Windows has the ability to easily generate a hash for a given file using the Certutil.exe utility. Administrators may have previously used to this tool when they need to generate TLS certificates or to perform other tasks against AD Certificate Services. As an example of the former, this was a common task for AD FS certificates as described in this post.
To generate the file hash we will use the HashFile parameter.
Certutil HashFile Options
To see the list of options run:
CertUtil.exe -HashFile -?
The text is copied below as well to improve readability.
CertUtil.exe -HashFile -?
Usage:
CertUtil [Options] -hashfile InFile [HashAlgorithm]
Generate and display cryptographic hash over a file
Options:
-Unicode -- Write redirected output in Unicode
-gmt -- Display times as GMT
-seconds -- Display times with seconds and milliseconds
-v -- Verbose operation
-privatekey -- Display password and private key data
-pin PIN -- Smart Card PIN
-sid WELL_KNOWN_SID_TYPE -- Numeric SID
22 -- Local System
23 -- Local Service
24 -- Network Service
Hash algorithms: MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512
CertUtil -? -- Display a verb list (command list)
CertUtil -hashfile -? -- Display help text for the "hashfile" verb
CertUtil -v -? -- Display all help text for all verbs
Of particular interest is the different algorithms that are supported:
Hash algorithms: MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512
Note that this screenshot & list of algorithms was taken from a Windows 11 22H2 machine.
Certutil Hash Examples
Some examples to show the expected usage and output. In the examples below a random text file was generated. Helpfully this is called RandomFile.txt and contains a short amount of data.
Generating a SHA1 Jash
certutil.exe -HashFile .\RandomFile.txt SHA1
Generating a SHA256 Hash
certutil.exe -HashFile .\RandomFile.txt SHA256
Great – we have the hash. What happens if we make only a single change to the file? Does that tiny tweak really change the hash….
One Ping Only Please
<gratuitous link to Sir Sean Connery in the Hunt for Red October>
Recall that the original file has of RandomFile.txt was:
c49b090304e372f65deb765127916cdb2a3a24a6221b7e3e9aebe65948790185
The file’s content is shown below – note there are 19 characters and no punctuation.
Then we change the file by adding a single character – the full stop at the end of the line. This changes the character count of the file. Notepad shows that we have gone from 19 to 20 characters. You can see this along the bottom of each Notepad window.
After making that minor change to the file, note that the file hash is totally different. The new hash is indicated by the red arrow.
Bootnote
It is expected that the simple change shown above would change the resultant hash. For more details see the concept of diffusion here.
Cheers,
Rhoderick
