Check windows update file integrity
I have to update offline Windows systems frequently.
So I download the update file (KB) from the Windows website and run the file on the systems.
I would like to know if there is a recommended way to check the integrity of a Windows update file (KB). My purpose is to be sure that the file is correct and has not been modified in one way or another before applying it.
So I need something like an official MD5 signature as a reference value to compare with the signature of the downloaded file, but I can't find anything like that.
Solution 1:
All Windows Update files (.exe, .msi, .msu, .cab) are signed using Authenticode – the data hash together with a digital signature are embedded into the file so Windows can verify it on its own.
Through PowerShell:
    Get-AuthenticodeSignature foo.cab | Format-List
Through Cmd (only if you have the Windows 10 SDK installed):
    signtool verify /v /pa foo.msi
Through the GUI:
- Right-click the file, select "Properties" → "Digital Signatures".
- Select a signature from the list and click "Details".
In all three cases, make sure the signature is valid and comes from "Microsoft Code Signing PCA" (chaining to Microsoft Root Certificate Authority).
Note that MD5 or SHA-1 hashes on their own aren't signatures. A signature is created by the combination of a hash and a secret key (such as an Authenticode signing certificate).
Solution 2:
If you downloaded the update files through Microsoft Update Catalog:
You will see the SHA-1 of the MSU package in its file name:
The 40-character string after the underscore is its SHA-1 (Secure Hash Algorithm 1) value; this value changes if the file content is modified.
You can use this method to check whether the file is authentic, and you can use PowerShell to do it.
First, to open PowerShell: Win+R, type PowerShell, then press Ctrl+Shift+Enter.
Then you need the full path of your file and the file name. In this example, the file is downloaded to the default Downloads folder, which is C:\Users\USERNAME\Downloads. In PowerShell you can use the variable $home to represent the C:\Users\Username (your user profile) folder.
You can use the Get-FileHash cmdlet to get the hash of the file and check it against the hash in its file name by using the -eq operator. If the result is true then the file is good; if it returns false then the file is corrupted.
I will give you this example to describe the method better:
    (Get-FileHash -Path "$home\downloads\windows10.0-kb4592438-x86_95758bd6e2c3a4a98a19efaa4056213531f84f5c.msu" -Algorithm SHA1).Hash -eq "windows10.0-kb4592438-x86_95758bd6e2c3a4a98a19efaa4056213531f84f5c.msu".Split("_")[1].Substring(0,40)
It returns true, which means my file isn't corrupted.
When you use it, just replace the file name and file path with the real name and path of the file you want to check, and then you are good to go.
Solution 3:
Суомынона's answer is correct; I just want to add that you can wrap the code in a function:
    function Check-Update {
        Param(
            [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
            [ValidateNotNullOrEmpty()]
            [String]$Path
        )
        $IsGood = $false
        if ($(Test-Path $Path) -and $Path.EndsWith(".msu")) {
            # Update Catalog names the file <package>_<sha1>.msu; take the part after the underscore
            $SHA1 = [System.IO.Path]::GetFileNameWithoutExtension($Path).Split("_")[1]
            # Hash the file ourselves and compare (-eq on strings is case-insensitive)
            $Hash = (Get-FileHash -Path $Path -Algorithm SHA1).Hash
            $IsGood = $($SHA1 -eq $Hash)
            Switch ($IsGood) {
                $true  {Write-Host "Your update file: $Path is NOT corrupted"}
                $false {Write-Host "Your update file: $Path IS corrupted"}
            }
        } else {
            Write-Error -Message "Update file: $Path doesn't exist as a valid update file"
        }
    }
Paste the function into a working PowerShell session, and then you can check integrity of an update file by calling the function, e.g.:
Check-Update "$home\downloads\windows10.0-kb4592438-x86_95758bd6e2c3a4a98a19efaa4056213531f84f5c.msu"
If everything is alright it will return:
Your update file: C:\Users\Estranger\downloads\windows10.0-kb4592438-x86_95758bd6e2c3a4a98a19efaa4056213531f84f5c.msu is NOT corrupted
I hope my answer helps you. Regards.
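As an added example that is not part of any of the answers above, the following PowerShell function combines the two checks the answers describe: the SHA-1 suffix that Microsoft Update Catalog puts in the file name (Solutions 2 and 3) and the Authenticode signature and certificate chain (Solution 1). The file-name hash is chosen by whoever named the file, so on its own it only catches download corruption; the Authenticode check is what ties the file to Microsoft. The subject patterns used for the signer ("CN=Microsoft Corporation" or "CN=Microsoft Windows") and the root ("Microsoft Root Certificate Authority") are assumptions about Microsoft's current signing chain, and revocation checking is switched off because the target systems are offline; adjust both if your environment differs.

```powershell
# Added example (not from the answers above): verify a downloaded Windows Update
# package two ways - the SHA-1 in an Update Catalog file name and the Authenticode
# signature chain. Returns an object instead of writing to the host so it can be
# used in a pipeline. Assumes .msu/.cab/.exe/.msi input.
function Test-WindowsUpdateFile {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$Path
    )
    process {
        $file = Get-Item -LiteralPath $Path -ErrorAction Stop

        # Check 1: SHA-1 in the file name (Update Catalog naming: <name>_<sha1>.<ext>).
        # Only detects corruption, not tampering: an attacker can rename a file.
        # Skipped ($null) when the name carries no 40-hex-digit suffix.
        $nameHash = $null
        $hashMatches = $null
        if ($file.BaseName -match '_([0-9a-fA-F]{40})$') {
            $nameHash = $Matches[1]
            $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA1).Hash
            $hashMatches = ($actual -eq $nameHash)   # string -eq is case-insensitive
        }

        # Check 2: Authenticode signature, signer identity and chain root.
        # Status values you will see: Valid, NotSigned, HashMismatch (content modified
        # after signing), UnknownError (chain does not build to a trusted root).
        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $signer = $null
        $signerOk = $false
        $rootOk = $false
        if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
            $signer = $sig.SignerCertificate.Subject
            # Assumption: Microsoft signs updates as "Microsoft Corporation" or "Microsoft Windows".
            $signerOk = $signer -match 'CN=Microsoft (Corporation|Windows)'
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline host: no CRL/OCSP reachable
            if ($chain.Build($sig.SignerCertificate)) {
                $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
                # Assumption: the chain ends in a "Microsoft Root Certificate Authority ..." cert.
                $rootOk = $root.Subject -match 'Microsoft Root Certificate Authority'
            }
            $chain.Reset()
        }

        [pscustomobject]@{
            File              = $file.FullName
            NameSha1          = $nameHash
            NameHashMatches   = $hashMatches
            SignatureStatus   = $sig.Status
            Signer            = $signer
            SignerIsMicrosoft = $signerOk
            RootIsMicrosoft   = $rootOk
            # Trusted only if the signature is valid from Microsoft and the file-name hash,
            # when present, also matches ($null means "no hash in the name", not a failure).
            Trusted           = ($sig.Status -eq 'Valid' -and $signerOk -and $rootOk -and $hashMatches -ne $false)
        }
    }
}

# Usage: check every package in the Downloads folder before copying them to the offline hosts.
Get-ChildItem "$home\Downloads" -Include *.msu,*.cab,*.exe,*.msi -Recurse |
    ForEach-Object { Test-WindowsUpdateFile -Path $_.FullName } |
    Format-Table File, NameHashMatches, SignatureStatus, SignerIsMicrosoft, RootIsMicrosoft, Trusted
```

Run it on the machine that has Internet access, before the files are moved to the offline systems, so that the chain can be built against an up-to-date root store; a HashMismatch status means the bytes were altered after Microsoft signed them and the file should be discarded regardless of what the file-name hash says.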