I have a confession to make. For many years I blindly downloaded files from various web sites, some known but others less known, and eagerly installed these packages on my computer. This is dumb. How do I know if this file is really the one that the site owner intended me to get? How do I know the file wasn’t maliciously replaced with a malware-ridden payload? How do I know if the download was really accurate and I got 100% of the data? Now, I’ve seen the file description showing the file size it should be and even the timestamp with a date I can match. But these two things alone aren’t enough to accurately verify the file I downloaded is the real deal. Here’s where my ignorance and embarrassment come in. I didn’t know what to do with the MD5 or SHA-1 information the website gave me. So consider this post a PSA to check the integrity of downloaded files. It’s actually super easy and fast too. Here’s how I do it; gone are the days of ignorance and embarrassment.
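To illustrate why size and timestamp are not enough, here is an added example (not part of the original post, and not FCIV itself): a Python sketch in which two files share the same size and timestamp, yet only one matches the published SHA-1. The file names, contents and the "published" value are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def file_digest(path, algorithm="sha1", chunk_size=64 * 1024):
    """Hash a file in chunks so a large download need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def matches_published(path, published_hex, algorithm="sha1"):
    """Compare with the digest a site lists, ignoring case and stray spaces."""
    expected = published_hex.strip().lower().replace(" ", "")
    return file_digest(path, algorithm) == expected

def demo():
    # Constructed sample data: a "genuine" file and a copy with one bit flipped.
    genuine = b"setup package contents v1.0\n" * 1000
    tampered = bytearray(genuine)
    tampered[5000] ^= 0x01  # the length stays exactly the same
    # Stand-in for the value a download page would list (constructed here).
    published = hashlib.sha1(genuine).hexdigest().upper()
    with tempfile.TemporaryDirectory() as workdir:
        good = os.path.join(workdir, "setup_genuine.bin")
        bad = os.path.join(workdir, "setup_tampered.bin")
        for path, data in ((good, genuine), (bad, bytes(tampered))):
            with open(path, "wb") as f:
                f.write(data)
            # Give both files an identical timestamp.
            os.utime(path, (1_500_000_000, 1_500_000_000))
        return {
            "same_size": os.path.getsize(good) == os.path.getsize(bad),
            "same_mtime": os.path.getmtime(good) == os.path.getmtime(bad),
            "genuine_ok": matches_published(good, published),
            "tampered_ok": matches_published(bad, published),
        }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```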
Enter an older but trusty command-line tool from Microsoft called File Checksum Integrity Verifier (FCIV). I like this tool because 1) it’s free, 2) it’s command-line based and 3) it’s easy to use. Microsoft offers no support for using this tool, but don’t worry, it’s quite easy to install and use. FCIV will run on Windows Server 2000 and newer and desktops running Windows XP and newer. Here’s how to do the basics.