MD5 Hash Check Tutorial

How to perform an MD5 hash check (for Windows users)

MD5 hash checks are performed in order to be sure that a file you have downloaded on your local computer is exactly the same as the original file. If the MD5 values for the original file and the copy on your computer are the same, this means that the file has not been hacked. Though it is not very likely, there's always a chance that someone may hack the file during the transfer from the server from which you're downloading it to the hard drive on your local computer.

In most cases you won't really have the opportunity to make such a check because in order to do it the site from which you're downloading the particular file has to provide also the MD5 checksum for the original file. Most sites don't provide the MD5 checksums for the files available for downloading. If the site has these checksums you'll be able to compare them with the MD5 checksum of the file that's already downloaded on your local computer.

Here we'll use as an example PuTTY, the application with which Windows users can connect to their hosting accounts through SSH (Secure Shell). The site of PuTTY's developer, from which you can download the application, also has the MD5 checksums for all the original files available for downloading. On the download page there is a link for the MD5 values for each of the files:

PuTTY Original MD5 Checksums

So, let's say, for example, that you want to download the installer package for all the PuTTY applications (putty-0.61-installer.exe): PuTTY, Pageant, PuTTYgen, etc. Then you want to check whether the installer file on your computer is the same (not hacked). After you download the file don't install and run the applications. First click on the md5sums link provided on the download page of the site to see the checksum for the original installer file:

PuTTY Original MD5 Checksums

As you can see from the screenshot above the MD5 checksum for the installer we downloaded in our example is the last in the list. It is a string of numbers and letters on the left side, next to the name of the file. You have to compare this string of numbers and letters with the string for the file downloaded on your local computer.

So the next step is to discover the MD5 checksum of the file on your local computer and to compare it with that of the original file. For Windows users (Windows 2000, Windows 7, XP, Vista, etc.) there is a tool that you can download from the support section of Microsoft's site. It's called File Checksum Integrity Verifier (FCIV). You can download it from there and also read the instructions on how to use it. Here we'll also give brief instructions on how to use it and perform the MD5 check.

Download the FCIV installer, run it and install FCIV in a folder on your local computer. You can use FCIV through your Windows command prompt. To start the command prompt, click on the Start button of your Windows (lower left corner), then click on Run, in the Run window that opens type cmd and click on OK.

In the command prompt the first thing you have to do is to run a command to add FCIV to the system path. If, for example, you installed FCIV in a folder called fciv on your C: drive, the command should look like this: set path=%path%;c:\fciv. If FCIV is in another directory or drive just change the path (e.g. set path=%path%;d:\programs\fciv). After you type the command in the command prompt press Enter on your keyboard to execute it.

To see the MD5 checksum of the desired file, in our example putty-0.61-installer.exe, type the following command together with the path to the file and the full name of the file itself, including the file type (e.g. .exe): fciv.exe d:\programs\putty-0.61-installer.exe. That's, of course, if putty-0.61-installer.exe is located in d:\programs. After you type the command press Enter and you'll see the checksum for the file. If you did everything right in the command prompt, the commands and the result should look similar to this:

Command Prompt

You can compare the checksum for the file on your local computer with the checksum for the original file on the site. If they are the same, everything is fine.

As we mentioned, most sites don't provide the MD5 checksums of the files they offer for downloading. It's also not likely that the file will be hacked during the download, but if the site provides the MD5 checksums of the original files, as is the case with PuTTY, and you want to be on the safe side, you can perform the check.