Losing access to a Windows instance on Amazon EC2 can be a major roadblock, whether due to a forgotten password or an accidental lockout. Fortunately, AWS provides tools like AWS Systems Manager (SSM) and EC2Rescue for Windows Server to help you regain access without needing to recreate the instance. These tools allow you to reset passwords or unlock user accounts quickly, ensuring minimal disruption to your workflow.
In this article, we’ll walk through two effective methods to recover access to your Windows instance in EC2.
Method 1: Use AWS Systems Manager (SSM) to Reset Password
AWS Systems Manager (SSM) allows you to execute commands remotely on your instances. If your instance has the SSM Agent installed and is properly configured with IAM permissions, you can use SSM to run a PowerShell script that resets the password for your Windows instance.
Prerequisites
- SSM Agent installed on your Windows instance (most modern Windows AMIs come with this pre-installed).
- IAM Role attached to the instance with permissions for SSM, such as AmazonEC2RoleforSSM.
- Instance is running in a public or private subnet with outbound internet access.
Steps to Reset the Password with SSM
- Go to AWS Systems Manager Console:
  - Navigate to the AWS Systems Manager console and select Run Command from the menu.
- Choose the Run Command Document:
  - Select the AWS-RunPowerShellScript document. This allows you to execute a PowerShell script on the instance.
- Choose the Instance:
  - From the list of available instances, select the locked Windows instance you want to regain access to.
- Enter the Script to Reset Password:
  - In the Command Parameters box, enter the following PowerShell script to reset the Administrator password: net user Administrator NewPassword123!
- Execute the Command: Choose Run. Systems Manager will execute the command on the instance. This may take a few moments to complete.
- Log In: Once the command has successfully run, try logging into the instance using the new password.
Benefits of Using SSM for Password Reset
- No Need to Stop the Instance: You don’t need to stop or restart the instance, so there’s minimal disruption.
- Quick and Efficient: With the correct setup, you can reset passwords in minutes.
- Secure and Controlled: Using IAM policies, you can control who has access to use Systems Manager commands.
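The Run Command steps of Method 1, scripted with boto3 as an added example (not code from the original article): it checks the SSM prerequisite, sends net user through AWS-RunPowerShellScript with a generated password instead of a fixed one, and waits for the result. The function names are assumptions of this example, and the ssm argument is expected to be a boto3.client("ssm").

```python
import secrets
import string
import time

SYMBOLS = "!#_+="  # no quotes or spaces, so the value is safe inside single quotes


def temp_password(length=14):
    """Random password; 14 chars because `net user` prompts for confirmation above that."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    classes = (str.islower, str.isupper, str.isdigit, SYMBOLS.__contains__)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if pw[0].isalpha() and all(any(f(c) for c in pw) for f in classes):
            return pw


def reset_password(ssm, instance_id, poll=2.0, timeout=120.0):
    """Reset Administrator via AWS-RunPowerShellScript; returns the new password."""
    # Prerequisite check: the instance must be registered with SSM and reachable.
    found = ssm.describe_instance_information(
        Filters=[{"Key": "InstanceIds", "Values": [instance_id]}]
    )["InstanceInformationList"]
    if not found or found[0].get("PingStatus") != "Online":
        raise RuntimeError(f"{instance_id} is not an online SSM managed instance")
    if found[0].get("PlatformType") != "Windows":
        raise RuntimeError(f"{instance_id} is not a Windows instance")

    password = temp_password()
    command_id = ssm.send_command(
        InstanceIds=[instance_id],
        DocumentName="AWS-RunPowerShellScript",
        Parameters={"commands": [f"net user Administrator '{password}'"]},
    )["Command"]["CommandId"]

    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        time.sleep(poll)
        try:
            inv = ssm.get_command_invocation(CommandId=command_id, InstanceId=instance_id)
        except ssm.exceptions.InvocationDoesNotExist:
            continue  # invocation not registered yet; poll again
        if inv["Status"] == "Success":
            return password
        if inv["Status"] in ("Failed", "Cancelled", "TimedOut"):
            raise RuntimeError(f"{inv['Status']}: {inv.get('StandardErrorContent', '')}")
    raise TimeoutError(f"command {command_id} did not finish in {timeout}s")
```

Run Command keeps the command text, password included, in its command history, so change the password after the first login.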
Method 2: Use EC2Rescue for Windows Server to Reset Password
AWS provides a tool called EC2Rescue for Windows Server to troubleshoot and repair issues on Windows instances. This tool includes a password reset feature, making it highly useful if your instance is locked out and Systems Manager isn’t available or configured.
Prerequisites
- A helper Windows EC2 instance in the same Availability Zone as the locked instance.
- EC2Rescue for Windows Server downloaded on the helper instance.
Steps to Use EC2Rescue for Windows Server
- Stop the Locked Instance:
  - In the AWS Management Console, select your locked instance and choose Stop (do not choose Terminate, as this will delete the instance).
- Detach the Root Volume:
  - Go to Elastic Block Store (EBS) > Volumes in the console.
  - Find the root volume associated with your locked instance (it will typically be /dev/sda1 or /dev/xvda).
  - Select Actions > Detach Volume.
- Attach the Volume to a Helper Instance:
  - Attach this root volume to a separate Windows EC2 instance (helper instance) as a secondary volume. Make note of the device name.
- Log into the Helper Instance:
  - Log into the helper instance, open File Explorer, and ensure the secondary volume (the locked instance’s root volume) is visible.
- Run EC2Rescue Tool:
  - Download and run the EC2Rescue tool for Windows on the helper instance.
  - In EC2Rescue, choose the Offline Instance option, then select the attached secondary volume.
  - Choose Reset Password or Unlock User Account, depending on your issue.
- Detach and Reattach the Root Volume:
  - Once the process is complete, go back to the EBS console and detach the volume from the helper instance.
  - Reattach it to the original instance as the root volume (e.g., /dev/sda1 or /dev/xvda).
- Start the Original Instance:
  - Go back to the EC2 Console and start your instance. You should now be able to log in with the new password or account access.
Benefits of Using EC2Rescue for Password Reset
- Ideal for Offline Troubleshooting: EC2Rescue is very helpful when the instance is completely inaccessible.
- Robust Troubleshooting: Besides password reset, EC2Rescue offers other troubleshooting tools, such as network configuration repair and system log analysis.
- Works Without SSM: If Systems Manager isn’t configured, EC2Rescue provides a reliable fallback method.