I have a confession to make. For many years I blindly downloaded files from various web sites, some known but others less known and eagerly installed these packages on my computer. This is dumb. How do I know if this file is really the one that the site owner intended me to get? How do I know the file wasn’t maliciously replaced with malware ridden payload? How do I know if the download was really accurate and I got 100% of the data? Now, I’ve seen the file description showing the file size it should be and even the timestamp with a date I can match. But these two things alone aren’t enough to accurately verify the file I downloaded is the real deal. Here’s where my ignorance and embarrassment comes in. I didn’t know what to with the MD5 or SHA-1 information the website gave me. So consider this post as a PSA to check the integrity of files downloaded. It’s actually super easy and fast too. Here’s how I do it and gone are the days of ignorance and embarrassment.
Enter an older but trusty command line tool from Microsoft called File Checksum Integrity Verifier. I like this tool because 1) it’s free, 2) it’s command line based and 3) it’s easy to use. Microsoft offers no support for using this tool but don’t worry, it’s quite easy to install and use. FCIV will run on Windows Server 2000 and newer and desktops running Windows XP and newer. Here’s how to do the basics.
- Download the installer. Grab the exe named Windows-KB841290-x86-ENU.exe
- Create a new folder where you want to run FCIVfrom. This could be something like c:\fciv or c:\users\downloads\fciv
- Double click on the installer file to launch it and agree to the end user license
- Extract the files into the folder you just made. FCIVis very lightweight and doesn’t really “install” but just runs a simple exe from a folder.
- The files are quickly extracted and you can click ok when finished
- You should see two files in the folder: a readme text file and the fciv.exe
- This step is optional but useful. Unless you want to navigate to the actual path where fciv.exe is located every time you run it, a time saver will be to add the filepath for fciv.exe to your system path so you can simply type fciv.exe
- To set the system path in Windows 10, go to System (Control Panel) > click Advanced system settings > Click Environment Variables > Under System Variables, select Path > Click Edit to add a new System Variable. Paste in the file path to where fciv.exe is located
- Open aCMD prompt and if everything is working at this point you can type fciv -? to run the help. (Remember to change directories to where you have fciv.exe if you didn’t set your path)
With the install done and verified, you’re now ready to start verifying checksums. Fistbump!
Let’s say you are downloading Xtract for VMs from the Nutanix portal. Among the file details like name, date and size, you will see the MD5 value of 0583d7438437cfd0382df1173556a1a0. FCIV will validate that the file downloaded matches the MD5 listed here to provide assurance you have the right file. Additionally, it will help ensure you have ALL of the file. More than once I’ve downloaded a file only to find it was incomplete generating an error when starting to install.
Once the file is downloaded, just note the directory it is in and follow these steps:
- Open a command promt
- type fciv.exe [path-to-file]\[filename] which in my case is fciv.exe C:\Users\GELHAR\Downloads\Nutanix\xtract-vm-1.1.4-release
- Press enter and the process of calculating the MD5 hash begins. In this example, no extra options were specified and by default FCIV uses MD5. If you have a SHA1 hash to verify, just add the -sha1 options like this: fciv.exe [path-to-file]\[filename] -sha1
Time to calculate varies by file size but in a few short moments, FCIV displays the hash value for the file
And with that, you can see that the MD5 value 0583d7438437cfd0382df1173556a1a0 originally given is the same as the output of FCIV and this file is now validated.
FCIV can do a few other pretty cool things. You can use it to get the hash of a file you’ve created, like source code text or an epic Excel sheet and store that hash in a database to ensure it stays secure and unmodified. See this link to get the info on this and more on FCIV.
With the brief info shown here, you can now be sure of the content being downloaded matches what the author intended and you’re doing admin 101 by performing the checksum validation. When it comes to MD5 or SHA1 checksums you can now keep calm and hash on!