Amazon Elastic Compute Cloud
User Guide for Windows Instances

Resetting a Windows Administrator Password using EC2Config

If you have lost your Windows Administrator password and are using a Windows AMI prior to Windows Server 2016, you can use the EC2Config service to generate a new password.

Note

If you are using a Windows Server 2016 AMI, see Resetting a Windows Administrator Password Using EC2Launch for Administrator password reset steps.

Before You Begin

Before you attempt to reset the administrator password, use the following procedure to verify that the EC2Config service is installed and running. You will use the EC2Config service to reset the Administrator password later in this section.

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Instances and then choose the instance that needs a password reset. (This instance is referred to as the original instance in this procedure.)

  3. Choose Actions, Instance Settings, Get System Log.

  4. Locate the EC2 Agent entry. For example, EC2 Agent: Ec2Config service v3.18.1118. If you see this entry, the EC2Config service is running.

    If the system log output is empty, or if the EC2Config service is not running, troubleshoot the instance using the Instance Console Screenshot service. For more information, see Troubleshoot an Unreachable Instance.

Resetting an Administrator password

To reset an Administrator password for an EC2 instance, you modify a configuration file on the instance boot volume. However, you can't modify this file while the volume is attached to the instance as a root volume. You must detach the volume and attach it to a temporary instance. After you modify the configuration file on the temporary instance, you reattach the volume to your original instance as the root volume, as described in the following procedure.

Important

The instance gets a new public IP address after you stop and start it as described in the following procedure. After resetting the password, be sure to connect to the instance using its current public DNS name. If the instance is in EC2-Classic, any Elastic IP address is disassociated from the instance, so you must reassociate it. For more information, see Instance Lifecycle.

To reset the Administrator password

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the EC2 console, choose Instances, and then choose the instance that needs a password reset.

  3. Choose Actions, Instance State, Stop.

    Warning

    When you stop an instance, the data on any instance store volumes is erased. Therefore, if you have any data on instance store volumes that you want to keep, be sure to back it up to persistent storage.

  4. In the Stop Instances dialog box, choose Yes, Stop. After the instance has stopped, proceed with the next step.

  5. (Optional) If you do not have the original key pair (the .pem file that was used to create this instance), complete the following steps to create an AMI of this instance (a copy of the original) and redeploy the instance using a known or a new key pair. If you have the key pair, you can skip to the next step.

    1. In the EC2 console, choose the instance that needs a new key pair, and then choose Actions, Image, Create Image.

    2. Type a name and a description for the instance and choose Create Image.

    3. In the Create Image page, choose View pending image ami-ID. When the status of the new AMI shows available, choose Instances in the navigation pane, and then choose the original instance.

    4. Choose Actions, Launch More Like This. The Instance Launch Wizard opens. The wizard is pre-populated with the setup specifications used to create the original instance, including the same VPC, subnet, and availability zone, but it is not pre-populated to use the AMI you just created.

    5. In the top navigation bar of the wizard, choose 1. Choose AMI.

    6. Choose My AMIs, clear the pre-populated filter, then locate the AMI you created earlier. Choose Select.

      
      [Screenshot: AMI selection wizard]

    7. In the You selected a different AMI page, choose Yes, I want to continue with this AMI, and then choose Next.

    8. In the top navigation bar of the wizard, choose 7. Review, and then choose Launch.

    9. In the Select an existing key pair or create a new key pair page, choose a key pair that you can access or create a new key pair.

    10. Choose the I acknowledge... option, and then choose Launch.

    Important

    For the remainder of this procedure, all references to the original instance apply to this instance that you just created. You can stop or terminate the old instance. If you do not stop or terminate the old instance, you might incur charges.

  6. In the EC2 console, choose Instances and launch a temporary Windows instance in the same availability zone as the original instance. (This instance is referred to as the temporary instance in this procedure.)

    Warning

    If your temporary instance is based on the same AMI that the original instance is based on, and the operating system is later than Windows Server 2003, you must complete additional steps or you won't be able to boot the original instance after you restore its root volume because of a disk signature collision. Alternatively, select a different AMI for the temporary instance. For example, if the original instance uses the AWS Windows AMI for Windows Server 2008 R2, launch the temporary instance using the AWS Windows AMI for Windows Server 2012 or Windows Server 2003. (To find an AMI for Windows Server 2003, search for an AMI using the name Windows_Server-2003-R2_SP2.)

  7. Detach the root volume from the original instance as follows:

    1. On the Description pane of the original instance, note the EBS ID of the volume listed as the Root device.

    2. In the navigation pane, choose Volumes.

    3. In the list of volumes, select the volume, and then choose Actions, Detach Volume. After the volume's status changes to available, proceed with the next step.

  8. Attach the volume to the temporary instance as a secondary volume as follows:

    1. Choose Actions, Attach Volume.

    2. In the Attach Volume dialog box, start typing the name or ID of your temporary instance in the Instances field, and then select it from the list of suggested options.

    3. In the Device box, type xvdf (if it isn't already there), and then choose Attach.

    4. Connect to the temporary instance, open the Disk Management utility, and bring the drive online using these instructions: Making the Volume Available on Windows.

  9. On the secondary volume, modify the configuration file as follows:

    1. From the temporary instance, navigate to the secondary volume, and open \Program Files\Amazon\Ec2ConfigService\Settings\config.xml using a text editor, such as Notepad.

    2. At the top of the file, find the plugin with the name Ec2SetPassword, as shown here. Change the state from Disabled to Enabled and then save the file.

      
      [Screenshot: The area of the Config.xml file to change]

  10. (Optional) If your temporary instance is based on the same AMI that the original instance is based on, and the operating system is later than Windows Server 2003, you must complete the following steps or you won't be able to boot the original instance after you restore its root volume because of a disk signature collision.

    Warning

    The following procedure describes how to edit the Windows Registry using Registry Editor. If you are not familiar with the Registry or how to safely make changes using Registry Editor, read about the Registry on Microsoft TechNet.

    1. Open a command prompt, type regedit.exe, and press Enter.

    2. In the Registry Editor, open the context menu (right-click) for HKEY_LOCAL_MACHINE, and then choose Find.

    3. Type Windows Boot Manager and then choose Find Next.

    4. Choose the key named 11000001. This key is a sibling of the key you found in the previous step.

    5. In the right pane, choose Element and then choose Modify from the context menu (right-click).

    6. Locate the four-byte disk signature at offset 0x38 in the data. Reverse the bytes to create the disk signature, and write it down. For example, the disk signature represented by the following data is E9EB3AA5:

      ...
      0030  00 00 00 00 01 00 00 00
      0038  A5 3A EB E9 00 00 00 00
      0040  00 00 00 00 00 00 00 00
      ...
    7. In a Command Prompt window, run the following command to start Microsoft DiskPart.

      diskpart
    8. Run the following DiskPart command to select the volume. (You can verify that the disk number is 1 using the Disk Management utility.)

      DISKPART> select disk 1
      Disk 1 is now the selected disk.
    9. Run the following DiskPart command to get the disk signature.

      DISKPART> uniqueid disk
      Disk ID: 0C764FA8
    10. If the disk signature shown in the previous step doesn't match the disk signature from BCD that you wrote down earlier, use the following DiskPart command to change the disk signature so that it matches:

      DISKPART> uniqueid disk id=E9EB3AA5
  11. Detach the secondary volume from the temporary instance as follows:

    1. Using the Disk Management utility, bring the volume offline.

      Note

      The drive is automatically offline if the temporary instance is running the same operating system as the affected instance, so you won't need to bring it offline manually.

    2. From the Amazon EC2 console, in the navigation pane, choose Volumes.

    3. Select the volume, and choose Actions, Detach Volume. After the volume's status changes to available, proceed with the next step.

  12. Reattach the volume to the original instance as its root volume as follows:

    1. Select the volume, and choose Actions, Attach Volume.

    2. In the Attach Volume dialog box, start typing the name or ID of the original instance in the Instances list, and then select the instance.

    3. In the Device box, enter /dev/sda1.

    4. Choose Yes, Attach.

  13. Restart the original instance as follows:

    1. In the navigation pane, choose Instances.

    2. Select the original instance and then choose Actions, Instance State, Start.

    3. In the Start Instances dialog box, choose Yes, Start.

  14. Retrieve the new default password as follows:

    1. In the navigation pane, choose Instances.

    2. Select the original instance and then choose Actions, Get Windows Password.

    3. In the Retrieve Default Windows Administrator Password dialog box, choose Browse, and then select the .pem file that corresponds to the key pair that you specified when you launched the instance.

    4. Choose Decrypt Password. You'll use the decrypted password to connect to the original instance using the local Administrator account.
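
The config.xml change in step 9 can be scripted from the temporary instance. The following is an added example, not part of the AWS guide: the function name, the drive letter D:, and the Plugins/Plugin/Name/State element layout of the constructed sample file are assumptions to confirm against the file on your volume.

```powershell
# Added example. Enable-Ec2SetPassword is a hypothetical helper name.
function Enable-Ec2SetPassword {
    param([Parameter(Mandatory=$true)][string]$Path)

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true      # keep the file's existing layout
    $xml.Load($Path)

    # Assumed layout: <Plugin><Name>Ec2SetPassword</Name><State>...</State></Plugin>
    $state = $xml.SelectSingleNode("//Plugin[Name='Ec2SetPassword']/State")
    if ($null -eq $state) { throw "Ec2SetPassword plugin not found in $Path" }

    $previous = $state.InnerText
    if ($previous -ne 'Enabled') {
        # Keep a rollback copy before touching the boot volume's file.
        Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
        $state.InnerText = 'Enabled'
        $xml.Save($Path)
    }
    New-Object PSObject -Property @{
        Path = $Path; Previous = $previous; Current = $state.InnerText
    }
}

# Constructed sample standing in for the real file, so the example runs offline.
$sample = Join-Path $env:TEMP 'config-sample.xml'
@'
<?xml version="1.0" standalone="yes"?>
<Ec2ConfigurationSettings>
  <Plugins>
    <Plugin>
      <Name>Ec2SetPassword</Name>
      <State>Disabled</State>
    </Plugin>
    <Plugin>
      <Name>Ec2SetComputerName</Name>
      <State>Disabled</State>
    </Plugin>
  </Plugins>
</Ec2ConfigurationSettings>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

Enable-Ec2SetPassword -Path $sample

# On the temporary instance, with the secondary volume online as D: (assumed letter):
# Enable-Ec2SetPassword -Path 'D:\Program Files\Amazon\Ec2ConfigService\Settings\config.xml'
```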

Note

(Optional) If you completed the optional steps in this procedure to resolve the issue of a missing key pair (Step 5), then note the following:

  • If your instance used an Elastic IP address, you must reassign that Elastic IP address to the new instance that you just created. For more information, see Associating an Elastic IP Address with a Running Instance.

  • Ensure that any DNS entries that referenced the public and/or private DNS or IP address point to the appropriate value.
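
For the disk signature check in step 10 of the procedure, the byte reversal at offset 0x38 is a little-endian decode, which the following added example (not part of the AWS guide) performs and then compares against the DiskPart output. The function names are hypothetical, and the sample data is constructed from the dump in step 10.6 and the Disk ID shown in step 10.9.

```powershell
# Added example. Function names are hypothetical helpers, not AWS or Microsoft tools.
function Get-BcdDiskSignature {
    param([Parameter(Mandatory=$true)][byte[]]$Element)
    if ($Element.Length -lt 0x3C) {
        throw 'Element data is too short to hold a signature at offset 0x38.'
    }
    # The four bytes are stored little-endian; decoding them as a UInt32 on
    # Windows (a little-endian platform) performs the reversal from step 10.6.
    '{0:X8}' -f [BitConverter]::ToUInt32($Element, 0x38)
}

function Compare-DiskSignature {
    param(
        [Parameter(Mandatory=$true)][byte[]]$Element,
        [Parameter(Mandatory=$true)][string]$DiskPartOutput
    )
    $expected = Get-BcdDiskSignature -Element $Element
    if ($DiskPartOutput -notmatch 'Disk ID:\s*([0-9A-Fa-f]{8})\b') {
        throw 'No 8-digit Disk ID found in the DiskPart output.'
    }
    $actual = $Matches[1].ToUpper()
    $fix = $null
    if ($expected -ne $actual) { $fix = "uniqueid disk id=$expected" }
    New-Object PSObject -Property @{
        Expected = $expected; Actual = $actual
        Match = ($expected -eq $actual); DiskPartFix = $fix
    }
}

# Constructed Element data reproducing the rows of the dump in step 10.6.
$element = New-Object byte[] 72
$element[0x34] = 0x01
$element[0x38] = 0xA5; $element[0x39] = 0x3A
$element[0x3A] = 0xEB; $element[0x3B] = 0xE9

# Constructed DiskPart output matching the sample in step 10.9.
Compare-DiskSignature -Element $element -DiskPartOutput 'Disk ID: 0C764FA8'
```

When the signatures differ, DiskPartFix holds the DiskPart command from the last sub-step of step 10; when they match, it is empty and no change is needed.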