

How can I reset the administrator password on a Microsoft Windows Server instance in Amazon EC2?

You can reset the password for the Administrator account for your Windows Server instance using these methods:

  • AWS Systems Manager
  • Amazon EC2Rescue

Systems Manager Run Command AWSSupport-RunEC2RescueForWindowsTool (Online Method)

You can reset the admin password with Systems Manager by using the Run Command instance management feature.

You must confirm these prerequisites before you can reset the password for a Windows Server instance using Systems Manager:

  • The instance must have internet access (for Systems Manager) using a public IP address or NAT, or must use an Amazon Virtual Private Cloud (Amazon VPC) configured for Systems Manager. For more information, see VPC Endpoints.
  • You must configure Systems Manager for your AWS account, and install the Systems Manager agent on the instance. For more information, see Setting Up Systems Manager.

After you confirm these prerequisites, follow these instructions:

1.    Attach this policy to the IAM role associated with the instance in order to write the encrypted password to Parameter Store.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [ "<action elided>" ],
        "Resource": [ "<resource ARN elided>" ]
      }
    ]
  }

2.    From the Amazon EC2 console, in the navigation pane expand Systems Manager Services, and then choose Run Command.

3.    Choose Run a command.

4.    In the Command document section, choose Owned by Me or Amazon.

5.    In the document name list, choose AWSSupport-RunEC2RescueForWindowsTool.

6.    Verify that Select Targets by is set to Manually Selecting Instances.

7.    Select your instance.

8.    Verify Command is set to ResetAccess, and then choose Run.

9.    Select the Command ID for the instance, and then choose the Output tab.

10.   Choose View Output for instructions on how to retrieve the new password.

11.   After you regain access to your instance, we recommend you rotate the password and delete the parameter from Parameter Store.

For more information, see Using EC2Rescue for Windows Server with Systems Manager Run Command.

Systems Manager Automation AWSSupport-ResetAccess (Offline Method)

AWSSupport-ResetAccess is a Systems Manager Automation document that automates EC2Rescue offline password reset using AWS CloudFormation and AWS Lambda functions. This includes creating an instance to assist with recovery in your Availability Zone, attaching and detaching EBS volumes, and running the EC2Rescue utility. This method also creates an Amazon VPC for EC2Rescue to use that is isolated from your environment, and creates a backup AMI of the instance.

You can use the AWSSupport-ResetAccess document if:

  • You lost your EC2 key pair and want to create a password-enabled AMI from your EC2 instance, so you can launch a new instance with an existing key pair.
  • You lost your local Administrator password and want to generate a new password that you can decrypt with the current EC2 key pair.

1.    From the Amazon EC2 console, in the navigation pane expand Systems Manager Services, and then choose Automations.

2.    Choose Run Automation.

3.    In the Document name section, choose Owned by Me or Amazon.

4.    In the document name list, choose AWSSupport-ResetAccess.

5.    In the Input parameters section, enter the InstanceID of your EC2 instance.

6.    Choose Run automation.

7.    Wait until the execution's state changes to Success. Note that this can take up to 25 minutes.

  • To monitor the execution progress, choose the running automation, then choose the Steps tab.
  • To view the output of the automation, choose the Descriptions tab, and then choose View output.

8.    Use your existing key pair to decode the newly generated password from the EC2 console. For more information, see How do I retrieve my Windows administrator password after launching an instance?

If you lost your EC2 key pair:

1.    Stop your instance.

2.    From the Amazon EC2 console, in the navigation pane expand Images, and then choose AMIs.

3.    Search for your instance ID.

4.    Identify the AMI named AWSSupport-EC2Rescue: Password-enabled AMI from your instance ID.

5.    Select the AMI, then choose Launch.

6.    Follow the Launch Wizard to specify the configuration of your instance, and then select a key pair that you own.

7.    Verify that you can connect to the new instance and that your applications are working as expected before terminating the other instance.
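
Both reset paths above run through named Systems Manager documents, and step 11 of the online method asks you to delete the password parameter afterwards, so the activity can be audited from CloudTrail. The following added example (not part of the original article and not AWS code) scans CloudTrail-style records for invocations of the two documents and lists password parameters that were written but never deleted; the sample records, account ID, principals, and the parameter prefix `/example/reset-passwords/` are constructed placeholders.

```python
import json

# Systems Manager documents named on this page that reset administrator access.
RESET_DOCS = {"AWSSupport-RunEC2RescueForWindowsTool", "AWSSupport-ResetAccess"}
RESET_CALLS = {"SendCommand", "StartAutomationExecution"}
# ASSUMPTION: placeholder prefix. The real parameter name is shown in the
# Run Command output (step 10) and is not given on this page.
PASSWORD_PREFIX = "/example/reset-passwords/"

# Constructed sample records modelled on CloudTrail fields (not real log data).
SAMPLE = """\
{"eventTime":"2017-12-18T10:00:00Z","eventSource":"ssm.amazonaws.com","eventName":"SendCommand","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"documentName":"AWSSupport-RunEC2RescueForWindowsTool","instanceIds":["i-0aaa"]}}
{"eventTime":"2017-12-18T10:02:00Z","eventSource":"ssm.amazonaws.com","eventName":"PutParameter","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/instance-role/i-0aaa"},"requestParameters":{"name":"/example/reset-passwords/i-0aaa"}}
{"eventTime":"2017-12-18T10:30:00Z","eventSource":"ssm.amazonaws.com","eventName":"DeleteParameter","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"name":"/example/reset-passwords/i-0aaa"}}
{"eventTime":"2017-12-18T11:00:00Z","eventSource":"ssm.amazonaws.com","eventName":"SendCommand","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"},"requestParameters":{"documentName":"AWS-RunPowerShellScript","instanceIds":["i-0bbb"]}}
{"eventTime":"2017-12-18T12:00:00Z","eventSource":"ssm.amazonaws.com","eventName":"SendCommand","userIdentity":{"arn":"arn:aws:iam::111122223333:user/carol"},"requestParameters":{"documentName":"AWSSupport-RunEC2RescueForWindowsTool","instanceIds":["i-0ccc"]}}
{"eventTime":"2017-12-18T12:03:00Z","eventSource":"ssm.amazonaws.com","eventName":"PutParameter","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/instance-role/i-0ccc"},"requestParameters":{"name":"/example/reset-passwords/i-0ccc"}}
{"eventTime":"2017-12-18T13:00:00Z","eventSource":"ssm.amazonaws.com","eventName":"StartAutomationExecution","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dave"},"requestParameters":{"documentName":"AWSSupport-ResetAccess","parameters":{"InstanceId":["i-0ddd"]}}}
"""

def audit(log_text):
    """Return (reset_invocations, undeleted_password_parameters)."""
    resets, pending = [], {}
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != "ssm.amazonaws.com":
            continue
        name, req = ev["eventName"], ev.get("requestParameters") or {}
        who = ev.get("userIdentity", {}).get("arn", "unknown")
        if name in RESET_CALLS and req.get("documentName") in RESET_DOCS:
            resets.append((ev["eventTime"], who, req["documentName"]))
        elif name == "PutParameter" and req.get("name", "").startswith(PASSWORD_PREFIX):
            pending[req["name"]] = ev["eventTime"]  # password written to Parameter Store
        elif name == "DeleteParameter":
            pending.pop(req.get("name"), None)      # step 11 cleanup was performed
    return resets, sorted(pending)

if __name__ == "__main__":
    resets, leftover = audit(SAMPLE)
    for when, who, doc in resets:
        print(f"{when} {who} ran {doc}")
    print("password parameters never deleted:", leftover)
```
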

EC2Rescue (Offline or Online Method)

Note: This process requires Windows Server 2008 R2 or later. For more information, see How can I troubleshoot issues with my EC2 Windows instance by using the EC2Rescue tool?

To regenerate the Administrator password at next boot, you can enable Ec2SetPassword using EC2Rescue:

1.    Choose Diagnose and Rescue. The EC2Config section shows the current Ec2SetPassword setting. Choose Next.

2.    In Detect possible issues, select the Ec2SetPassword checkbox, and then choose Next.


Published: 2014-07-03

Updated: 2017-12-18