Troubleshoot impaired Windows instance with the EC2Rescue CLI - Amazon Elastic Compute Cloud

The EC2Rescue for Windows Server command line interface (CLI) allows you to run an EC2Rescue for Windows Server plugin (referred to as an "action") programmatically.

The EC2Rescue for Windows Server tool has two execution modes:

  • /online—This allows you to take action on the instance that EC2Rescue for Windows Server is installed on, such as collect log files.

  • /offline:<device_id>—This allows you to take action on the offline root volume that is attached to a separate Amazon EC2 Windows instance, on which you have installed EC2Rescue for Windows Server.

Download the EC2Rescue for Windows Server tool to your Windows instance and extract the files. You can view the help file using the following command:

EC2RescueCmd.exe /help

EC2Rescue for Windows Server can perform the following actions on an Amazon EC2 Windows instance:

Collect action

Note

You can collect all logs, an entire log group, or an individual log within a group.

EC2Rescue for Windows Server can collect the following data from active and offline instances.

| Log group | Available logs | Description |
|---|---|---|
| all | | Collects all available logs. |
| eventlog | 'Application', 'System', 'EC2ConfigService' | Collects application, system, and EC2Config event logs. |
| memory-dump | 'Memory Dump File', 'Mini Dump Files' | Collects any memory dump files that exist on the instance. |
| ec2config | 'Log Files', 'Configuration Files' | Collects log files generated by the EC2Config service. |
| ec2launch | 'Logs', 'Config' | Collects log files generated by the EC2Launch scripts. |
| ssm-agent | 'Log Files', 'Patch Baseline Logs', 'InstanceData' | Collects log files generated by SSM Agent and Patch Manager logs. |
| sysprep | 'Log Files' | Collects log files generated by the Windows System Preparation tool. |
| driver-setup | 'SetupAPI Log Files', 'DPInst Log File', 'AWS PV Setup Log File' | Collects Windows SetupAPI logs (setupapi.dev.log and setupapi.setup.log). |
| registry | 'SYSTEM', 'SOFTWARE', 'BCD' | Collects SYSTEM and SOFTWARE hives. |
| egpu | 'Event Log', 'System Files' | Collects event logs related to elastic GPUs. |
| boot-config | 'BCDEDIT Output' | Collects HKEY_LOCAL_MACHINE\BCD00000000 hive. |
| windows-update | 'Log Files' | Collects log files generated by Windows Update. Note: In Windows Server 2016 and later, the log is collected in Event Tracing for Windows (ETW) format. |
| cloudendure | 'Migrate Script Logs', 'Driver Logs', 'CloudEndure File List' | Collects log files related to CloudEndure Agent. |

EC2Rescue for Windows Server can collect the following additional data from active instances.

| Log group | Available logs | Description |
|---|---|---|
| system-info | 'MSInfo32 Output' | Collects MSInfo32. |
| gpresult | 'GPResult Output' | Collects a Group Policy report. |

The following are the available options:

  • /output:<outputFilePath> ‐ Required destination file path location to save collected log files in zip format.

  • /no-offline ‐ Optional attribute used in offline mode. Does not set the volume offline after completing the action.

  • /no-fix-signature ‐ Optional attribute used in offline mode. Does not fix a possible disk signature collision after completing the action.

Examples

The following are examples using the EC2Rescue for Windows Server CLI.

Online mode examples

Collect all available logs:

EC2RescueCmd /accepteula /online /collect:all /output:<outputFilePath>

Collect only a specific log group:

EC2RescueCmd /accepteula /online /collect:ec2config /output:<outputFilePath>

Collect individual logs within a log group:

EC2RescueCmd /accepteula /online /collect:'ec2config.Log Files,driver-setup.SetupAPI Log Files' /output:<outputFilePath>

Offline mode examples

Collect all available logs from an EBS volume. The volume is specified by the device_id value.

EC2RescueCmd /accepteula /offline:xvdf /collect:all /output:<outputFilePath>

Collect only a specific log group:

EC2RescueCmd /accepteula /offline:xvdf /collect:ec2config /output:<outputFilePath>

Rescue action

EC2Rescue for Windows Server can detect and address issues with the following service settings:

| Service group | Available actions | Description |
|---|---|---|
| all | | |
| system-time | 'RealTimeIsUniversal' | System Time. RealTimeIsUniversal ‐ Detects whether the RealTimeIsUniversal registry key is enabled. If disabled, Windows system time drifts when the timezone is set to a value other than UTC. |
| firewall | 'Domain networks', 'Private networks', 'Guest or public networks' | Windows Firewall. Domain networks ‐ Detects whether this Windows Firewall profile is enabled or disabled. Private networks ‐ Detects whether this Windows Firewall profile is enabled or disabled. Guest or public networks ‐ Detects whether this Windows Firewall profile is enabled or disabled. |
| rdp | 'Service Start', 'Remote Desktop Connections', 'TCP Port' | Remote Desktop. Service Start ‐ Detects whether the Remote Desktop service is enabled. Remote Desktop Connections ‐ Detects whether this is enabled. TCP Port ‐ Detects which port the Remote Desktop service is listening on. |
| ec2config | 'Service Start', 'Ec2SetPassword', 'Ec2HandleUserData' | EC2Config. Service Start ‐ Detects whether the EC2Config service is enabled. Ec2SetPassword ‐ Generates a new administrator password. Ec2HandleUserData ‐ Allows you to run a user data script on the next boot of the instance. |
| ec2launch | 'Reset Administrator Password' | Generates a new Windows administrator password. |
| network | 'DHCP Service Startup' | Network Interface. DHCP Service Startup ‐ Detects whether the DHCP service is enabled. |

The following are the available options:

  • /level:<level> ‐ Optional attribute for the check level that the action should trigger. Allowed values are: information, warning, error, all. By default, it is set to error.

  • /check-only ‐ Optional attribute that generates a report but makes no modifications to the offline volume.

    Note

    If EC2Rescue for Windows Server detects a possible disk signature collision, it corrects the signature after the offline process completes by default, even when you use the /check-only option. You must use the /no-fix-signature option to prevent the correction.

  • /no-offline ‐ Optional attribute that prevents the volume from being set offline after completing the action.

  • /no-fix-signature ‐ Optional attribute that does not fix a possible disk signature collision after completing the action.

Rescue examples

The following are examples using the EC2Rescue for Windows Server CLI. The volume is specified using the device_id value.

Attempt to fix all identified issues on a volume:

EC2RescueCmd /accepteula /offline:xvdf /rescue:all

Attempt to fix all issues within a service group on a volume:

EC2RescueCmd /accepteula /offline:xvdf /rescue:firewall

Attempt to fix a specific item within a service group on a volume:

EC2RescueCmd /accepteula /offline:xvdf /rescue:rdp.'Service Start'

Specify multiple issues to attempt to fix on a volume:

EC2RescueCmd /accepteula /offline:xvdf /rescue:'system-time.RealTimeIsUniversal,ec2config.Service Start'
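
A read-only triage pass over an offline volume, as an added example that is not part of the original documentation: it runs the rescue checks with both /check-only and /no-fix-signature so that nothing on the volume is changed, collects the logs, and records a hash of the archive. The tool path, the output folder, and the helper function name Invoke-EC2Rescue are assumptions; xvdf is the device_id used in the examples above.

```powershell
# Added example: read-only triage of an offline root volume.
# Assumed values (not from the page): tool path and output folder.
$RescueCmd = 'C:\EC2Rescue\EC2RescueCmd.exe'   # assumed extraction path
$DeviceId  = 'xvdf'                            # device_id used in the page's examples
$OutDir    = 'D:\triage'                       # assumed folder on the helper instance
$Stamp     = Get-Date -Format 'yyyyMMddTHHmmss'
$Report    = Join-Path $OutDir "$DeviceId-check-$Stamp.txt"
$Zip       = Join-Path $OutDir "$DeviceId-logs-$Stamp.zip"

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Hypothetical helper: runs the tool and keeps the exact command line
# next to whatever the tool prints.
function Invoke-EC2Rescue {
    param([string[]]$Arguments, [string]$LogPath)
    "EC2RescueCmd $($Arguments -join ' ')" | Tee-Object -FilePath $LogPath -Append
    & $RescueCmd @Arguments 2>&1 | Tee-Object -FilePath $LogPath -Append
}

# 1. Report on every check level without changing the volume.
#    /check-only alone still lets the tool correct a disk signature
#    collision, so /no-fix-signature is passed as well.
Invoke-EC2Rescue -LogPath $Report -Arguments @(
    '/accepteula', "/offline:$DeviceId", '/rescue:all',
    '/level:all', '/check-only', '/no-fix-signature'
)

# 2. Collect all logs from the same volume, again leaving the signature alone.
Invoke-EC2Rescue -LogPath $Report -Arguments @(
    '/accepteula', "/offline:$DeviceId", '/collect:all',
    "/output:$Zip", '/no-fix-signature'
)

# 3. Stop if no archive was produced, then record its SHA-256 so later
#    copies of the collected data can be verified against this one.
if (-not (Test-Path -LiteralPath $Zip)) {
    throw "No archive at $Zip; see $Report for the tool's output."
}
Get-FileHash -LiteralPath $Zip -Algorithm SHA256 |
    Select-Object Algorithm, Hash, Path |
    Export-Csv -Path "$Zip.sha256.csv" -NoTypeInformation
```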

Restore action

EC2Rescue for Windows Server can detect and address issues with the following service settings:

| Service Group | Available Actions | Description |
|---|---|---|
| Restore Last Known Good Configuration | lkgc | Last Known Good Configuration ‐ Attempts to boot the instance into the last known bootable state. |
| Restore Windows registry from latest backup | regback | Restore registry from backup ‐ Restores the registry from \Windows\System32\config\RegBack. |

The following are the available options:

  • /no-offline—Optional attribute that prevents the volume from being set offline after completing the action.

  • /no-fix-signature—Optional attribute that does not fix a possible disk signature collision after completing the action.

Restore examples

The following are examples using the EC2Rescue for Windows Server CLI. The volume is specified using the device_id value.

Restore last known good configuration on a volume:

EC2RescueCmd /accepteula /offline:xvdf /restore:lkgc

Restore the last Windows registry backup on a volume:

EC2RescueCmd /accepteula /offline:xvdf /restore:regback