I wrote the attached script to recursively parse a WsusContent directory and compare the file name to the SHA1 hash of the file.  This performs a basic verification that the content is valid.  WSUS does this by itself, but when moving the content across to a disconnected network I recommend validating the content first to ensure it didn’t become corrupt in transit instead of waiting on WSUS to check it for you.

The syntax of the script is quite simple:

.\Check-WsusContentHash.ps1 -RootPath D:\WSUS\WsusContent

The RootPath parameter is required so that it knows where to start the search.

The output is basic: a single period (.) for every file it checks.  In the following example I copied six files into a temporary directory for a test scan:

PS C:\Scripts> .\Check-WsusContentHash.ps1 -RootPath C:\WSUS\Temp

PS C:\Scripts> 

Any time it encounters an invalid signature it still writes the period, but then displays the file and signature on a new line, and then continues with the scan.  In the following example I changed the last character of one file name from E to 1, causing the script to find it invalid.  (Typically if the file is corrupt, the signature will be significantly different, not just by one character.)

PS C:\Scripts> .\Check-WsusContentHash.ps1 -RootPath C:\WSUS\Temp
 C:\WSUS\Temp\22594247fdbd160a334015ec44ce69661231e081.exe      INVALID 22594247FDBD160A334015EC44CE69661231E08E

PS C:\Scripts>

Happy hashing!


Disclaimer: The information on this site is provided “AS IS” with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use.

Comments (1)

  1. Gandalf50 says:

    Thanks.  Will be very handy for a pending move.

Skip to main content