If you have lost access to your Windows EC2 instance because the Administrator password is unknown, expired, or was changed and forgotten, you can reset it using the EC2Rescue tool without losing any data or reinstalling Windows.
This can happen for a number of reasons: the instance may have been set up by someone who is no longer available, the password may have been changed from the original AWS-generated one and not recorded, or the password may have simply expired due to Windows password policies.
This guide walks you through the process of temporarily detaching the instance’s root volume, attaching it to a secondary instance, and using EC2Rescue to reset the Administrator password so you can regain access.
Note that this guide applies to instances running Windows Server 2016 or newer.
1. Stop the Windows instance whose password you want to reset.
2. Detach the root volume of the Windows instance. First, select the instance and click the “Storage” tab to find the root volume ID (starts with “vol-”); it is usually listed as “/dev/sda1”. Note this volume ID for steps 4, 10, and 11. Then, in the left navigation pane, choose “Volumes”, select that volume, and choose “Actions”, then “Detach Volume”. Wait for the volume status to change to “available” before proceeding.
3. Create a new (or use an existing) Windows instance running Windows Server 2016 or newer. To avoid disk signature collisions, use a different version of Windows than the original instance (for example, if the original runs Windows Server 2022, use a Windows Server 2019 AMI for the temporary instance). The temporary instance must be in the same Region AND Availability Zone as the original. For example, us-east-1 is a Region and us-east-1a is an Availability Zone; the Availability Zone is shown as a column on the AWS Instances list. When launching the instance, use the “Edit” button in “Network settings” and select the “Subnet” that is in the same Availability Zone.
4. Attach the detached volume to the new Windows instance by selecting the instance, then selecting “Actions”, “Storage”, then “Attach volume”. Select the volume from step 2, and select “xvdf” from the drop-down list as the “Device name”.
5. Log in to the new Windows instance and download the “EC2Rescue for Windows Server” program from https://s3.amazonaws.com/ec2rescue/windows/EC2Rescue_latest.zip
6. Unzip the downloaded EC2Rescue_latest.zip file, run “EC2Rescue”, and select the “I Agree” button on the License Agreement. Select “Next” on the “Welcome to EC2Rescue” window.
7. On the “Select mode” window, select “Offline instance”, then on the next window select the “xvdf” device. Select “Yes” when it asks to bring the drive online.
8. On the “Select Offline Instance Option” window, select the “Diagnose and Rescue” option, then select “Next” on the Summary.
9. On the “Detected possible issues” window, check “Reset Administrator Password” and select “Next”. On the “Confirm” window, select the “Rescue” button, and select “OK” when asked if you want to proceed. On the Done screen, select “Finish” and close the EC2Rescue tool if it is still open.
10. Detach the volume from step 2 from the EC2Rescue instance by selecting the instance, then selecting “Actions”, “Storage”, then “Detach volume”. On the drop-down list, select the volume from step 2.
11. Attach the volume from step 2 to the original Windows instance by selecting the instance, then selecting “Actions”, “Storage”, then “Attach volume”. Select the volume from step 2, and select “/dev/sda1” from the drop-down list as the “Device name”.
12. Once the volume is attached, start the original Windows instance. It can take several minutes for the new password to become accessible; we suggest waiting 10 minutes before proceeding.
13. Select the instance, then select the “Connect” button. Choose the “RDP client” tab and click the “Get password” link. Upload the original private key (.pem) file that was associated with this instance when it was first launched, and select “Decrypt password”. If everything worked and you waited long enough in step 12, the decrypted password should be the new Administrator password.
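
The volume moves in steps 1, 2, 4 and 10 to 12 can also be scripted. The following is an added AWS CLI example, not part of the original guide: it assumes a configured AWS CLI, the function names and the `to-helper`/`back` subcommands are made up for this example, and it checks the Availability Zone requirement from step 3 before the original instance is stopped.

```shell
#!/bin/sh
# Added example (not from the original guide): CLI form of the volume moves.
# Assumes a configured AWS CLI; function names and subcommands are hypothetical.
set -eu

# Availability Zone lookups, used for the same-AZ requirement in step 3.
instance_az() {
  aws ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].Placement.AvailabilityZone' --output text
}
volume_az() {
  aws ec2 describe-volumes --volume-ids "$1" \
    --query 'Volumes[0].AvailabilityZone' --output text
}

# Steps 1, 2 and 4: stop the original, detach its root volume, attach it to the
# temporary instance as xvdf. Args: original-instance-id volume-id helper-instance-id
move_to_helper() {
  if [ "$(volume_az "$2")" != "$(instance_az "$3")" ]; then
    echo "temporary instance is not in the volume's Availability Zone" >&2
    return 1   # refuse before anything has been stopped or detached
  fi
  aws ec2 stop-instances --instance-ids "$1" >/dev/null
  aws ec2 wait instance-stopped --instance-ids "$1"
  aws ec2 detach-volume --volume-id "$2" >/dev/null
  aws ec2 wait volume-available --volume-ids "$2"   # "available" as in step 2
  aws ec2 attach-volume --volume-id "$2" --instance-id "$3" --device xvdf >/dev/null
  aws ec2 wait volume-in-use --volume-ids "$2"
}

# Steps 10 to 12: detach from the temporary instance, reattach to the original
# as /dev/sda1, then start it. Args: original-instance-id volume-id
move_back() {
  aws ec2 detach-volume --volume-id "$2" >/dev/null
  aws ec2 wait volume-available --volume-ids "$2"
  aws ec2 attach-volume --volume-id "$2" --instance-id "$1" --device /dev/sda1 >/dev/null
  aws ec2 wait volume-in-use --volume-ids "$2"
  aws ec2 start-instances --instance-ids "$1" >/dev/null
  aws ec2 wait instance-running --instance-ids "$1"
}

# Usage: script to-helper <original-id> <volume-id> <helper-id>
#        script back <original-id> <volume-id>
case "${1:-}" in
  to-helper) move_to_helper "$2" "$3" "$4" ;;
  back)      move_back "$2" "$3" ;;
esac
```

Steps 5 to 9 (running EC2Rescue on the temporary instance) still happen between the two calls. After `back` and the wait from step 12, the password retrieval in step 13 corresponds to `aws ec2 get-password-data` with the `--instance-id` and `--priv-launch-key` options.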
















