You need to verify the integrity of a downloaded file or check a checksum on Windows 11. PowerShell offers a built-in way to compute SHA-256 hashes without installing or importing any external modules. This article explains how to use the native Get-FileHash cmdlet and the underlying .NET classes to generate SHA-256 hashes directly from the command line. You will learn the exact commands, understand how they work, and avoid common mistakes that produce incorrect hash values.
Key Takeaways: Compute SHA-256 Hash in PowerShell on Windows 11
- Get-FileHash -Algorithm SHA256 -Path
: The native PowerShell cmdlet to compute a SHA-256 hash for any file without needing a module - [System.Security.Cryptography.SHA256]::Create().ComputeHash() method: The .NET class that PowerShell can call directly for advanced scenarios like hashing strings or streaming data
- Format-Hex or ToString conversion: Required to convert the raw byte output of .NET methods into the standard hexadecimal hash string
Understanding SHA-256 and PowerShell’s Native Capabilities
SHA-256 is a cryptographic hash function that produces a 256-bit 32-byte hash value. It is part of the SHA-2 family and is widely used for file integrity verification, digital signatures, and password storage. Windows 11 includes SHA-256 support in the .NET Framework, which PowerShell can access without any additional downloads.
PowerShell version 4.0 and later include the Get-FileHash cmdlet. This cmdlet uses the .NET cryptographic classes behind the scenes. You do not need to import a module such as Microsoft.PowerShell.Utility explicitly because it is loaded by default in PowerShell 5.1 and PowerShell 7.x. The cmdlet supports several algorithms: SHA1, SHA256, SHA384, SHA512, MD5, and RIPEMD160. SHA256 is the default algorithm for Get-FileHash in some PowerShell versions, but you should specify it explicitly for clarity.
For scenarios where you need to hash a string instead of a file, or where you want more control over the hashing process, PowerShell can call the .NET System.Security.Cryptography.SHA256 class directly. This method is also module-free because the .NET classes are part of the Windows base class library.
Steps to Compute SHA-256 Hash Using Get-FileHash
The Get-FileHash cmdlet is the simplest and most reliable way to compute a SHA-256 hash for a file. Follow these steps.
- Open PowerShell as Administrator or Standard User
Press the Windows key, type PowerShell, and select Windows PowerShell or PowerShell 7. You do not need administrator privileges to compute a hash for files you can read. - Navigate to the File’s Directory Optional
Use thecdcommand to change to the folder containing the file. For example:cd C:\Users\YourName\Downloads. This step simplifies the file path in the next command. - Run Get-FileHash with the SHA256 Algorithm
Type the following command and press Enter:Get-FileHash -Algorithm SHA256 -Path "filename.exe"
Replacefilename.exewith the actual file name. If the file is not in the current directory, provide the full path:C:\Path\To\file.iso. - Read the Output
PowerShell displays three columns: Algorithm shows SHA256, Hash shows the 64-character hexadecimal string, and Path shows the file path. Compare the hash value against the checksum provided by the file source. - Hash Multiple Files at Once
You can pass multiple file paths to the same command:Get-FileHash -Algorithm SHA256 -Path "file1.zip", "file2.zip"
PowerShell returns a hash for each file in a separate row.
Steps to Compute SHA-256 Hash Using .NET Classes Without Get-FileHash
Use this method when you need to hash a string, hash data from a stream, or work in an environment where Get-FileHash is unavailable. The .NET approach gives you full control over the input and output format.
- Create a SHA256 Object
Type the following command to create an instance of the SHA256 class:$sha256 = [System.Security.Cryptography.SHA256]::Create()
This command does not require any module import. - Compute Hash for a String
Convert the string to bytes, compute the hash, and convert the result to hexadecimal:$stringBytes = [System.Text.Encoding]::UTF8.GetBytes("YourString")$hashBytes = $sha256.ComputeHash($stringBytes)$hashHex = [System.BitConverter]::ToString($hashBytes) -replace '-', ''$hashHex
The variable$hashHexnow contains the SHA-256 hash as a 64-character uppercase hexadecimal string. - Compute Hash for a File Using .NET
Open a file stream and compute its hash:$stream = [System.IO.File]::OpenRead("C:\Path\To\file.exe")$hashBytes = $sha256.ComputeHash($stream)$stream.Close()$hashHex = [System.BitConverter]::ToString($hashBytes) -replace '-', ''$hashHex
Always close the stream to free system resources. - Dispose of the SHA256 Object
After computing all needed hashes, dispose of the object:$sha256.Dispose()
This step releases cryptographic resources.
Common Mistakes and Things to Avoid
PowerShell Shows a Different Hash Than Expected
The most frequent cause is using the wrong algorithm. Some websites provide MD5 or SHA-1 hashes. Verify that the source specifically states SHA-256. Also, ensure you are comparing the full 64-character hash. Truncated or partial hashes will not match.
Get-FileHash Command Not Found
This error occurs on very old PowerShell versions 3.0 or earlier. Windows 11 ships with PowerShell 5.1, which includes Get-FileHash. If you are using PowerShell 7, the cmdlet is also present. Run $PSVersionTable.PSVersion to check your version. If you see version 3.0 or lower, use the .NET class method instead.
Hash Output Is in Uppercase or Lowercase
The Get-FileHash cmdlet returns the hash in uppercase. The .NET method using BitConverter also returns uppercase. Many checksum sources display lowercase. Case does not affect the hash value. Use .ToLower() to convert if needed: $hashHex.ToLower().
Hash of a String Differs Between Systems
The hash depends on the byte encoding of the string. Always specify the encoding explicitly. The example above uses UTF8. If you use ASCII or Unicode, the hash will differ. Match the encoding used by the system that generated the original hash.
File Path Contains Spaces or Special Characters
Always enclose file paths in quotes. PowerShell interprets spaces as argument separators. Use single quotes 'C:\My Files\file.txt' or double quotes "C:\My Files\file.txt".
Get-FileHash vs .NET Class Method: Usage Differences
| Item | Get-FileHash Cmdlet | .NET SHA256 Class |
|---|---|---|
| Input type | File path only | Byte array, stream, or string |
| Output format | Object with Algorithm, Hash, Path | Raw byte array |
| Ease of use | Single command, no conversion needed | Multiple steps, requires hex conversion |
| Module requirement | None built into PowerShell 5.1+ | None .NET is part of Windows |
| Performance on large files | Good, uses streaming internally | Good, but you must manage the stream |
Use Get-FileHash for quick file integrity checks. Use the .NET class when you need to hash strings or control the encoding and streaming process.
You can now compute SHA-256 hashes in PowerShell on Windows 11 without importing any modules. Use Get-FileHash -Algorithm SHA256 for files and the .NET SHA256 class for strings or advanced scenarios. Always verify the algorithm and encoding match the source. For automated scripts, consider adding a -replace '-' to the .NET method to produce lowercase hashes consistently.