How to Hash a File on Windows: 3 Easy Methods

Introduction: three ways to hash a file on Windows

Hashing a file produces a short, fixed-length fingerprint of its exact contents. Change a single byte and the fingerprint changes completely, which is why a hash (also called a checksum) is the simplest reliable way to confirm a file is intact and unaltered — whether you are verifying a download, comparing two copies, or recording the state of evidence. The good news is that you do not need anything exotic. There are three practical ways to hash a file on Windows: the built-in certutil command, the built-in PowerShell Get-FileHash cmdlet, and a free graphical or in-browser tool for anyone who would rather not touch a command line. This guide walks through all three, with copy-paste commands and examples, then shows how to verify a download by comparing hashes.

Method 1 — certutil (Command Prompt, built in)

Every modern version of Windows includes certutil, a command-line utility that can compute a file hash with no installation. Open the Start menu, type cmd, and press Enter to launch Command Prompt. Then run:

certutil -hashfile file.zip SHA256

For example, to hash a file on your Desktop:

certutil -hashfile "C:\Users\You\Desktop\installer.exe" SHA256

certutil prints the SHA-256 hash on its own line, followed by a confirmation message. You can replace SHA256 with MD5, SHA1 or SHA512 to compute a different algorithm. Wrap the path in double quotes if it contains spaces. This method is handy when you are already at a command prompt or scripting a quick check.

Method 2 — PowerShell Get-FileHash (built in)

PowerShell ships with the Get-FileHash cmdlet, which is a little friendlier to read and defaults to SHA-256. Open the Start menu, type PowerShell, press Enter, and run:

Get-FileHash file.zip -Algorithm SHA256

For example:

Get-FileHash "C:\Users\You\Downloads\report.pdf" -Algorithm SHA256

PowerShell returns a neat table with three columns — Algorithm, Hash and Path — with the hash shown in uppercase. Because SHA-256 is the default, you can shorten the command to Get-FileHash file.zip. Use the -Algorithm switch to pick MD5, SHA1, SHA256, SHA384 or SHA512.

Method 3 — a free GUI app or in-browser tool (easiest, no command line)

Command-line tools are precise, but they are not for everyone — and they hash one file and one algorithm at a time. If you would rather just see a hash without remembering syntax, a graphical tool is the easiest option. e-Dex, a free offline Windows app from Innovativa SoftTech, lets you drag and drop a file (or a whole folder) and instantly shows MD5, SHA-1, SHA-256, SHA-512 and BLAKE3 side by side, with a one-click copy and a clear MATCH / MISMATCH comparison. It runs fully offline, so your files never leave your machine. Download the free e-Dex GUI app for desktop use. Prefer not to install anything? Use the free in-browser hash tool — drop a file onto the page and it is hashed locally in your browser, with nothing uploaded to a server. This is the friendliest route for non-technical users.

Which method should you choose?

All three produce the same hash for the same file and algorithm, so the choice is about convenience. Reach for certutil when you are already in Command Prompt or writing a batch script. Reach for PowerShell Get-FileHash when you want cleaner output or are scripting in PowerShell — it is the more modern built-in. Reach for a free GUI or in-browser tool when you want drag-and-drop simplicity, several algorithms at once, or an effortless side-by-side comparison — ideal for non-technical users and for anyone verifying many files. When you need a documented record of the result rather than a value on screen, a dedicated tool that can also produce a certificate is the better fit.

Verifying a download by comparing hashes

The most common reason to hash a file is to confirm a download arrived intact and untampered. The process is the same whichever method you use:

1. Find the official hash. Reputable download pages publish a checksum (usually SHA-256) next to the file. Note that value.
2. Hash your downloaded copy with the same algorithm using certutil, PowerShell or a free tool — for example certutil -hashfile setup.exe SHA256.
3. Compare the two values character by character. A GUI tool can do this comparison for you and report MATCH or MISMATCH.

If the hashes are identical, the file is exactly what the publisher released — safe to open. If they differ by even one character, the download is corrupted or has been tampered with in transit, and you should delete it and fetch a fresh copy from the official source. Comparing hashes is a quick habit that catches both accidental corruption and malicious substitution. For a deeper look at why this matters in investigations and legal contexts, see our guide to the role of hashing in digital forensics.

Frequently Asked Questions

How do I hash a file on Windows without installing anything?
Windows ships with two built-in ways to hash a file, so you do not need to install anything. In Command Prompt run certutil -hashfile file.zip SHA256, or in PowerShell run Get-FileHash file.zip -Algorithm SHA256. Both print the SHA-256 hash of the file. If you prefer not to use a command line, a free GUI app or an in-browser hash tool lets you drag and drop the file instead.

What is the certutil command to get a SHA-256 hash?
Open Command Prompt and run certutil -hashfile "C:\path\to\file.zip" SHA256. certutil prints the SHA-256 hash on its own line. You can swap SHA256 for MD5, SHA1 or SHA512 to compute a different algorithm. Quote the path if it contains spaces.

How do I hash a file in PowerShell?
Open PowerShell and run Get-FileHash file.zip -Algorithm SHA256. PowerShell returns a table with the algorithm, the uppercase hash value and the file path. SHA-256 is the default, so Get-FileHash file.zip alone also works. Use -Algorithm to choose MD5, SHA1, SHA256, SHA384 or SHA512.

Which hash algorithm should I use to verify a file?
Use SHA-256 for almost everything. It is the modern, collision-resistant standard and the value most download pages publish. SHA-512 and BLAKE3 are also strong choices. MD5 and SHA-1 are older and should be treated as compatibility-only for matching against legacy checksums, not as security guarantees.

How do I verify a downloaded file using its hash?
Find the official hash (checksum) published by the source, hash your downloaded copy with certutil, PowerShell or a free tool using the same algorithm, then compare the two values. If they are identical the file is intact and unaltered; if even one character differs the download is corrupted or has been tampered with and should not be trusted.

Conclusion

Hashing a file on Windows takes seconds. The built-in certutil and PowerShell Get-FileHash commands are perfect when you are at a prompt, while a free drag-and-drop tool is the easiest path for everyone else — and the quickest way to compare several algorithms or verify a download at a glance. For effortless, offline hashing with one-click comparison and exportable results, download e-Dex free — the Digital Evidence Integrity Suite, or try the in-browser hash tool right now with nothing to install.