Windows can easily generate a hash for a given file using the Certutil.exe utility. Administrators may have previously used this tool when generating TLS certificates or performing other tasks against AD Certificate Services. As an example of the former, this was a common task for AD FS certificates, as described in this post.
To generate the file hash we will use the HashFile parameter.
Certutil HashFile Options
To see the list of options run:
CertUtil.exe -HashFile -?
The text is copied below as well to improve readability.
CertUtil.exe -HashFile -?
Usage:
CertUtil [Options] -hashfile InFile [HashAlgorithm]
Generate and display cryptographic hash over a file
Options:
-Unicode -- Write redirected output in Unicode
-gmt -- Display times as GMT
-seconds -- Display times with seconds and milliseconds
-v -- Verbose operation
-privatekey -- Display password and private key data
-pin PIN -- Smart Card PIN
-sid WELL_KNOWN_SID_TYPE -- Numeric SID
22 -- Local System
23 -- Local Service
24 -- Network Service
Hash algorithms: MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512
CertUtil -? -- Display a verb list (command list)
CertUtil -hashfile -? -- Display help text for the "hashfile" verb
CertUtil -v -? -- Display all help text for all verbs
Of particular interest are the different hash algorithms that are supported:
Hash algorithms: MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512
Note that this screenshot and list of algorithms were taken from a Windows 11 22H2 machine.
Certutil Hash Examples
Some examples to show the expected usage and output. In the examples below a random text file was generated; helpfully, it is called RandomFile.txt and contains a small amount of data.
Generating a SHA1 Hash
certutil.exe -HashFile .\RandomFile.txt SHA1
Generating a SHA256 Hash
certutil.exe -HashFile .\RandomFile.txt SHA256
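The two certutil commands above print the digest to the console, but in practice the value is usually copied into a comparison against a hash a vendor published next to a download. The script below, an added example and not part of the original post, parses certutil's output (both the Windows 10/11 layout shown in this post and the older layout that printed the hex in space-separated pairs), compares the result in constant time with a published digest regardless of case or spacing, and can cross-check certutil against an independent hashlib computation. The two output samples are constructed for the example; the digest in them is the RandomFile.txt SHA256 value from the post. The verify_file and certutil_hashfile helpers and the script name are assumptions for illustration.

```python
import hashlib
import hmac
import re
import subprocess
import sys

# Constructed sample of what certutil -hashfile prints on Windows 10/11: the digest on its own
# line with no spaces. The digest value is the one the post shows for RandomFile.txt.
MODERN_OUTPUT = """SHA256 hash of .\\RandomFile.txt:
c49b090304e372f65deb765127916cdb2a3a24a6221b7e3e9aebe65948790185
CertUtil: -hashfile command completed successfully.
"""

# Constructed sample in the older layout (Windows 7 / Server 2008 R2 era), where certutil
# printed the digest as space-separated hex pairs; pasting it straight into a comparison fails.
LEGACY_OUTPUT = """SHA256 hash of file .\\RandomFile.txt:
c4 9b 09 03 04 e3 72 f6 5d eb 76 51 27 91 6c db 2a 3a 24 a6 22 1b 7e 3e 9a eb e6 59 48 79 01 85
CertUtil: -hashfile command completed successfully.
"""

# Hex digest length per algorithm, used to pick the digest line out of certutil's output.
DIGEST_HEX_LENGTH = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA384": 96, "SHA512": 128}


def normalise_digest(value: str) -> str:
    """Lowercase and strip spaces so old and new certutil layouts compare equal."""
    return value.replace(" ", "").strip().lower()


def parse_certutil_hash(output: str, algorithm: str = "SHA256") -> str:
    """Pull the hex digest out of certutil -hashfile output, whichever layout was used."""
    want = DIGEST_HEX_LENGTH[algorithm.upper()]
    for line in output.splitlines():
        candidate = normalise_digest(line)
        if len(candidate) == want and re.fullmatch(r"[0-9a-f]+", candidate):
            return candidate
    raise ValueError(f"no {algorithm} digest found in certutil output")


def digest_matches(reported: str, published: str) -> bool:
    """Constant-time comparison of a computed digest against a published one."""
    return hmac.compare_digest(normalise_digest(reported), normalise_digest(published))


def python_hashfile(path: str, algorithm: str = "SHA256") -> str:
    """Independent local computation with hashlib, streamed so large files are not read at once."""
    h = hashlib.new(algorithm.lower())
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def certutil_hashfile(path: str, algorithm: str = "SHA256") -> str:
    """Run certutil.exe (Windows only) and parse its output. Hypothetical helper for this example."""
    result = subprocess.run(
        ["certutil.exe", "-hashfile", path, algorithm],
        capture_output=True, text=True, check=True,
    )
    return parse_certutil_hash(result.stdout, algorithm)


def verify_file(path: str, published: str, algorithm: str = "SHA256", use_certutil: bool = False) -> bool:
    """Hash the file and compare against the digest a vendor published alongside it."""
    computed = certutil_hashfile(path, algorithm) if use_certutil else python_hashfile(path, algorithm)
    return digest_matches(computed, published)


if __name__ == "__main__":
    # Usage (script name is an assumption): python verify_hash.py <file> <published digest> [algorithm]
    path, published = sys.argv[1], sys.argv[2]
    algorithm = sys.argv[3] if len(sys.argv) > 3 else "SHA256"
    ok = verify_file(path, published, algorithm, use_certutil=(sys.platform == "win32"))
    print("OK" if ok else "MISMATCH", algorithm, path)
    sys.exit(0 if ok else 1)
```

The digest line is found by length and character class rather than by position, because the introductory line differs between certutil versions ("hash of" versus "hash of file"). hmac.compare_digest is used instead of == so that the comparison time does not depend on where the first mismatching character sits; for a file integrity check that is a small cost for a good habit.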
Great – we have the hash. What happens if we make only a single change to the file? Does that tiny tweak really change the hash?
One Ping Only Please
<gratuitous link to Sir Sean Connery in the Hunt for Red October>
Recall that the original file hash of RandomFile.txt was:
c49b090304e372f65deb765127916cdb2a3a24a6221b7e3e9aebe65948790185
The file’s content is shown below – note there are 19 characters and no punctuation.
Then we change the file by adding a single character – the full stop at the end of the line. This changes the character count of the file: Notepad shows that we have gone from 19 to 20 characters, which you can see along the bottom of each Notepad window.
After making that minor change to the file, note that the file hash is totally different. The new hash is indicated by the red arrow.
Bootnote
It is expected that the simple change shown above would change the resultant hash: a cryptographic hash function is designed so that any change to the input, even a single character, produces a digest that looks unrelated to the original. For more details see the concept of diffusion here.
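To put a number on how much a one-character change alters the digest, the script below (an added example, not code from the post) reproduces the experiment above with hashlib: it hashes a 19-character text, appends the full stop to make it 20 characters, and counts how many of the 256 output bits and 64 hex characters changed. The text "the quick brown fox" is a constructed stand-in for the post's RandomFile.txt, so its digests differ from the values shown above. It also goes one step beyond the post by showing that the hash covers the file's bytes rather than its visible characters: the same 19 characters saved as UTF-8 and as UTF-16 hash differently, which is worth remembering when a Notepad-saved file fails to match a published digest.

```python
import hashlib

# Constructed 19-character sample with no punctuation, standing in for the post's
# RandomFile.txt; its digests therefore differ from the values shown in the post.
ORIGINAL_TEXT = "the quick brown fox"
MODIFIED_TEXT = ORIGINAL_TEXT + "."   # the single added full stop: 19 -> 20 characters

DIGEST_BITS = 256  # SHA-256 output length


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string as lowercase hex, the form certutil prints on Windows 10/11."""
    return hashlib.sha256(data).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two equal-length hex digests."""
    if len(hex_a) != len(hex_b):
        raise ValueError("digests must be the same length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def differing_hex_chars(hex_a: str, hex_b: str) -> int:
    """Number of hex positions that changed, i.e. what a reader sees when eyeballing two hashes."""
    return sum(1 for x, y in zip(hex_a, hex_b) if x != y)


def diffusion_report(original: str, modified: str, encoding: str = "utf-8") -> dict:
    """Hash both texts as the bytes an editor would write in the given encoding and measure how
    much of the digest changed. Good diffusion means roughly half of the 256 bits differ."""
    h_orig = sha256_hex(original.encode(encoding))
    h_mod = sha256_hex(modified.encode(encoding))
    return {
        "original_chars": len(original),
        "modified_chars": len(modified),
        "original_sha256": h_orig,
        "modified_sha256": h_mod,
        "hex_chars_differing": differing_hex_chars(h_orig, h_mod),
        "bits_differing": differing_bits(h_orig, h_mod),
        "bits_total": DIGEST_BITS,
    }


def encoding_changes_hash(text: str) -> bool:
    """The hash covers the file's bytes, not its characters: the same text saved as UTF-8 and as
    UTF-16 (which adds a byte-order mark and uses two bytes per character) gives different
    digests even though nothing visible changed."""
    return sha256_hex(text.encode("utf-8")) != sha256_hex(text.encode("utf-16"))


if __name__ == "__main__":
    report = diffusion_report(ORIGINAL_TEXT, MODIFIED_TEXT)
    for key, value in report.items():
        print(f"{key:>20}: {value}")
    print(f"same text, UTF-8 vs UTF-16, hash differs: {encoding_changes_hash(ORIGINAL_TEXT)}")
```

Running it shows the two 64-character digests side by side with almost every hex position changed and around half of the 256 bits flipped, which is the diffusion property the bootnote refers to: the single full stop is not "one character different" in the hash, it is a completely different hash.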
Cheers,
Rhoderick
Please include "" so
certutil.exe -HashFile .\RandomFile.txt SHA256
should be
certutil.exe -HashFile ".\RandomFile.txt" SHA256
in Windows PowerShell for it to work.