
Windows File Integrity Powershell Script

We’ve built a quick and dirty Windows file integrity PowerShell script to help you check file integrity across a directory (recursively). We call it (un-originally) our Windows File Integrity PowerShell Script. The script generates a catalogue of file hashes and later compares those stored hashes with the current hashes of the same files. A match gives you assurance that a file has not been altered (or corrupted) since it was catalogued; a mismatch tells you to find out why.

DISCLAIMER: If you choose to use this, it’s done so at your own risk.

This version differs from the Linux Bash script we wrote for that operating system: it uses the stronger (but slower) SHA-256 algorithm where the Bash version uses the weaker (but faster) MD5. The script could be changed to use MD5, and for catching accidental corruption either algorithm is adequate, but MD5 is no longer collision-resistant, so SHA-256 is the right choice when the concern is deliberate tampering.

The Linux equivalent Bash script can be found here.

Step 1: Ensure that you can run PowerShell scripts on your computer. You may need to adjust your execution policy (for example, Set-ExecutionPolicy RemoteSigned -Scope CurrentUser allows locally created scripts to run for your account only). PowerShell tells you when a script has been blocked by the current policy and how to fix it.

Step 2: copy/paste this code snippet into a file called filehash.ps1 and store it in $HOME\ (your user profile folder, e.g. C:\Users\johnsmith\).

# filehash.ps1
# Date: 2022-01-12
#
# This script has two functions
# 1) Generate a list of file hashes for a given directory (recursively)
# 2) Verify that list against the current hashes for the files in that directory
#
# This script takes 4 arguments/parameters
# mode: one of "verify" or "generate"
# hashpath: the location to scan when generating a new hash catalogue
# file: the file to store the hashes in; when verifying, the file to read known hashes from
# filter: the files to include in the catalogue, default is *.exe, use *.* for all files

# A common use of this script would be to determine if your executable files have changed. If they have,
# it could be due to a system update, in which case generating a new hash list would be suitable.
# If it was not due to a system update, the file may have been modified by a harmful program or
# a security breach may have occurred.

# The hash catalogue should be stored separately from the machine you are running the script on (ie: usb flash).
# This ensures that the hash catalogue maintains integrity (hasn't been modified). If the hash
# catalogue is modified you will not be able to trust it.

# Catalogue generation should occur when contents change/files are added/removed to ensure that they are added
# to the catalogue for comparison. Verify mode only checks files listed in the catalogue; files added
# since the last generate run are not reported.

#Parameter/Argument defaults
param ($mode="verify", $hashpath="$HOME\", $file="$HOME\hash.sha256", $filter="*.exe")

if ($mode -eq "verify") {
  # Verify known hashes in the hash catalogue against the current files.
  $match=0
  $nomatch=0
  $missing=0
  Import-Csv $file | ForEach-Object {
    # A catalogued file that has been deleted is reported separately from a changed one.
    if (-not (Test-Path -LiteralPath $_.Path -PathType Leaf)) {
      Write-Host ($_.Path + " [MISSING] file no longer exists")
      $missing++
      return   # inside ForEach-Object, return skips to the next catalogue entry
    }
    # Use the algorithm recorded in the catalogue entry rather than assuming SHA256,
    # so a catalogue generated with another algorithm still compares correctly.
    # If the file cannot be read, Get-FileHash returns nothing and the file is flagged.
    $current = Get-FileHash -LiteralPath $_.Path -Algorithm $_.Algorithm
    if ($current -and ($current.Hash -eq $_.Hash)) {
      $match++
    } else {
      Write-Host ($_.Path + " [ERROR] hash does not match")
      $nomatch++
    }
  }
  Write-Host ("Hash Match: " + $match + " Hashes not matching: " + $nomatch + " Missing: " + $missing)
}

if ($mode -eq "generate") {
  # Create new list of file hashes in <hashpath> and store them in <file> based on <filter> criteria.
  # -File skips directories (Get-FileHash cannot hash a directory) and -Exclude keeps the catalogue
  # itself out of the listing; -Exclude matches on file name, not full path, hence Split-Path.
  # Folders you cannot read produce non-terminating errors and the rest of the scan continues.
  Get-ChildItem $hashpath -Recurse -File -Filter $filter -Exclude (Split-Path $file -Leaf) |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv $file
}

Step 3: launch powershell by typing “powershell” in the search box.

Step 4: run the script to generate the hash catalogue

PS C:\Users\johnsmith> .\filehash.ps1 -mode generate -filter *.exe -hashpath C:\

The above command generates a hash catalogue file called hash.sha256 (stored in $HOME\) covering every .exe file on the C: drive. The .\ prefix is required: PowerShell does not run scripts from the current directory by name alone.

Step 5: periodically run the script to verify your files against your hash catalogue at your discretion.

PS C:\Users\johnsmith> .\filehash.ps1 -mode verify

This command will verify the hashes in the catalogue (stored in $HOME\hash.sha256) against the current hashes for those files.

NOTE: we do not advise disabling antivirus software, and it is not necessary in order to use this script. The script does run significantly faster with on-access scanning off, because the antivirus inspects every file the script reads.

This can take a while to run, and during that time you may see file access error messages. Messages about permissions or files locked by another process can be ignored, with one caveat: a file that could not be read during generation is not in the catalogue, and a catalogued file that cannot be read during verification is reported as not matching, so the same path erroring on every run is worth a closer look.

Step 6: you can inspect the scanned files yourself by opening the catalogue (by default $HOME\hash.sha256) in Excel or a text editor. An example entry is below.

#TYPE Microsoft.Powershell.Utility.FileHash
"Algorithm","Hash","Path"
"SHA256","1B2C2B0EE2C1576E6124875E91005BC2DFC5938061B2711B5FEEFA3DF86863FE","C:\NVIDIA\DisplayDriver\362.00\Win8_WinVista_Win7_64\International\Display.Driver\dbInstaller.exe"
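Verify mode only checks files that are already in the catalogue, so a newly dropped executable is never reported. The following is an added example, not part of filehash.ps1 or the original page, that reads the catalogue format shown above and lists files present on disk but absent from the catalogue, and catalogued files that no longer exist. The default paths and filter are assumptions; point them at the same -hashpath, -file and -filter you used when generating.

```powershell
# catalogdiff.ps1 (added example; not part of the original filehash.ps1)
# Lists files on disk that are not in the catalogue, and catalogued files that
# no longer exist, which verify mode does not do. The defaults are assumptions:
# use the same values you passed to filehash.ps1 -mode generate.
param (
    $hashpath = "C:\",
    $file     = "$HOME\hash.sha256",
    $filter   = "*.exe"
)

# Paths recorded in the catalogue, as written by Export-Csv in filehash.ps1.
$catalogued = @(Import-Csv $file | ForEach-Object { $_.Path })

# Paths currently on disk under the same filter. -File skips directories and
# -ErrorAction SilentlyContinue skips folders the current user cannot read.
$ondisk = @(Get-ChildItem $hashpath -Recurse -File -Filter $filter -ErrorAction SilentlyContinue |
            ForEach-Object { $_.FullName })

# Compare-Object marks items found only in the difference set with "=>" and items
# found only in the reference set with "<="; paths present in both are omitted.
$diff = @(Compare-Object -ReferenceObject $catalogued -DifferenceObject $ondisk)
$new  = 0
$gone = 0
foreach ($entry in $diff) {
    if ($entry.SideIndicator -eq '=>') {
        Write-Host ($entry.InputObject + " [NEW] on disk but not in catalogue")
        $new++
    } else {
        Write-Host ($entry.InputObject + " [GONE] in catalogue but not on disk")
        $gone++
    }
}
Write-Host ("New files: " + $new + " Removed files: " + $gone)
```

Run it from the same PowerShell prompt as the main script (.\catalogdiff.ps1 -hashpath C:\ -filter *.exe). A [NEW] entry after a software install is expected; a [NEW] executable you cannot account for is exactly the thing the catalogue exists to surface, and it deserves the same scrutiny as a hash mismatch.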

A great way to use this script is with automation: run the verify function on a schedule in the evening and review the results in the morning. Changes listed should not be a surprise to you. If files have legitimately changed (a system update, a software install), re-catalogue them, perhaps once a week. Until you re-catalogue, every verification will keep flagging the files you have already reviewed, and files added since the last catalogue are not checked at all.
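One way to set up that nightly run, as an added example that is not part of the original page: register a Windows scheduled task that invokes filehash.ps1 in verify mode at 02:00 and appends everything it prints to a log file. The three paths are assumptions, with E:\ standing in for the removable drive holding the catalogue as the script's own comments recommend.

```powershell
# Added example (not part of the original page): register a scheduled task that
# runs filehash.ps1 in verify mode every night and appends its output to a log.
# All three paths are assumptions; E:\ is the removable drive holding the catalogue.
$script    = "$HOME\filehash.ps1"
$catalogue = "E:\hash.sha256"
$log       = "$HOME\verify.log"

# Get-Date stamps each run; *>> appends every output stream, including the
# Write-Host lines the script prints, to the log instead of a console nobody sees.
$command = "& { Get-Date; & '$script' -mode verify -file '$catalogue' } *>> '$log'"

$action   = New-ScheduledTaskAction -Execute "powershell.exe" `
                -Argument ("-NoProfile -Command `"" + $command + "`"")
$trigger  = New-ScheduledTaskTrigger -Daily -At 2am

# Wake the machine for the run and allow enough time for a full-disk hash.
$settings = New-ScheduledTaskSettingsSet -WakeToRun -ExecutionTimeLimit (New-TimeSpan -Hours 6)

# S4U runs the task under your account without storing a password and without
# you being logged on; it has no network access, which a local disk scan does not need.
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" -LogonType S4U

Register-ScheduledTask -TaskName "FileIntegrityVerify" -Action $action -Trigger $trigger `
    -Settings $settings -Principal $principal `
    -Description "Nightly file integrity check with filehash.ps1"
```

Run this once from a PowerShell prompt; afterwards, reviewing the morning's results means opening verify.log and reading the most recent block. Because the task runs without a network token, keep the catalogue on a local or removable drive rather than a network share, and remember that the USB stick must actually be plugged in at 02:00 or the run will fail to read the catalogue.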
