Amazon Elastic Compute Cloud
User Guide for Windows Instances

Using EC2Rescue

EC2Rescue is an easy-to-use tool that you run on an Amazon EC2 Windows Server instance to diagnose and troubleshoot possible problems. It is valuable for collecting log files, troubleshooting issues, and proactively searching for possible areas of concern. It can also examine EBS root volumes from other instances and collect relevant logs for troubleshooting Windows Server instances using that volume.

EC2Rescue has two modules: a data collector module that collects data from different sources, and an analyzer module that parses the collected data against a series of predefined rules to identify issues and provide suggestions.

The EC2Rescue tool only runs on EC2 instances running Windows Server 2008 R2 and later. When the tool starts, it checks whether it is running on an EC2 instance.


EC2Rescue is able to perform the following analysis on an offline instance:



Diagnose and Rescue

The following service settings can be detected and modified:

  • System Time

    • RealTimeisUniversal ‐ Detects whether the RealTimeisUniversal registry key is enabled. If disabled, Windows system time drifts when the timezone is set to a value other than UTC.

  • Windows Firewall

    • Domain networks ‐ Detects whether this Windows Firewall profile is enabled or disabled.

    • Private networks ‐ Detects whether this Windows Firewall profile is enabled or disabled.

    • Guest or public networks ‐ Detects whether this Windows Firewall profile is enabled or disabled.

  • Remote Desktop

    • Service Start ‐ Detects whether the Remote Desktop service is enabled.

    • Remote Desktop Connections ‐ Detects whether this is enabled.

    • TCP Port ‐ Detects which port the Remote Desktop service is listening on.

  • EC2Config

    • Installation ‐ Checks which EC2Config version is installed.

    • Service Start ‐ Detects whether the EC2Config service is enabled.

    • Ec2SetPassword ‐ Generates a new administrator password.

    • Ec2HandleUserData ‐ Allows you to execute a user data script on the next boot of the instance.

  • Network Interface

    • DHCP Service Startup ‐ Detects whether the DHCP service is enabled.

    • Ethernet detail ‐ Displays information about the network driver version, if detected.

    • DHCP on Ethernet ‐ Detects whether DHCP is enabled.


Perform one of the following actions:

  • Last Known Good Configuration ‐ Attempts to boot the instance into the last known bootable state.

  • Restore registry from backup ‐ Restores the registry from \Windows\System32\config\RegBack.

Capture Logs

Allows you to capture logs on the instance for analysis.

EC2Rescue is able to collect the following data from active and offline instances:

Item                  Description
Event Log             Collects application, system, and EC2Config event logs.
Memory Dump           Collects any memory dump files that exist on the instance.
EC2Config File        Collects log files generated by the EC2Config service.
EC2Launch File        Collects log files generated by the EC2Launch scripts.
SSM Agent File        Collects log files generated by the SSM agent.
Sysprep Log           Collects log files generated by the Windows System Preparation tool.
Driver SetupAPI Log   Collects Windows SetupAPI logs ( and setupapi.setup.log).
Registry              Collects SYSTEM and SOFTWARE hives.
System Information    Collects MSInfo32.
Boot Configuration    Collects HKEY_LOCAL_MACHINE\BCD00000000 hive.
Windows Update Log    Collects information about the updates that are installed on the instance.


Windows Update logs are not captured on Windows Server 2016 instances.

Video Walkthrough

Brandon shows you how to use the Diagnose and Rescue feature of EC2Rescue for Windows

Analyzing an Offline Instance

The Offline Instance option is useful for debugging boot issues with Windows instances.

To perform an action on an offline instance

  1. From a working Windows Server instance, download the EC2Rescue tool and extract the files.

  2. Stop the faulty instance, if it is not stopped already.

  3. Detach the EBS root volume from the faulty instance and attach the volume to a working Windows instance that has EC2Rescue installed.

  4. Run the EC2Rescue tool on the working instance and choose Offline Instance.

  5. Select the disk of the newly mounted volume and choose Next.

  6. Confirm the disk selection and choose Yes.

  7. Choose the offline instance option to perform and choose Next.

The EC2Rescue tool scans the volume and collects troubleshooting information based on the selected log files.
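Most of the settings listed under Diagnose and Rescue live in the SYSTEM registry hive, so they can also be read directly, either on the running instance or from the root volume attached in the procedure above. The following PowerShell is an added example, not part of EC2Rescue or of the original guide; the drive letter D:, the mount name OfflineSystem, the function name Get-BootRelevantSetting and the Ec2Config service name are assumptions.

```powershell
# Added example: read-only report of the settings listed under "Diagnose and Rescue".
# Assumptions (not from the guide): drive letter D:, mount name OfflineSystem,
# and Ec2Config as the EC2Config service name. Run from an elevated session.
function Get-BootRelevantSetting {
    param(
        # 'HKLM:\SYSTEM' for the running instance, or the key an offline hive is loaded under.
        [string]$SystemKey = 'HKLM:\SYSTEM'
    )
    # An offline hive has no CurrentControlSet link, so resolve it from Select\Current.
    $current = (Get-ItemProperty -Path "$SystemKey\Select" -ErrorAction Stop).Current
    $cs = '{0}\ControlSet{1:d3}' -f $SystemKey, $current
    $startType = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

    # Returns $null instead of throwing when the key or value is absent.
    function Read-Value([string]$Path, [string]$Name) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    function Read-StartType([string]$Service) {
        $v = Read-Value "$cs\Services\$Service" 'Start'
        if ($null -eq $v) { 'NotFound' } else { $startType[[int]$v] }
    }

    $fw = "$cs\Services\SharedAccess\Parameters\FirewallPolicy"
    $ts = "$cs\Control\Terminal Server"
    [pscustomobject]@{
        ControlSet            = Split-Path $cs -Leaf
        RealTimeIsUniversal   = (Read-Value "$cs\Control\TimeZoneInformation" 'RealTimeIsUniversal') -eq 1
        FirewallDomain        = (Read-Value "$fw\DomainProfile" 'EnableFirewall') -eq 1
        # The registry calls the "Private networks" profile StandardProfile.
        FirewallPrivate       = (Read-Value "$fw\StandardProfile" 'EnableFirewall') -eq 1
        FirewallPublic        = (Read-Value "$fw\PublicProfile" 'EnableFirewall') -eq 1
        RdpServiceStart       = Read-StartType 'TermService'
        RdpConnectionsAllowed = (Read-Value $ts 'fDenyTSConnections') -eq 0
        RdpTcpPort            = Read-Value "$ts\WinStations\RDP-Tcp" 'PortNumber'
        Ec2ConfigServiceStart = Read-StartType 'Ec2Config'
        DhcpServiceStart      = Read-StartType 'Dhcp'
    }
}

# Running instance:
Get-BootRelevantSetting

# Attached root volume of the stopped instance: load its SYSTEM hive, report, unload.
$hive = 'D:\Windows\System32\config\SYSTEM'
if (Test-Path $hive) {
    reg.exe load 'HKLM\OfflineSystem' $hive | Out-Null
    try { Get-BootRelevantSetting -SystemKey 'HKLM:\OfflineSystem' }
    finally { [gc]::Collect(); reg.exe unload 'HKLM\OfflineSystem' | Out-Null }
}
```

reg.exe load opens the hive read-write, so when the volume is being preserved as evidence, run this against a volume created from a snapshot instead. Firewall state enforced through Group Policy is stored in the SOFTWARE hive and is not covered by this report.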

Collecting Data from an Active Instance

You can collect logs and other data from an active instance.

To collect data from an active instance

  1. Connect to your Windows instance.

  2. Download the EC2Rescue tool to your Windows instance and extract the files.

  3. Open the EC2Rescue application and accept the license agreement.

  4. Choose Next, Current instance, Capture logs.

  5. Select the data items to collect and choose Collect....

  6. Read the warning and choose Yes to continue.

  7. Choose a filename and location for the ZIP file and choose Save.

  8. After EC2Rescue completes, choose Open Containing Folder to view the ZIP file.

  9. Choose Finish.