Microsoft File Checksum Integrity Verifier (FCIV)
I recently came across a very useful Microsoft tool (FCIV) that can compute and store (as XML) checksums (MD5, SHA1 or both hashes) of folders/files you want and can also be used to later on verify the checksum lists to see if they’ve been tampered with.
Would be nice to have a GUI wrapper around that tool that would also cooperate with the task scheduler to run regular checks of sensitive files.
You can get FCIV from http://www.microsoft.com/download/en/details.aspx?id=11533 (after unpacking it at some folder you can checkout the tool parameters by typing fciv or fciv /? at the command line – of course you can use fciv | more to see the syntax page by page).
You can read more regarding that (unsupported) Microsoft tool at http://support.microsoft.com/kb/841290
Microsoft (R) File Checksum Integrity Verifier V2.05 README file
1.What is File Checksum Integrity Verifier (FCIV)?
4.Database storage format.
1.What is fciv?
Fciv is a command line utility that computes and verifies hashes of files.
It computes a MD5 or SHA1 cryptographic hash of the content of the file.
If the file is modified, the hash is different.
With fciv, you can compute hashes of all your sensitive files.
When you suspect that your system has been compromised, you can run a verification to determine which files have been modified.
You can also schedule verifications regularily.
– Hash algorithm: MD5 , SHA1 or both ( default MD5).
– Display to screen or store hash and filename in a xml file.
– Can recursively browse a directory ( ex fciv.exe c:\ -r ).
– Exception list to specify files or directories that should not be computed.
– Database listing.
– hashes and signature verifications.
– store filename with or without full path.
Usage: fciv.exe [Commands] <Options>
Commands: ( Default -add )
-add <file | dir> : Compute hash and send to output (default screen).
-r : recursive.
-type : ex: -type *.exe.
-exc file: list of directories that should not be computed.
-wp : Without full path name. ( Default store full path)
-bp : base path. The base path is removed from the path name of each entry
-list : List entries in the database.
-v : Verify hashes.
: Option: -bp basepath.
-? -h -help : Extended Help.
-md5 | -sha1 | -both : Specify hashtype, default md5.
-xml db : Specify database format and name.
To display the MD5 hash of a file, type fciv.exe filename
fciv.exe c:\ -r -exc exceptions.txt -sha1 -xml dbsha.xml
fciv.exe c:\mydir -type *.exe
fciv.exe c:\mydir -wp -both -xml db.xml
List hashes stored in database:
fciv.exe -list -sha1 -xml db.xml
fciv.exe -v -sha1 -xml db.xml
fciv.exe -v -bp c:\mydir -sha1 -xml db.xml
4.Database storage format:
The hash is stored in base 64.
<?xml version="1.0" encoding="utf-8"?>
You can build a hash database of your sensitive files and verify them regularily or when you suspect that your system
has been compromised.
It checks each entry stored in the db and verify that the checksum was not modified.
Fciv 1.2 : Added event log.
Fciv 1.21: Fixed bad keyset error on some computers.
Fciv 1.22: Added -type option. Support up to 10 masks. *.exe *.dll …
Fciv 2.0: xml as unique storage. Added -both option.
Fciv 2.01: Exit with error code to allow detections of problem in a script.
Fciv 2.02: Improved perfs. When both alg are specified, it’s now done in one pass.
Fciv 2.03: Added -wp and -bp options. Fciv now stores full path or relatives paths.
Fciv 2.04: Removed several options to simplify it.
Fciv 2.05: Added success message if the verification did not detect any errors.