Recovering Access: A Guide for Lost EC2 Password in Windows

Lost your EC2 Windows password? Learn easy steps to regain access with EC2Launch, EC2 Config, and Systems Manager. Plus, get tips to prevent future issues!

Published May 7, 2024
In my previous blog post I have mentioned 5 methods to regain access to your Ec2 Linux instance if you have lost your Key Pair. Read it here if you haven’t read it already. In this blog I will discuss about how to regain access if you have lost your Password of EC2 windows instance.
Let’s add some spice to our blog by a storyline as usual.
Picture this: you're brewing coffee, ready to conquer your workday on your trusty EC2 instance. But then, dread strikes – you can't remember the password! Don't reach for the metaphorical eject button just yet. Regaining access to your Windows EC2 instance is possible, and this blog post will be your knight in shining armor.
The Four Wise Men: EC2Launch v2, EC2 Config, EC2Launch, Systems Manager

Recovery Method 1: Using EC2Launch v2

Let's delve into the steps to recover a Windows EC2 instance when the password is lost.
  1. Firstly, confirm that your EC2 instance employs an EBS root volume. If the Windows AMI utilizes the EC2Launch v2 service, the recovery process becomes straightforward.
  2. Detach the EBS root volume and attach it to a temporary EC2 instance running Windows.
  3. Access the secondary volume and delete the "run-once" file. This action prompts the old EC2 instance to initiate as if it's a fresh start.
  4. Reattach the volume to the original EC2 instance, restart it, and await the prompt for a new password.
  5. As the instance now believes it's booting for the first time, you'll be prompted to set a new password, thus successfully recovering the EC2 instance.

Recovery Method 2: Using EC2 Config

If you're using an older Windows AMI, like those before Windows Server 2016, it's considered an older AMI. For these, you need to use the EC2Config service. To work with this older AMI, you have to follow a similar process as before.
  1. Create a new EC2 instance temporarily. Detach the EBS root volume and attach the volume to a temporary instance as a secondary volume.
  2. However, this time, you need to modify a specific file - \ProgramFiles\Amazon\\Ec2ConfigService\Settings\config.xml. Inside this file, there's a setting called “EC2 set password” variable.
  3. If you set this variable to "enabled", you can reset the password. After making this change, restart the previous instance.
  4. Upon restart, you'll be prompted to set a new password, and then you can access the EC2 instance again.

Recovery Method 3: Using EC2Launch

This method of EC2Launch is used for Windows server 2016 and later AMIs which have not been upgraded to the newer version EC2Launch v2. This method is also a little like the previous one.
  1. You need to create a new EC2 instance temporarily. Detach the EBS root volume and attach the volume to a temporary instance as a secondary volume.
  2. To reset the administrator password, download and install the EC2Rescue Tool for Windows Server.
  3. Follow these steps: select Offline Instance Option -> Diagnose and Rescue -> Reset Administrator Password
  4. After resetting, reattach the volume to the EC2 instance, restart it, and the new admin password will be set.

Recovery Method 4: Using EC2 Systems Manager

You can also recover access to your EC2 instance using Systems Manager. Ensure the EC2 instance running Windows has the SSM Agent installed. There are total 3 methods available using Systems Manager.
Method 1: It automates the process we've discussed earlier in Method 3.
  1. Use AWSSupport-RunEC2RescueForWindowsTool Run Command Document
  2. Install and run EC2RescueTool for Windows Server
  3. Command is set to ResetAccess
Method 2: This automation document helps in resetting access.
  1. Use AWSSupport-ResetAccess Automation Document
  2. Works for both Windows and Linux
Method 3: This document allows you to set the administrator password to "Password@123" easily.
  1. Manually AWS-RunPowerShellScript Run Command Document
  2. Command: net user Administrator Password@123

Pro Tip

Preventative Measures are a Hero's Best Friend
While these recovery methods exist, prevention is always better than cure. Here are some ways to avoid future password-induced panic:
  • Store passwords securely: Use a password manager and enable multi-factor authentication.
  • Rotate passwords regularly: Keep those passwords fresh!
  • Consider IAM roles: For programmatic access, leverage IAM roles instead of local administrator accounts.

Conclusion

In this blog post I have explained four methods to recover from your lost EC2 Password for Windows Instance depending on your situation. You can use EC2Launch v2, EC2Config, EC2Launch or Systems Manager (if you have the SSM Agent installed) to reset your password. Remember, it's always better to be safe than sorry. Use a password manager and rotate your passwords regularly!
 

Comments