Learn What IT Pros Need to Know About Windows 11 - August 26th at 1 PM ET! Learn What IT Pros Need to Know About Windows 11 - August 26th at 1 PM ET!

Validate the Integrity of Installation Media


In this Ask the Admin, I’ll show you how to be sure the source media you use to install software in your business hasn’t been tampered with.


Sponsored Content

Read the Best Personal and Business Tech without Ads

Staying updated on what is happening in the technology sector is important to your career and your personal life but ads can make reading news, distracting. With Thurrott Premium, you can enjoy the best coverage in tech without the annoying ads.


In a previous Ask the Admin, I talked about the clean source principle, which states that a system can be dependent on a higher trust system but not on a lower trust system. Part of implementing the principle is to determine the security dependencies systems have on each other, including servers, users, hardware, and management tools. Server and PC setup starts with the installation source, such as a downloaded file or physical media.

If the media used to install or update software has been modified by a malicious actor, then the device on which the software is installed will be compromised from the get-go, along with any systems dependent on it. So, it’s important to understand that installation media is also a security dependency.

Apply the clean source principle to installation media (Image Credit: Microsoft)
Apply the Clean Source Principle to Installation Media (Image Credit: Microsoft)

It’s best practice to validate the integrity of media before it’s used. Once the integrity has been confirmed, the media should be stored in a location that is restricted to systems with the same or higher level of trust as the devices where the software will be installed. For example, application installers should be protected against write access from Internet-connected hosts.


Certutil and Sigcheck

It might seem like overkill but you should check the validity of every installer file you download rather than assuming you have a genuine copy. Files could be downloaded from a site that appears to be the vendor’s but is, in fact, being diverted to a malicious server. This is especially important for mission-critical systems, such as Windows Server.

In the steps below, I’ll show you how to generate and compare the hash value of two files. A file’s hash value is a fixed-length number that uniquely identifies the file. You’ll download the file on two separate devices and generate hashes for each file. If the hash value is the same on both files, you can be reasonably sure that the file is genuine.

Generate a hash value using certutil (Image Credit: Russell Smith)
Generate a Hash Value Using Certutil (Image Credit: Russell Smith)
  1. Download the installer file on two separate devices that are isolated from each other. I.e. it is not connected to the same network or part of the same workgroup or domain. The devices should be connected to different Internet connections.
  2. Use certutil, a command-line tool built into Windows, to generate a hash for the file on both devices.

certutil -hashfile "C:\Users\Public\Downloads\MARSAgentInstaller.EXE"

It might sound like a pain to find two devices connected to different Internet connections but you could download the file at home and work and then compare the hash values.

It’s also worth checking the file’s digital signature. Not all software is digitally signed. But a signed installer package helps you to validate the file’s authenticity and integrity. To check the details of a file’s certificate, download Microsoft’s SysInternals sigcheck command-line tool. The command below will display basic information about the file’s digital signature.

Using SysInternals sigcheck to view a file's digital signature (Image Credit: Russell Smith)
Using SysInternals Sigcheck to View a File’s Digital Signature (Image Credit: Russell Smith)

sigcheck "C:\Users\Public\Downloads\MARSAgentInstaller.EXE"


In this Ask the Admin, I showed you how to check the integrity of installation media using certutil and sigcheck.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.

Register for Advanced Microsoft 365 Day!

GET-IT: Advanced Microsoft 365 1-Day Virtual Conference - Live August 24th!

Join us on Tuesday, August 24th and hear from Microsoft MVPs and industry experts about how to take advantage of Microsoft 365 at a technical level and dive deep into the features and functionality that will make your environment more secure and compliant.


Sponsored By