Recover EC2 Windows Password

September 9, 2022 By Lennon

Sometimes we forget a password and still need to log in to the server. This matters most when the administrator credential is lost. There is still a way to reset the password.
Here’s how you do it:
Before we begin, let’s assume you have an AWS EC2 Windows instance. You also need a Linux machine to reset the password. We recommend an Ubuntu Server instance in the same Availability Zone as your Windows instance, because an EBS volume can only be attached to an instance in its own Availability Zone. The procedure requires taking your EC2 Windows instance offline for a while.

Step 1: Verify that the Windows instance responds to RDP requests. To verify, run the following command:
mstsc /
If RDP prompts for credentials, RDP is running on the instance.

Step 2: Stop the Windows instance, then locate its root volume (/dev/sda1) and detach it.

Step 3: Attach the volume to the Ubuntu server and SSH into the machine.

Step 4: List the device names for volumes attached to the Linux instance. You can list them with the following command:
cat /proc/partitions

Step 5: Create a directory for the volume and mount the volume on it. Replace the device name in the mount command with the actual device name listed in Step 4.
sudo mkdir /volume2
sudo mount /dev/ /volume2

Step 6: Change to the System32 directory on the mounted volume:
cd /volume2/Windows/System32

Step 7: Use the following command to rename the file Utilman.exe to Utilman.bak. sudo runs the command with administrator privileges.
sudo mv Utilman.exe Utilman.bak

Step 8: Copy the file cmd.exe to a new file named Utilman.exe:
sudo cp cmd.exe Utilman.exe

Step 9: Stop the Ubuntu instance, detach the volume, and reattach it to the Windows instance as /dev/sda1.

Step 10: Start the Windows instance and log in with the username “guest” and no password.

Step 11: Next, go to the Windows login screen and click the Accessibility icon at the bottom left. Because Utilman.exe is now a copy of cmd.exe, the system opens cmd.exe running as the SYSTEM account.

Step 12: If the instance does not reside in the domain controller, type lusrmgr.msc to open the “Local Users & Groups” window. If it is in a domain, type dsa.msc and “Active Directory Users and Groups” will open.
You can change the administrator password in whichever window opens. Then log in with the administrator account to access the instance.

Step 13: Once you have logged in as administrator, navigate to C:\Windows\System32 and delete Utilman.exe. (Its icon should look similar to that of cmd.exe.)

Step 14: Locate the file “Utilman.bak” in the same folder and make Administrator the file’s owner. Then grant the administrator account full control rights and rename the file to “Utilman.exe”.
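
The Utilman.exe swap from Steps 7 and 8 leaves a SYSTEM prompt on the login screen until Steps 13 and 14 are completed, so the cleanup is worth verifying. The script below is an added example, not part of the original post: it checks a Windows volume mounted on Linux (such as /volume2 from Step 5) for a leftover swap. The function names, status words and fixture contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. File names use the casing
# shown in the post; adjust them if the names on your volume differ.

# check_utilman SYSTEM32_DIR
# Prints one status word and returns 0 only when Utilman.exe looks restored.
check_utilman() {
    sys32=$1
    if [ ! -f "$sys32/cmd.exe" ]; then
        echo "NO_SYSTEM32"; return 2   # wrong path or volume not mounted
    fi
    if [ ! -f "$sys32/Utilman.exe" ]; then
        echo "MISSING"; return 1       # Step 13 done, Step 14 not finished
    fi
    if cmp -s "$sys32/Utilman.exe" "$sys32/cmd.exe"; then
        echo "SWAPPED"; return 1       # Utilman.exe is still a copy of cmd.exe
    fi
    if [ -f "$sys32/Utilman.bak" ]; then
        echo "BACKUP_LEFT"; return 1   # original was copied back, not renamed
    fi
    echo "CLEAN"; return 0
}

# make_fixture STATE
# Builds a constructed System32 directory (placeholder file contents) so the
# check can be tried offline, and prints its path.
make_fixture() {
    dir=$(mktemp -d)/Windows/System32
    mkdir -p "$dir"
    printf 'constructed cmd.exe body\n' > "$dir/cmd.exe"
    case $1 in
        swapped) cp "$dir/cmd.exe" "$dir/Utilman.exe"
                 printf 'constructed Utilman body\n' > "$dir/Utilman.bak" ;;
        deleted) printf 'constructed Utilman body\n' > "$dir/Utilman.bak" ;;
        copied)  printf 'constructed Utilman body\n' > "$dir/Utilman.exe"
                 cp "$dir/Utilman.exe" "$dir/Utilman.bak" ;;
        clean)   printf 'constructed Utilman body\n' > "$dir/Utilman.exe" ;;
    esac
    echo "$dir"
}

# Usage: sh check_utilman.sh /volume2/Windows/System32
if [ "$#" -gt 0 ]; then
    check_utilman "$1"
fi
```

The script exits non-zero for every state other than CLEAN, so it can gate a snapshot or AMI build on the result.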