Scripting: Calculate File Hashes
Windows has two easy ways to generate the hash of a file:
certutil -hashfile c:\windows\explorer.exe
SHA1 hash of c:\windows\explorer.exe:
CertUtil: -hashfile command completed successfully.
powershell get-filehash -algorithm sha1 c:\Windows\explorer.exe
Both are easy to parse in a command processor script.
But which is faster?
We ran a trial on 3,486 files totalling 1,633,122,384 bytes, using a Windows 10 system with an Intel Core i7-8550U 1.80GHz processor and solid state drive. The script output was not echoed to the console.
Certutil completed in 133 seconds, PowerShell took 1,368 seconds. However this test was conducted by calling each executable once per file in a loop. Despite powershell.exe being smaller than certutil.exe, it takes significantly longer to bootstrap, because “PowerShell” is not just a single executable. So calling powershell.exe in a loop is very inefficient. When using powershell get-filehash *.* (ie. with wildcards), the operation took less than 10 seconds because it was not necessary to bootstrap PowerShell each time. CertUtil does not support wildcards.
Therefore, in a script environment to hash a single file, CertUtil is faster. If hashing many files in a single session, PowerShell is faster. In a native PowerShell script, using get-filehash will be faster than spawning an instance of CertUtil.exe.