If you happen to forget your administrator password for an EC2 Windows instance and don’t have another windows account to log into the instance to reset it, the good news is you can easily regenerate it with a few simple steps:
- Shut down the Windows instance to detach the root volume
- Attach the detached root volume to another instance
- Change Ec2SetPassword to Enabled from another instance
- Re-attach the root volume to the original Windows instance
- Start the Windows instance to retrieve the new password
STEP 1: Shut Down the Windows Instance to Detach the Root Volume
It is always a good practice to shut down the instance before detaching the root volume to make sure I/O is suspended to prevent it from corrupted. It can be done through the EC2 Dashboard. All you need to do is to highlight the Windows instance and select the Stop option to shut down the instance completely.
STEP 2: Attach the Detached Root Volume to Another Instance
You will need to detach the root volume before you can attach it to another instance in the same availability zone. You can use the instance ID to locate the root volume and select the Detach Volume option to make it available for another instance. You may see a few volumes if you have other volumes for the Windows instance. You only need to detach the root volume, which is attached as /dev/sda1. Before detaching the root volume, you may want to write down the volume ID and even tag it to help you locate it later on.
I recommend to attach the volume to a running Linux instance. You probably can attach it to another Windows instance but doing so will make the volume non-bootable and prevent the original Windows instance from booting it up properly.
After attaching the volume to the Linux instance, you should be able to see a message in the /var/log/messages log file to indicate the volume is detected within the Linux instance. You can use the tail command to confirm it.
I attached the volume as /dev/sdf, so it was attached and mapped as xvdf1 in the messages log file.
Before you can mount the volume, you will need to create a local directory for the mount point. You can use mkdir to create an empty directory. Let’s call the directory /mnt/c-drive.
Now it is time to mount the volume assuming the device is xvdf1 and the mount point is /mnt/c-drive. Replace them accordingly to reflect your settings.
STEP 3: Change Ec2SetPassword to Enabled from Another Instance
Once the volume is mounted, change the current directory to the Settings directory.
In the config.xml, set the state of the Ec2SetPassword parameter to Enabled and save it.
Get out of the /mnt/c-drive directory and umount it so that you can detach it from the Linux instance gracefully.
STEP 4: Re-attach the Root Volume to the Original Windows Instance
The config.xml is edited and the volume is unmounted. The volume is ready to be detached from the Linux instance and re-attached back to the original Windows instance. You can perform these actions in the Volumes section of the EC2 Dashboard. When you re-attach the volume, make sure to set the Device field to /dev/sda1 to indicate this is a root volume. Otherwise, the Windows instance will not be able to start.
STEP 5: Start the Instance to Retrieve the New Password
The instance is still in the stopped state. You can start the instance from the EC2 Dashboard console. It may take 15-30 minutes to get the new password generated.
You can use your key pair to retrieve the new password with the Get Windows Password option and log into the Windows instance.