Abstract and introduction
PowerShell File Checksum Integrity Verifier (PsFCIV) is an enhanced PowerShell version of the legacy Microsoft FCIV.exe tool. A description of the native tool can be found in the following article: KB841290. Since the original tool wasn't developed for more than 5 years and there are needs to improve its functionality, I decided to write my own implementation of the tool by using native PowerShell.
The main purpose of PsFCIV is to track the integrity status of your files by calculating cryptographic hashes over a file (or files) and writing them into an FCIV-compatible XML database. You can then verify whether files were changed since the last check run. PsFCIV can be useful for rarely-changed files (for example, installation packages or installation images), backups and archives that should not be changed. Additionally, you can use PsFCIV to verify your files after they were moved over WAN links. Often some files become corrupted during this copy process, and you can use this tool to determine which files were corrupted.
The following features are included in PsFCIV 2.0:
- PsFCIV allows you to use multiple hash algorithms when you create the XML database. Only one (explicitly specified or automatically determined) hash algorithm can be used during the integrity verification process;
- PsFCIV allows you to use a native FCIV XML database and convert it to the new native PsFCIV format;
- PsFCIV allows you to verify only a single file, instead of all XML database entries;
- PsFCIV allows you to use a custom action for files that failed verification checks: rename for future investigation, or delete immediately;
- PsFCIV supports a special mode called “Rebuild mode” to refresh the XML database. Over time certain files can be removed, but the corresponding entries in the XML are not touched. Also, there might be new files added since the XML database was created. Rebuild mode removes unused entries and adds new entries for new files.
- PsFCIV creates a global categorized file list and assigns each file entry to an appropriate category depending on its integrity verification status. For example, if the file passes all checks, it is moved to the Ok group. If the file fails verification checks, it is moved to the Bad group. There are also special groups for files that can’t be verified. For example, if the file is locked by an external program, the file entry is moved to the Locked group. When PsFCIV finishes its job, you can use the $global:sum variable to review file categories. You can also use the “-Show” parameter to show the selected categories in a familiar GUI.
Note: these groups are logical, real files are not modified in any way.
- Resulting statistics for each logical file category after the file integrity check process;
- Detailed verbose and debug information.
PsFCIV is a database-based utility that uses an FCIV-compatible XML database file to keep all required information about a file:
- File path and name;
- File size;
- File last modification timestamp;
- One or more calculated hash values.
PsFCIV supports the following cryptographic hash algorithms: MD5, SHA1, SHA256, SHA384 and SHA512. You can calculate multiple hashes over the same file and write all of them to the XML database. When you run the command for the first time, it creates an XML database file for the specified folder or folders. When you specify an existing XML database, the command performs the file checksum verification process as follows:
- PsFCIV attempts to find a file for each record in database;
- Once the file is found, file size and last modification timestamp are compared between real file values and values stored in the XML database;
- If the real file size or modification timestamp does not match the corresponding value in the XML database, then the file is marked as bad. No hashes are verified.
Note: when you move or copy a file to another location, its LastWriteTime property is not changed.
- If the file size and last modification timestamp match the corresponding values in the XML database, PsFCIV calculates a hash over the file and verifies its value against the known good value in the XML database.
- If the file hash value comparison succeeds, the file is marked as good and PsFCIV switches to a next entry in XML database.
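The verification order described above, as an added example that is not PsFCIV's own code: metadata is compared first, and content is hashed only when size and timestamp match. The function name `Test-FileRecord`, the record property names, the `Missing` category and the sample files are assumptions made for this sketch; it needs PowerShell 4.0 or later for `Get-FileHash`.

```powershell
# Added illustration; not PsFCIV's code. Test-FileRecord and the record
# property names (Path, Size, TimeStamp, Hash) are hypothetical.
function Test-FileRecord {
    param([Parameter(Mandatory)] $Record, [string] $Algorithm = 'SHA256')
    # 1. Find the file for this record ('Missing' is a category name assumed here).
    if (-not (Test-Path -LiteralPath $Record.Path -PathType Leaf)) { return 'Missing' }
    $file = Get-Item -LiteralPath $Record.Path
    # 2. Compare size and last modification time; on mismatch mark bad, no hash computed.
    if ($file.Length -ne $Record.Size -or $file.LastWriteTimeUtc -ne $Record.TimeStamp) {
        return 'Bad'
    }
    # 3. Metadata matches: hash the content and compare with the known good value.
    try {
        $hash = (Get-FileHash -LiteralPath $Record.Path -Algorithm $Algorithm -ErrorAction Stop).Hash
    } catch {
        return 'Locked'   # simplification: any read failure is treated as a locked file
    }
    if ($hash -eq $Record.Hash) { return 'Ok' }
    return 'Bad'
}

# Constructed sample data: four small files in a fresh temporary folder.
$dir = Join-Path ([IO.Path]::GetTempPath()) ([Guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $dir | Out-Null
$records = foreach ($name in 'same.bin', 'edited.bin', 'grown.bin', 'gone.bin') {
    $path = Join-Path $dir $name
    [IO.File]::WriteAllText($path, "payload-$name")
    $item = Get-Item -LiteralPath $path
    [pscustomobject]@{
        Path = $path; Size = $item.Length; TimeStamp = $item.LastWriteTimeUtc
        Hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}

# Change the files after the baseline was recorded.
$edited = $records[1]
[IO.File]::WriteAllText($edited.Path, 'PAYLOAD-edited.bin')   # same length, new content
(Get-Item -LiteralPath $edited.Path).LastWriteTimeUtc = $edited.TimeStamp
[IO.File]::AppendAllText($records[2].Path, 'x')               # size changes
Remove-Item -LiteralPath $records[3].Path                     # file disappears

$records | ForEach-Object {
    [pscustomobject]@{ File = Split-Path $_.Path -Leaf; Status = Test-FileRecord -Record $_ }
}
Remove-Item -LiteralPath $dir -Recurse -Force
```

The `edited.bin` case keeps its recorded size and timestamp, so only the hash comparison in step 3 can catch it; `grown.bin` is rejected at step 2 without being hashed.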
Here are a few useful examples you can use:
- Start-PsFCIV -Path C:\tmp -XML DB.XML
Checks all files in C:\tmp folder by using SHA1 hash algorithm.
- Start-PsFCIV -Path C:\tmp -XML DB.XML -HashAlgorithm SHA1, SHA256, SHA512 -Recurse
Checks all files in C:\tmp folder and subfolders by using SHA1, SHA256 and SHA512 algorithms.
- Start-PsFCIV -Path C:\tmp -Include InstallPackage.msi -XML DB.XML -HashAlgorithm SHA512
Checks only InstallPackage.msi file in C:\tmp folder by using SHA512 hash algorithm.
- Start-PsFCIV -Path C:\tmp -XML DB.XML -Rebuild
Rebuilds the DB file by removing all unused entries (when an entry exists, but the file does not exist) from the XML file and adding all new files that have no records in the XML file, using the SHA1 algorithm. Existing files are not checked for integrity.
- Start-PsFCIV -Path C:\tmp -XML DB.XML -HashAlgorithm SHA256 -Action Rename
Checks all files in C:\tmp folder using SHA256 algorithm and renames files with Length, LastWriteTime or hash mismatch by adding .BAD extension to them. The 'Delete' action can be appended to delete all bad files.
- Start-PsFCIV -Path C:\tmp -XML DB.XML -Show Ok, Bad
Checks all files in C:\tmp folder using SHA1 algorithm and shows filenames that match Ok or Bad category.
- Start-PsFCIV -Path C:\temp -HashAlgorithm SHA1, SHA256, SHA512 -Online
Performs file hash calculation and passes output objects to a pipeline without using XML database.
If you find bugs or have suggestions or questions, you are welcome in the Q&A section.
03.04.2013: fixed "Include" parameter handler.
17.11.2013: fixed missing "Dispose" method on crypto provider class, fixed time zone issue and performance improvement.
12.12.2013: fixed minor bugs, several code paths moved to a C# wrapper for performance reasons.