File integrity monitoring (FIM) is one way to detect changes to a known filesystem's files, and in the case of Windows, the registry. Typically, when a system has malicious activity, either changes are made to existing files or harmful files are placed in critical areas of the filesystem. In order to detect these changes, FIM tools create a hash database of the known good versions of files in each filesystem location. The tool can then periodically or real-time scan the filesystem looking for any changes to the installation including known files and directories. Hashing is used because any variation in the file will result in a different hash value, and therefore confirm there has been a change to the file, directory, ...