the MD5 and SHA1 algorithms there is the possibility of a "collision," i.e., it is possible that calculations done on dissimilar files might yield the same hash value, which is why using one of the other hash function is preferable.

Google's VirusTotal website at virustotal.com will scan files you upload to the site with multiple antivirus programs. When you upload a file to the site, VirusTotal will first calculate a hash value for the file to determine if it has previously scanned the file. If it has done so, you can view the results of the last previous scan, or you can choose to have the file reanalyzed. If you calculate the SHA256 hash with Get-FileHash, you can use the calculated value with the site's search by URL, IP address, domain or file hash option to determine if the file was previously scanned rather than uploading the file. If it was previously scanned, you can view the prior scan results. You can also put the value at the end of https://www.virustotal.com/gui/file/, e.g., https://www.virustotal.com/gui/file/B7B4C0A191E315686A2481DCC8BBB27D6D7A156FBF689768E48CF08207B86560 to check for prior scan results. You don't need to worry about the case of the letters in the hash value, i.e.. whether they are uppercase or lowercase letters.