A useful file integrity checker

If you’re thinking of downloading a program or update (cough, Vista SP1, cough) from a source other than the official one, you really want to make sure you’re getting the real deal and not some virus-infested fake.

One way to increase your chances of getting a legitimate download is to compare the MD5 checksum of the file you download against an MD5 checksum for the file, published by a known and trusted source.

An MD5 checksum is a mathematical hash of a file that reduces it to a series of numbers and letters. If even a single bit is changed, the hash won’t match and you should be suspicious.

So, how do you compute an MD5 checksum? There are lots of tools available. I use Microsoft’s File Checksum Integrity Verifier, which is a command line tool. Unzip it into your downloads folder or some other easy-to-access location, open a Command Prompt window, and run the FCIV command, adding the name of the file you downloaded as the only argument. The result looks like this:


Compare that long alphanumeric string to the one from the known good source. If they match, you can be confident that the file you got is the same as the one you read about it. If they don’t match, hit the Delete button.

Hint: My Vista SP1 FAQ at ZDNet has the checksums for the x86 and x64 versions of the newly released Vista SP1 standalone updater.

Update: As Peter Ortner notes in the comments, you can (and should) also check the digital signature of any executable file to make sure it’s from the source it claims to be from. The signature doesn’t tell you the file is safe, only that it hasn’t been tampered with since it was signed. If you right-click an executable file that has been digitally signed, you’ll see a Digital Signatures tab:


Click the Details button for more information. For the Vista SP1 standalone installer, you should see this:


Digital signatures are definitely your friend.

9 thoughts on “A useful file integrity checker

  1. Oh, and remember boys and girls, if the copy/paste “improvements” in Vista are still to slow for your needs, there’s always rocket-fast Robocopy which now comes included in Vista, or the great Syncback copy program, either the freeware version, or the reasonably priced paid version. (don’t be so cheap…support these folks!) No I do not work for them!

    It’s super-fast, and has a easy to use goof-proof GUI which has kept me from making some major boo-boos.

  2. One can also verify the digital signature to ensure the authenticity of a file. All the updates released by MS in the last few years are digitally signed, and a good percentage of other files are as well.

  3. Tomer, good question!

    The short answer is, I didn’t. However, it was (a) from a trusted source that I was confident had not been spoofed and (b) was digitally signed with a signature that I was able to verify. So I felt pretty good about it.

    In fact, those two steps alone would be sufficient for most downloads. The chksum requirement is really most crucial when downloading from a source that might not be trustworthy and when the download itself might be corrupted. Of course, if the digital signature passes the check, it’s a great sign, but the chksum verification goes another step further.

  4. Filealyzer (safer-networking.org) is also convenient. Verify a file with a right click menu option, Though the microsoft command line tool isn’t that much more effort. – good luck.

Comments are closed.