Just a quick note in the interests of software trust and security: there’s a great built-in tool in Windows 10 that we can use to check files we download to make sure they haven’t been tampered with or otherwise adulterated. We don’t need to worry about using untrusted bits to check our untrusted bits any more, and we can toss the legacy FCIV.exe in the recycling bin. This built-in checker included in the Windows 10 distro will calculate all of the most common hashes used these days, such as MD5, SHA1, SHA256, and SHA512.

For example, at Command Prompt, just run

certutil -hashfile "C:\VeraCrypt Portable 1.23.exe" sha256

to check your portable VeraCrypt file. The “certutil” tool is very powerful and has a myriad of other uses, but the full help info for “certutil -hashfile” is pretty straightforward:

Microsoft Windows [Version 10.0.17134.345]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>certutil -hashfile -?
Usage:
  CertUtil [Options] -hashfile InFile [HashAlgorithm]
  Generate and display cryptographic hash over a file

Options:
  -Unicode          -- Write redirected output in Unicode
  -gmt              -- Display times as GMT
  -seconds          -- Display times with seconds and milliseconds
  -v                -- Verbose operation
  -privatekey       -- Display password and private key data
  -pin PIN                  -- Smart Card PIN
  -sid WELL_KNOWN_SID_TYPE  -- Numeric SID
            22 -- Local System
            23 -- Local Service
            24 -- Network Service

Hash algorithms: MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512

CertUtil -?              -- Display a verb list (command list)
CertUtil -hashfile -?    -- Display help text for the "hashfile" verb
CertUtil -v -?           -- Display all help text for all verbs


C:\WINDOWS\system32>


For purposes of checksum verification (i.e., the “-hashfile” verb), it seems to be portable (you can find certutil.exe in C:\Windows\System32), meaning we should be able to build it into WinPE images, discreetly carry it in the event anyone should try to coerce us into installing untrustworthy software, etc.
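
The command above only prints the hash; comparing it by eye against the publisher's value is the error-prone part. One way to make that comparison a pass/fail check from Command Prompt, as an added example that is not part of the original post (the script name verify-hash.cmd, its messages and its exit codes are assumptions made for illustration):

```batch
@echo off
rem verify-hash.cmd: added example, not from the original post.
rem Usage: verify-hash.cmd <file> <expected-sha256-from-publisher>
rem Exit codes (assumed convention): 0 = match, 1 = mismatch, 2 = could not check.
setlocal

if "%~2"=="" goto :usage
if not exist "%~1" goto :nofile

rem Published checksum, with any spaces removed.
set "expected=%~2"
set "expected=%expected: =%"

rem certutil prints a header line, then the hash, then a status line.
rem Skip the header and keep only the first remaining line.
set "actual="
for /f "skip=1 delims=" %%L in ('certutil -hashfile "%~1" SHA256') do (
    if not defined actual set "actual=%%L"
)
if not defined actual goto :nohash

rem Some older Windows releases print the hash as space-separated bytes.
set "actual=%actual: =%"

rem Reject anything that is not exactly 64 hex digits (e.g. an error message).
echo %actual%| findstr /r /i "^[0-9a-f]*$" >nul || goto :nohash
if "%actual:~63,1%"=="" goto :nohash
if not "%actual:~64,1%"=="" goto :nohash

rem Hex case differs between publishers, so compare case-insensitively.
if /i "%actual%"=="%expected%" (
    echo MATCH    %actual%
    exit /b 0
)
echo MISMATCH
echo   expected: %expected%
echo   actual:   %actual%
exit /b 1

:usage
echo Usage: %~nx0 ^<file^> ^<expected-sha256^>
exit /b 2
:nofile
echo File not found: %~1
exit /b 2
:nohash
echo Could not read a SHA256 hash from certutil output.
exit /b 2
```

The expected value should come from a source separate from the download itself, such as the publisher's site over HTTPS or a signed checksum file; a checksum fetched alongside a tampered file proves nothing.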
