The PowerShell cmdlet Get-FileHash provides a cryptographic hash function that will allow you to determine a hash value of a file on a Microsoft Windows system. By default, the cmdlet uses the SHA-256 hash function, but you can specify other functions, such as MD5, using the -Algorithm parameter. You can change the output to a list format by piping the output of the cmdlet to Format-List.

PS C:\users\public\downloads> Get-FileHash ".\rel_x64_Xming-7-7-1-1-setup.exe"

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          B7B4C0A191E315686A2481DCC8BBB27D6D7A156FBF689768E48CF08207B86560       C:\users\public\downloads\rel...

PS C:\users\public\downloads> Get-FileHash ".\rel_x64_Xming-7-7-1-1-setup.exe" | Format-List

Algorithm : SHA256
Hash      : B7B4C0A191E315686A2481DCC8BBB27D6D7A156FBF689768E48CF08207B86560
Path      : C:\users\public\downloads\rel_x64_Xming-7-7-1-1-setup.exe

PS C:\users\public\downloads> Get-FileHash -Algorithm MD5 ".\rel_x64_Xming-7-7-1-1-setup.exe"

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
MD5             BA200636A596A84E0877901CE89D1C2E                                       C:\users\public\downloads\rel...

PS C:\users\public\downloads>

Other cryptographic hash functions are supported as well; the supported hash functions are as follows:
The calculated value should be unique to a particular file. Such values are often used to determine if a file contains malware. E.g., if a hash value has been determined previously for a file elsewhere and the hash value you calculate for a file you want to check matches it, then you can usually assume the files are identical. If a file with that hash value was found to contain malware, then you don't need to scan the file in question, as it should be identical to the one used for the previous scan. I say "usually" since with the MD5 and SHA1 algorithms there is the possibility of a "collision," i.e., it is possible that calculations done on dissimilar files might yield the same hash value, which is why using one of the other hash functions is preferable.
Google's VirusTotal website at virustotal.com will scan files you upload to the site with multiple antivirus programs. When you upload a file to the site, VirusTotal will first calculate a hash value for the file to determine if it has previously scanned the file. If it has done so, you can view the results of the previous scan, or you can choose to have the file reanalyzed. If you calculate the SHA256 hash with Get-FileHash, you can use the calculated value with the site's "search by URL, IP address, domain or file hash" option to determine if the file was previously scanned rather than uploading the file. If it was previously scanned, you can view the prior scan results. You can also put the value at the end of https://www.virustotal.com/gui/file/, e.g., https://www.virustotal.com/gui/file/B7B4C0A191E315686A2481DCC8BBB27D6D7A156FBF689768E48CF08207B86560 to check for prior scan results. You don't need to worry about the case of the letters in the hash value, i.e., whether they are uppercase or lowercase letters.
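
The comparison against a previously known hash value and the VirusTotal lookup URL described above can be combined in one small function. This is an added example, not code from the original page; the function name Test-PublishedFileHash, its parameters and the three-byte sample file are hypothetical and constructed for the demonstration.

```powershell
# Added example: function name, parameters and sample file are hypothetical.
function Test-PublishedFileHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedHash,
        # MD5 and SHA1 are left out because of the collision possibility noted above.
        [ValidateSet('SHA256', 'SHA384', 'SHA512')] [string] $Algorithm = 'SHA256'
    )

    # Strip whitespace that tends to come along when a hash is copied from a web page.
    $expected = $ExpectedHash -replace '\s', ''
    if ($expected -notmatch '^[0-9a-fA-F]+$') {
        throw "Expected hash is not a hexadecimal string: '$ExpectedHash'"
    }

    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm -ErrorAction Stop).Hash

    [pscustomobject]@{
        Path          = (Resolve-Path -LiteralPath $Path).Path
        Algorithm     = $Algorithm
        Hash          = $actual
        # -eq on strings ignores case, so a lowercase published value still matches.
        Match         = ($actual -eq $expected)
        # URL form shown above; built only for SHA256, the algorithm the page uses there.
        VirusTotalUrl = if ($Algorithm -eq 'SHA256') {
            "https://www.virustotal.com/gui/file/$actual"
        } else { $null }
    }
}

# Constructed sample: a temporary file holding the three ASCII bytes "abc",
# whose SHA-256 value is the standard published test vector below.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'hash-demo.bin'
[System.IO.File]::WriteAllBytes($sample, [byte[]](0x61, 0x62, 0x63))
$published = 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad'

# File checked against the published value, given in lowercase.
Test-PublishedFileHash -Path $sample -ExpectedHash $published | Format-List

# Same file checked against a published value with its first character altered.
Test-PublishedFileHash -Path $sample -ExpectedHash ('0' + $published.Substring(1)) | Format-List

Remove-Item -LiteralPath $sample
```

The Match property tells you whether the file is the one the published hash describes; opening VirusTotalUrl in a browser shows any prior scan results without uploading the file.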