Safe way to verify that a Microsoft ISO has not been tampered with

9

2

I'd like to make sure an ISO (disc image) I have for a Microsoft Windows 10 OS is genuine. The way I usually do this with any file is by computing a hash of the file and comparing the result to the expected hash (typically provided by the software publisher).

The right resource would list the official ISO names along with that file's correct hash. For instance:

File: en-gb_windows_10_enterprise_2016_ltsb_n_x64_dvd_9058303.iso
SHA1: 0629BF04AA2A61E125EE6EDDF917DB471DCB8535

Something like this, but it would come directly from a Microsoft site. I do not wish to have to create a Microsoft account just to see the correct hash (e.g. the hash is shown on the official download pages, but you need to have an account to get there). Any leads?

PS: By the way, if it helps anyone, I use the tiny MD5 & SHA Checksum Utility to compute hashes

BeetleJuice

Posted 2017-02-04T06:34:11.777

Reputation: 677

Quoting Microsoft: "After your download has completed, you can compare your download copy to the original to verify that the download was successful. For this purpose, the SHA-1 hash value is provided for each download available on Subscriber Downloads. To view the SHA-1 hash value, click “Details” in the download’s listing on Subscriber Downloads." – Alex – 2017-02-04T07:27:47.537

Thank you. I think this solution requires me to create a Microsoft account, which I do not wish to do. – BeetleJuice – 2017-02-04T07:40:29.527

I'm afraid it is the only way since you want it "directly from a Microsoft site." – Alex – 2017-02-04T07:42:33.093

Just create an account using a throwaway email address. – DavidPostill – 2017-02-04T11:25:23.007

@DavidPostill: Microsoft locked me out of my throwaway Microsoft account literally due to “something (...) that violates the Microsoft Services Agreement”. They requested that I tell them my phone number to receive a security code via SMS. When I tried to use a throwaway mobile phone number to do that, Microsoft web site responded: “We cannot send a text message to this number.” I love when people like you hand out “clever” anonymity/privacy/safety “solutions” that either replace one problem with another or flat out don’t work. OP’s problem: so basic – still unsolved. – 7vujy0f0hy – 2017-12-08T23:52:30.877

@7vujy0f0hy I said use a throwaway email address, not a throwaway mobile number. – DavidPostill – 2017-12-09T06:16:17.113

@DavidPostill: (1) You will say it later. (2) If the mobile number you give them is not throwaway, your account is not throwaway. (3) Is a Microsoft Outlook account not an e-mail account? Because, quite clearly, that’s what I have... or rather had. – 7vujy0f0hy – 2017-12-09T09:44:48.960

@DavidPostill: In any case, I have created a permanent (not throwaway) Microsoft account which I must now keep until death. And there is no Windows 10 OS download available in the section “Subscriber Downloads”! And the link posted by +Hex redirects me to My Visual Studio home page.

– 7vujy0f0hy – 2017-12-09T10:01:27.397

Here is another third-party SHA1 database: Microsoft SHA1 Hash Archive from my.visualstudio.com.

– starfry – 2018-07-12T19:23:01.880

Answers

1

As of December of 2017 this doesn't work anymore.

Click on Details on MSDN, for example: Windows 10 Enterprise 2016 LTSB. You probably need to log in to your Microsoft account to look it up, but you don't need to be an MSDN subscriber.

Windows 10 Enterprise 2016 LTSB N MSDN page

Hex

Posted 2017-02-04T06:34:11.777

Reputation: 982

Thanks for the link. +1. I've already been to that site, but I don't wish to create a Microsoft account just to see the hash signatures. – BeetleJuice – 2017-02-04T07:39:08.340

Why not? You don't even need to remember the data, you can create one each time you need to look them up... This is the official way to do this, there is no other. – Hex – 2017-02-04T20:24:16.740

@Hex: For example because it violates the Microsoft Services Agreement. Read more in my other comment.

– 7vujy0f0hy – 2017-12-09T00:13:52.343

@Hex: Both your MSDN links (1, 2) just redirect me to https://my.visualstudio.com/, even though I’m logged in. No button named “Details” anywhere in sight. Waste of account.

– 7vujy0f0hy – 2017-12-11T05:12:52.070

Unfortunately, this doesn't work anymore, as Microsoft changed MSDN to My Visual Studio. – Hex – 2017-12-13T08:06:06.000

0

The only safe ways are to

  • download a new one from Microsoft. For home and pro for OEM and retail. Note there is no enterprise option for OEM/retail. From https://www.microsoft.com/en-us/software-download/windows10. While this is currently frustrating, as an IT admin there is normally a new semi-annual release that needs downloading anyway by the time I've forgotten where I saved the last iso I downloaded.
  • or log in to your current MSDN subscription and download a new one if you are eligible.
  • log in to your volume license portal https://www.microsoft.com/licensing/servicecenter/default.aspx and look up the hash for the image you are interested in. For Pro / Educational / Enterprise. If you don't have a volume license portal login, see the people that sold you the license and they should be able to help set you up with one.
  • re-create the iso from your original install media and compare checksums.

Remember Microsoft is always trying to outsmart the software pirates, which makes life difficult for people that have paid for their license. For previous versions of MS products this has meant that each combination of OEM/retail/VLSC coupled with home/pro/edu/ent has had its own sha1 hash for the same version. Also you had to match up the license key you were trying to use not only with the version of software but the channel through which the key was purchased. Plus, each OEM manufacturer (e.g. dell/hp/etc) would have separate sha1 codes for all of the versions. While win 10 is still not perfect in this regard, having a single installer compatible with all oem and retail is much better than the old system.

Oh, and I forgot to add in the last paragraph there are also different language regions having their own sets of iso <-> key pairs for all of the above combinations. I'm not sure yet how the language region issues relate to Windows 10.

PS. If you're concerned about 3rd party info/software then FYI, Microsoft also has an MD5 / SHA1 tool called FCIV, available for download from their site.

BeowulfNode42

Posted 2017-02-04T06:34:11.777

Reputation: 1 629

0

You can't, because Microsoft now embeds a unique ID in each downloaded ISO. I've downloaded the Windows 10 x64 ISO 4 times in the past 2 days, and each download completed without errors, and each had a different md5 sum:

94413128e084237b291e8dcb6d66042a *Windows10-x64-A.iso
b4fe0950ce455035d4c69abcc57f6e22 *Windows10-x64-B.iso
0f97d05fc0dd407108c3dcf036b4a7b4 *Windows10-x64-C.iso
5787c173f8590cf48633ec20dc683131 *Windows10-x64-D.iso

WinMerge shows that the files that differ between the versions are

sources/boot.wim
sources/install.esd
sources/ws.dat

Checking just ws.dat, I find each ISO has a different value of InstanceID. Possibly these should be confidential for key activation, so I'm not listing the one I'm going to use:

[in B:] InstanceId=f1a7e812-3f62-4457-9c7e-4f255d608e6c
[in C:] InstanceId=1e380011-8f50-49bd-9711-6c204f846e84
[in D:] InstanceId=f1a7e812-3f62-4457-9c7e-4f255d608e6c

Phil Goetz

Posted 2017-02-04T06:34:11.777

Reputation: 151
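
The two checks discussed on this page, as an added example that is not part of any post: streaming a hash of a whole image to compare with a published value (as in the question), and hashing every file of two mounted or extracted images to list which ones differ (the comparison the last answer made with WinMerge). All function names and the sample trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path, algo="sha1", chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a multi-GB ISO never sits in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def matches_published(path, published_hex, algo="sha1"):
    """Compare with a published hash; case and stray whitespace are ignored."""
    return file_digest(path, algo) == published_hex.strip().lower()

def tree_manifest(root, algo="sha1"):
    """Map each file's path (relative to root) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p, algo)
            for p in root.rglob("*") if p.is_file()}

def diff_trees(root_a, root_b, algo="sha1"):
    """Report files whose content differs or that exist on one side only."""
    a, b = tree_manifest(root_a, algo), tree_manifest(root_b, algo)
    return {
        "changed": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
        "only_a": sorted(a.keys() - b.keys()),
        "only_b": sorted(b.keys() - a.keys()),
    }

def demo():
    """Constructed stand-ins for two mounted ISOs that differ only in ws.dat."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, inst in (("A", "constructed-id-1"), ("B", "constructed-id-2")):
            src = Path(tmp, name, "sources")
            src.mkdir(parents=True)
            Path(tmp, name, "setup.exe").write_bytes(b"identical in both trees")
            (src / "ws.dat").write_text(f"InstanceId={inst}\n")
        return diff_trees(Path(tmp, "A"), Path(tmp, "B"))

if __name__ == "__main__":
    print(demo())  # on real media, pass the two mount points to diff_trees()
```

A per-file comparison like this narrows a whole-image mismatch down to the files responsible, which is how a per-download identifier can be told apart from changes to the installer payload itself.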