Amazon Windows AMIs contain an additional service installed by Amazon Web Services—the EC2Config service.
Although optional, this service provides access to advanced features that aren't otherwise available.
This service runs in the LocalSystem account and performs tasks on the instance.
Its binaries and additional files are contained in the
%ProgramFiles%\Amazon\EC2ConfigService directory.
The EC2Config service is started when the instance is booted. It performs tasks during initial instance startup and each time you stop and start the instance. It can also perform tasks on demand. Some of these tasks are automatically enabled, while others must be enabled. EC2Config uses settings files to control its operation. You can update these settings files using either a graphical tool or by directly editing XML files.
The EC2Config service runs Sysprep, a Microsoft tool that enables you to create a customized Windows image that can be reused. For more information about Sysprep, see Sysprep Technical Reference.
When EC2Config calls Sysprep, it uses the settings files in EC2ConfigService\Settings
to determine which operations to perform. You can edit these files indirectly using the Ec2 Service Properties dialog box,
or directly using an XML editor or a text editor. However, there are some advanced settings that aren't exposed in the
Ec2 Service Properties dialog box, so you must edit those entries directly.
If you create an AMI from an instance after updating its settings, the new settings are applied to any instance that's launched from the new AMI. For information about creating an AMI, see Creating an Amazon EBS-Backed Windows AMI.
EC2Config runs initial startup tasks when the instance is first started and then disables them. To run these tasks again, you must either explicitly enable them before you shut down the instance or run Sysprep manually. These tasks are as follows:
Set the computer name (to match the private DNS name).
Set a random, encrypted password for the Administrator account.
Generate and install the host certificate used for Remote Desktop Connection.
Dynamically extend the operating system partition.
Execute the specified User Data (and CloudInit, if it's installed).
EC2Config performs the following tasks every time the instance starts:
Check for activation status and activate Windows as necessary.
Configure the Key Management Server (KMS) and activate Windows.
Format and mount any EBS volumes and instance store volumes, and map volume names to drive letters.
Synchronize the instance clock with a time server.
Write event log entries to the console to help with troubleshooting.
Write to the console that Windows is ready.
Display wallpaper information to the desktop background.
Add a custom route on the primary network adapter for the following link-local addresses so that they remain reachable when multiple NICs are attached: 169.254.169.250, 169.254.169.251, and 169.254.169.254. These addresses are used by Windows activation and by the instance metadata service.
While the instance is running, you can request that EC2Config perform the following task on demand:
Run Sysprep and shut down the instance so that you can create an AMI from it. (For more information, see Creating an Amazon EBS-Backed Windows AMI.)
The following procedure describes how to use the Ec2 Service Properties dialog box to enable or disable settings.
To change settings using the Ec2 Service Properties dialog box
Launch and connect to your Windows instance.
From the Start menu, click All Programs, and then click EC2ConfigService Settings.
On the General tab of the Ec2 Service Properties dialog box, you can enable or disable the following settings.
Set Computer Name (Ec2SetComputerName in Config.xml): sets the hostname of the instance to a unique name based on the IP address of the instance and reboots once after booting. To set your own hostname, or to prevent your existing hostname from being modified, don't enable this setting.
User Data (Ec2HandleUserData in Config.xml): user data is a script that you supply when you launch the instance, and EC2Config runs it during the first boot. From the instance, you can read the user data at http://169.254.169.254/latest/user-data. It persists for the life of the instance, including across stop and start, until the instance is terminated. Because that endpoint requires no credentials, any process or user on the instance can read the user data, so do not embed passwords, keys, or other secrets in it.
If you use a large script, we recommend that you use User Data to download the script (for example, from an Amazon S3 bucket that the instance is allowed to read), and then execute it.
For EC2Config to execute User Data, you must enclose the lines of the script within one of the following special tags:
<script></script>Run any command that you can run at the cmd.exe prompt.
Example: <script>dir > c:\test.log</script>
<powershell></powershell>Run any command that you can run at the Windows PowerShell prompt.
If you use an AMI that includes the AWS Tools for Windows PowerShell, you can also use those cmdlets. If you specify an IAM role when you launch your instance, you don't need to supply credentials to the cmdlets: applications that run on the instance obtain the role's temporary credentials from the instance metadata and use them to access AWS resources such as Amazon Simple Storage Service (Amazon S3) buckets. Keep in mind that any process on the instance can obtain those credentials the same way, so grant the role only the permissions the instance actually needs.
Example: <powershell>Read-S3Object -BucketName myS3Bucket -Key myFolder/myFile.zip -File c:\destinationFile.zip</powershell>
If both script and powershell tags are present, the batch script is executed first, and then the PowerShell
script, regardless of the order in which they appear.
EC2Config expects the user data to be base64 encoded. If it is not, EC2Config logs an error about being unable to find script or powershell tags to execute. Most AWS tools encode user data for you; when you pass it to the API yourself, encode it as in the following PowerShell example, in which $Script holds the tagged script text:
$Script = '<powershell>Read-S3Object -BucketName myS3Bucket -Key myFolder/myFile.zip -File c:\destinationFile.zip</powershell>'
$UserData = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($Script))
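The following PowerShell script is an added example, not code from the EC2Config documentation. It builds a user data document that contains both tag types, base64-encodes it as the RunInstances API expects, decodes it again, and then splits it into the pieces EC2Config would execute, in the order EC2Config uses (the script batch part first, then the powershell part). The function names, the UTF8 encoding choice, and the case-insensitive tag matching are assumptions of this example; the two script bodies are the one-line examples from this page.

```powershell
# Added example, not code from the EC2Config documentation: build a user data
# document with both tag types, base64-encode it as the RunInstances API
# expects, then split it back into the pieces EC2Config would execute, in the
# order EC2Config uses (the <script> batch part first, then <powershell>).

function New-Ec2UserData {
    param(
        [string]$BatchScript,       # body of <script></script>, optional
        [string]$PowerShellScript,  # body of <powershell></powershell>, optional
        [switch]$Persist            # add <persist>true</persist> (EC2Config 2.1.10 and later)
    )
    $parts = @()
    if ($BatchScript)      { $parts += "<script>`r`n$BatchScript`r`n</script>" }
    if ($PowerShellScript) { $parts += "<powershell>`r`n$PowerShellScript`r`n</powershell>" }
    if ($Persist)          { $parts += '<persist>true</persist>' }
    return ($parts -join "`r`n")
}

function ConvertTo-Base64UserData {
    # Same step the documentation shows; UTF8 instead of ASCII (assumption of
    # this example) so that non-ASCII characters in a script survive the trip.
    param([Parameter(Mandatory)][string]$UserData)
    return [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($UserData))
}

function ConvertFrom-Base64UserData {
    param([Parameter(Mandatory)][string]$Encoded)
    return [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Encoded))
}

function Get-Ec2UserDataScripts {
    # Returns the script bodies in execution order plus the persist flag.
    # Assumption: tag matching is case-insensitive, as it is here.
    param([Parameter(Mandatory)][string]$UserData)
    $found = [ordered]@{}
    foreach ($tag in 'script', 'powershell') {
        $m = [regex]::Match($UserData, "<$tag>(.*?)</$tag>", 'IgnoreCase, Singleline')
        if ($m.Success) { $found[$tag] = $m.Groups[1].Value.Trim() }
    }
    $found['persist'] = [regex]::IsMatch($UserData, '<persist>\s*true\s*</persist>', 'IgnoreCase')
    if ($found.Count -eq 1) {
        # Only the persist key is present: this is the condition under which
        # EC2Config logs that it cannot find script or powershell tags.
        Write-Warning 'no <script> or <powershell> section found'
    }
    return $found
}

# Constructed sample built from the two one-line examples on this page.
$userData = New-Ec2UserData `
    -BatchScript 'dir > c:\test.log' `
    -PowerShellScript 'Read-S3Object -BucketName myS3Bucket -Key myFolder/myFile.zip -File c:\destinationFile.zip' `
    -Persist

$encoded = ConvertTo-Base64UserData -UserData $userData
$decoded = ConvertFrom-Base64UserData -Encoded $encoded
if ($decoded -ne $userData) { throw 'base64 round trip failed' }

# Keys come back as script, powershell, persist: the batch part runs first
# regardless of where the tags appeared in the document.
Get-Ec2UserDataScripts -UserData $decoded
```

Pass the value of $encoded as the UserData parameter of RunInstances. Nothing in this document is protected, so the same rule as above applies: anything you put in these tags is readable by every process on the instance through the metadata endpoint.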
Initial Boot
By default, all Amazon Windows AMIs have User Data execution enabled for the initial boot. If you click Shutdown with Sysprep in Ec2Config, User Data execution is re-enabled, regardless of the setting of the User Data checkbox.
User Data execution runs as the local Administrator user only when a random password is generated, because Ec2Config generates that password and briefly holds the credentials before sending them to the console. Ec2Config doesn't store or track password changes, so when you don't generate a random password, User Data execution runs under the Ec2Config service account, which is LocalSystem.
Subsequent Boots
Because the User Data plugin automatically disables itself when it runs, you must do one of the following to persist User Data across reboots:
Programmatically create a scheduled task to run at system start using schtasks.exe /Create, and point the scheduled task to the userdata script (or another script) at C:\Program Files\Amazon\Ec2ConfigService\Scripts\UserScript.ps1.
Programmatically re-enable the User Data plugin in Config.xml using a script similar to the following. Note that this script also re-enables Ec2SetPassword, which resets the Administrator password to a new random value on the next boot; drop that branch if you only want the User Data plugin re-enabled.
<powershell>
# Path to the EC2Config settings file that holds the plugin states
$EC2SettingsFile = "C:\Program Files\Amazon\Ec2ConfigService\Settings\Config.xml"
$xml = [xml](Get-Content $EC2SettingsFile)
$xmlElement = $xml.get_DocumentElement()
$xmlElementToModify = $xmlElement.Plugins
foreach ($element in $xmlElementToModify.Plugin)
{
    # Ec2SetPassword: generate a new random Administrator password on next boot
    if ($element.name -eq "Ec2SetPassword")
    {
        $element.State = "Enabled"
    }
    # Ec2HandleUserData: run the user data script again on next boot
    elseif ($element.name -eq "Ec2HandleUserData")
    {
        $element.State = "Enabled"
    }
}
$xml.Save($EC2SettingsFile)
</powershell>
Starting with Ec2Config version 2.1.10, you can instead include <persist>true</persist> in the user data to re-enable the plugin after user data execution.
Event Log (Ec2EventLog in Config.xml): enables the display of event log entries on the console during boot for easy monitoring and debugging.
Click the Settings button to specify filters for the log entries sent to the console. By default, the three most recent error entries from the System event log are sent to the console.
Wallpaper Information: enables the display of system information on the desktop background.
The information displayed on the desktop background is controlled by the settings file EC2ConfigService\Settings\WallpaperSettings.xml.
The following is an example of the information displayed on the desktop background.


Click the Storage tab. You can enable or disable the following settings.
Root Volume (Ec2DynamicBootVolumeSize in Config.xml): dynamically extends Disk 0/Volume 0 to include any unpartitioned space. This is useful when the instance is booted from a root device volume that has a custom size.
Initialize Drives (Ec2InitializeDrives in Config.xml): formats and mounts all instance store volumes attached to the instance during startup.
Drive Letter Mapping (Ec2SetDriveLetter in Config.xml): by default, the system maps the volumes that you attach to an instance to drive letters, and it can choose any available drive letter. To choose the drive letters for your volumes, click the Mappings button. In the DriveLetterSetting dialog box, specify the Volume Name and Drive Letter for each volume, and then click OK. We recommend that you select drive letters starting at the end of the alphabet (Z:, Y:, and so on) to avoid conflicts with drive letters that are already in use.
After you specify a drive letter mapping and attach a volume whose label matches one of the volume names that you specified, EC2Config automatically assigns that volume the drive letter that you specified for it. However, the drive letter mapping fails if the drive letter is already in use. Note that EC2Config doesn't change the drive letters of volumes that were already mounted when you specified the drive letter mapping.

To save your settings and continue working on them later, click OK to close the Ec2 Service Properties dialog box.
Otherwise, if you have finished customizing your instance and are ready to create your AMI from this instance, click the Image tab. Select an option for the Administrator password, and then click Shutdown with Sysprep or Shutdown without Sysprep. EC2ConfigService edits the settings files based on the password option that you selected.

When you are asked to confirm that you want to run Sysprep and shut down the instance, click Yes.
You'll notice that EC2ConfigService runs Sysprep.
Next, you are logged off the instance, and the instance is shut down.
If you check the Instances page in the EC2 console, the instance state
changes from running to stopping, and then finally to stopped.
At this point, it's safe to create an AMI from this instance.
You can manually invoke the Sysprep tool from the command line using the following command:
%ProgramFiles%\Amazon\Ec2ConfigService\ec2config.exe -sysprep
However, you must be very careful that the XML file options specified in the Ec2ConfigService\Settings folder are correct; otherwise, you might not be able to connect to the instance (for example, if no random Administrator password is generated, there is no encrypted password on the console for you to retrieve). For more information about the settings files, see EC2Config Settings Files. For an example of configuring and then running Sysprep from the command line, see Ec2ConfigService\Scripts\InstallUpdates.ps1.
You can modify the following settings files located in the Ec2ConfigService\Settings directory:
ActivationSettings.xml—Controls product activation using a
Key Management Server (KMS).
BundleConfig.xml—Controls how EC2ConfigService
prepares an instance for AMI creation.
Config.xml—Controls the primary settings.
DriveLetterConfig.xml—Controls drive letter mappings.
EventLogConfig.xml—Controls the event log information that's displayed on the console while the instance is booting.
WallpaperSettings.xml—Controls the information that's displayed on the desktop background.
The settings in these files control the operation of the EC2Config service.
ActivationSettings.xml
SetAutodiscover—Indicates whether to automatically detect a KMS.
TargetKMSServer—The private IP address of a KMS. The KMS must be in
the same region as your instance.
DiscoverFromZone—Discovers the KMS server from the specified DNS zone.
ReadFromUserData—Gets the KMS server from UserData.
LegacySearchZones—Discovers the KMS server from the specified DNS zone.
DoActivate—Attempt activation using the specified settings in the section.
This value can be true or false.
LogResultToConsole—Displays the result to the console.
BundleConfig.xml
AutoSysprep—Indicates whether to automatically use Sysprep.
Change the value to Yes if you want to use Sysprep.
SetRDPCertificate—Sets a self-signed certificate to the Remote Desktop server running on a Windows 2003 instance.
This enables you to securely RDP into the instances.
Change the value to Yes if you want the new instances to have the certificate.
This setting is not used with Windows Server 2008 or Windows Server 2012 instances because they can generate their own certificates.
SetPasswordAfterSysprep—Sets a random password on a newly launched instance, encrypts it with the public key of the key pair specified at launch (so that only the holder of the matching private key can decrypt it), and outputs the encrypted password to the console. Change the value of this setting to No if you do not want the new instances to set a random encrypted password.
Config.xml
Ec2SetPassword—Generates a random encrypted password each time you launch an instance. This feature is disabled by default after the first launch so that reboots of this instance don't change a password set by the user. Change this setting to Enabled to continue to generate passwords each time you launch an instance. This setting is important if you are planning to create an AMI from your instance: if it is left disabled, every instance launched from the AMI starts with the same Administrator password as the source instance.
Ec2SetComputerName—Sets the hostname of the instance to a unique name based on the IP address of the instance and reboots the instance.
To set your own hostname, or prevent your existing hostname from being modified, you must disable this setting.
Ec2InitializeDrives—Initializes and formats all instance store volumes during startup. This feature is enabled by default, and initializes and mounts the instance store volumes as drives D:, E:, and so on. For more information about instance store volumes, see Amazon EC2 Instance Store in the Amazon EC2 User Guide.
Ec2EventLog—Displays event log entries in the console. By default, the three most recent
error entries from the system event log are displayed. To specify the event log entries to display, edit the EventLogConfig.xml file located
in the EC2ConfigService\Settings directory.
For information about the settings in this file, see Eventlog Key in the MSDN Library.
Ec2ConfigureRDP—Sets up a
self-signed certificate on the instance, so users can securely access the
instance using Remote Desktop. This feature is disabled on Windows Server 2008 and Windows
Server 2012 instances because they can generate their own certificates.
Ec2OutputRDPCert—Displays the Remote Desktop certificate information to the console
so that the user can verify it against the thumbprint.
Ec2SetDriveLetter—Sets the drive letters of the mounted volumes
based on user-defined settings. By default, when an Amazon EBS volume is
attached to an instance, it can be mounted using the drive letter on the
instance. To specify your drive letter mappings, edit the
DriveLetterConfig.xml file located in the
EC2ConfigService\Settings directory.
Ec2WindowsActivate—Indicates whether to search through the DNS suffix list for appropriate KMS entries. When the appropriate KMS entries are found, the plug-in sets your activation server to the first server to respond to the request successfully. Starting with Windows Server 2008 R2, Windows Server is able to search the suffix list automatically; on versions that cannot, the plug-in performs this search itself. To modify the KMS settings, edit the ActivationSettings.xml file located in the EC2ConfigService\Settings directory.
Ec2DynamicBootVolumeSize—Extends Disk 0/Volume 0 to include any unpartitioned space.
Ec2HandleUserData—Creates and executes the scripts supplied in user data on the first launch of an instance after Sysprep is run. Commands wrapped in script tags are saved to a batch file, and commands wrapped in PowerShell tags are saved to a .ps1 file.
RemoveCredentialsfromSysprepOnStartup—By default, the Administrator password is removed from Sysprep.xml the next time the service starts. To keep this password in the file, edit this setting; be aware that the password then remains on disk in the answer file, readable by anyone who can read that file.
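The following PowerShell script is an added example and not EC2Config's own code. It covers the two places above where Config.xml matters: it reads the plugin states, checks that Ec2SetPassword and Ec2HandleUserData are Enabled before you create an AMI, fixes them if not, and only then (behind a variable you must set deliberately) hands off to the manual ec2config.exe -sysprep command. The function names are assumptions; so is the root element name of the constructed sample Config.xml, which the script does not depend on. On an instance, run it from an elevated prompt, since Config.xml lives under Program Files.

```powershell
# Added example, not EC2Config's own code: inspect and adjust the plugin
# states in Config.xml before you create an AMI, and only then hand off to
# ec2config.exe -sysprep. Run from an elevated PowerShell prompt on the
# instance; off an instance it operates on the constructed sample below.

function Get-Ec2ConfigPluginState {
    param([Parameter(Mandatory)][xml]$Config)
    $states = [ordered]@{}
    foreach ($plugin in $Config.DocumentElement.SelectNodes('Plugins/Plugin')) {
        $states[$plugin.SelectSingleNode('Name').InnerText] = $plugin.SelectSingleNode('State').InnerText
    }
    return $states
}

function Set-Ec2ConfigPluginState {
    param(
        [Parameter(Mandatory)][xml]$Config,
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('Enabled', 'Disabled')][string]$State = 'Enabled'
    )
    $node = $Config.DocumentElement.SelectSingleNode("Plugins/Plugin[Name='$Name']")
    if (-not $node) { throw "plugin '$Name' is not present in Config.xml" }
    $node.SelectSingleNode('State').InnerText = $State
}

function Test-Ec2ConfigReadyForImage {
    # Ec2SetPassword must be Enabled or every instance launched from the AMI
    # keeps this instance's Administrator password; Ec2HandleUserData must be
    # Enabled or user data is ignored on first boot.
    param([Parameter(Mandatory)][xml]$Config)
    $states = Get-Ec2ConfigPluginState -Config $Config
    $missing = @('Ec2SetPassword', 'Ec2HandleUserData') | Where-Object { $states[$_] -ne 'Enabled' }
    if ($missing) {
        Write-Warning ('not enabled: ' + ($missing -join ', '))
        return $false
    }
    return $true
}

$configPath = "$env:ProgramFiles\Amazon\Ec2ConfigService\Settings\Config.xml"
if (Test-Path $configPath) {
    [xml]$config = Get-Content -Path $configPath -Raw
} else {
    # Constructed sample for running off an instance; the root element name is
    # an assumption, and the functions above do not depend on it.
    [xml]$config = @"
<?xml version="1.0" standalone="yes"?>
<Ec2ConfigurationSettings>
  <Plugins>
    <Plugin><Name>Ec2SetPassword</Name><State>Disabled</State></Plugin>
    <Plugin><Name>Ec2SetComputerName</Name><State>Disabled</State></Plugin>
    <Plugin><Name>Ec2HandleUserData</Name><State>Disabled</State></Plugin>
    <Plugin><Name>Ec2EventLog</Name><State>Enabled</State></Plugin>
  </Plugins>
</Ec2ConfigurationSettings>
"@
}

Get-Ec2ConfigPluginState -Config $config          # states before
if (-not (Test-Ec2ConfigReadyForImage -Config $config)) {
    Set-Ec2ConfigPluginState -Config $config -Name Ec2SetPassword
    Set-Ec2ConfigPluginState -Config $config -Name Ec2HandleUserData
    if (Test-Path $configPath) { $config.Save($configPath) }
}
Get-Ec2ConfigPluginState -Config $config          # states after: both Enabled

# Set to $true only when you really intend to run Sysprep and shut down.
$runSysprep = $false
if ($runSysprep -and (Test-Ec2ConfigReadyForImage -Config $config)) {
    & "$env:ProgramFiles\Amazon\Ec2ConfigService\ec2config.exe" -sysprep
}
```

The XPath lookups by child element avoid the ambiguity of the PowerShell XML adapter, where a Plugin element's own Name property and its Name child element compete for the same member name.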
DriveLetterConfig.xml
DriveLetterMapping—Sets the drive letter mappings.
Construct the following XML to create drive letter mappings.
<?xml version="1.0" standalone="yes"?>
<DriveLetterMapping>
<Mapping>
<VolumeName></VolumeName>
<DriveLetter></DriveLetter>
</Mapping>
. . .
<Mapping>
<VolumeName></VolumeName>
<DriveLetter></DriveLetter>
</Mapping>
</DriveLetterMapping>
VolumeName—The volume label. For example, My Volume.
DriveLetter—The drive letter. For example, X:.
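The following PowerShell script is an added example, not from the EC2Config documentation. It generates DriveLetterConfig.xml in the layout shown above from a table of volume labels and drive letters, rejecting malformed or duplicate letters, and warns about letters already in use on the machine, since (as noted earlier on this page) a mapping to a drive letter that is already in use fails. The function names, the sample mappings, and the choice to exclude A: through C: are assumptions of this example.

```powershell
# Added example, not from the EC2Config documentation: generate
# DriveLetterConfig.xml in the layout shown above from a label-to-letter
# table, rejecting malformed or duplicate letters and warning about letters
# that are already in use (a mapping to an in-use letter fails).

function Test-DriveLetterFree {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'Z:'
    $name = $DriveLetter.TrimEnd(':')
    return -not (Get-PSDrive -Name $name -PSProvider FileSystem -ErrorAction SilentlyContinue)
}

function New-DriveLetterConfigXml {
    param([Parameter(Mandatory)][hashtable]$Mappings)   # @{ 'My Volume' = 'Z:' }
    $doc = New-Object System.Xml.XmlDocument
    $null = $doc.AppendChild($doc.CreateXmlDeclaration('1.0', $null, 'yes'))
    $root = $doc.AppendChild($doc.CreateElement('DriveLetterMapping'))
    $used = @{}
    foreach ($label in $Mappings.Keys) {
        $letter = ([string]$Mappings[$label]).ToUpper()
        # A: and B: (floppy) and C: (system) are excluded by choice in this example.
        if ($letter -notmatch '^[D-Z]:$') { throw "invalid drive letter '$letter' for volume '$label'" }
        if ($used.ContainsKey($letter)) { throw "drive letter $letter is mapped to both '$($used[$letter])' and '$label'" }
        $used[$letter] = $label
        $mapping = $root.AppendChild($doc.CreateElement('Mapping'))
        $volumeName = $mapping.AppendChild($doc.CreateElement('VolumeName'))
        $volumeName.InnerText = $label
        $driveLetter = $mapping.AppendChild($doc.CreateElement('DriveLetter'))
        $driveLetter.InnerText = $letter
    }
    return $doc
}

# Constructed sample mappings, following the page's advice to start from Z:.
$mappings = @{ 'My Volume' = 'Z:'; 'Logs' = 'Y:' }
foreach ($entry in $mappings.GetEnumerator()) {
    if (-not (Test-DriveLetterFree -DriveLetter $entry.Value)) {
        Write-Warning "$($entry.Value) is already in use; EC2Config cannot assign it to '$($entry.Key)'"
    }
}
$doc = New-DriveLetterConfigXml -Mappings $mappings
$doc.OuterXml
# Write it into the Settings directory (elevated prompt) once the output looks right:
# $doc.Save("$env:ProgramFiles\Amazon\Ec2ConfigService\Settings\DriveLetterConfig.xml")
```

Building the document through System.Xml rather than string concatenation means a volume label containing characters such as & or < is escaped correctly instead of producing a file EC2Config cannot parse.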
EventLogConfig.xml
Category—The event log key to monitor.
ErrorType—The event type (for example, Error, Warning, Information.)
NumEntries—The number of events stored for this category.
LastMessageTime—To prevent the same message from being pushed
repeatedly, the service updates this value every time it pushes a message.
AppName—The event source or application that logged the event.
WallpaperSettings.xml
Instance ID—Displays the ID of the instance.
Public IP Address—Displays the public IP address of the instance.
Private IP Address—Displays the private IP address of the instance.
Availability Zone—Displays the Availability Zone in which the instance is running.
Instance Size—Displays the type of instance.
Architecture—Displays the setting of the PROCESSOR_ARCHITECTURE environment variable.
AddMemory—Displays the system memory, in GB.
AddECU—Displays the processing power, in ECU.
AddIO—Displays the I/O performance.
By default, the EC2Config service is included in each Amazon Windows AMI. When we release an updated version, we update all Amazon Windows AMIs with the latest version. However, you'll need to update your own Windows AMIs and instances with the latest version.
To find notifications of updates to EC2Config, go to the Amazon Elastic Compute Cloud forum.
To verify the version that is included with your Windows AMI, launch an instance from your AMI and
connect to it. From Control Panel, select Programs and Features. Look for Ec2ConfigService in
the list of installed programs. Its version number appears in the Version column.
To install the latest version of EC2Config
Go to the EC2Config download page.
Download and unzip the file.
Run EC2Install.exe.
The setup program stops the service, uninstalls it, and reinstalls the new version.
Reboot your instance.
Connect to your instance, run the Services administrative tool, and verify that the status
of EC2Config service is Started.
For more information about the changes in each version, see the What's New section on the download page.
You can manage the EC2Config service just as you would any other service.
If you want to apply updated settings to your instance, you can stop and restart the service. If you're manually installing EC2Config, you must stop the service first.
To stop the EC2Config service
Launch and connect to your Windows instance.
On the Start menu, point to Administrative Tools, and then click Services.
In the list of services, right-click EC2Config, and select Stop.
If you don't need to update the configuration settings or create your own AMI, you can delete the service. Deleting a service removes its registry subkey.
To delete the EC2Config service
Start a command prompt window.
Run the following command:
sc delete ec2config
Stop the service first; sc delete removes the registry subkey but leaves the files in %ProgramFiles%\Amazon\EC2ConfigService in place. If you don't need to update the configuration settings or create your own AMI, you can instead uninstall EC2Config. Uninstalling a service removes the files, the registry subkey, and any shortcuts to the service.