How to reset windows password (offline) on AWS Windows Instance

In simple word changing/resetting windows password is a very simple task using any third party free or paid tools as long as you able to access server console. Even on virtual platform like Hyper-V VMWare you have access to server console, but when it comes to AWS, there is no way to access console of a virtual instances. So, those tools will not work, as those required user input / virtual CD or USB boot, which is not available in AWS.

I have found a solution to reset the password of any AWS windows instance. If you know the local user id, then it will be very easy to reset the password of that account.

You have to perform the following steps.

• First you have to stop the instance.
• Then you have to identify the root volume (/dev/sda1) of that instance. You could get this information using one simple function I wrote (GetInstanceVolumeDetails InstanceID).
  
  GetInstanceVolumeDetails

  function GetInstanceVolumeDetails ([string] $fInstanceID) { $VolumeList = ((Get-EC2Volume).Attachment | where {$_.InstanceId -eq $fInstanceID}).VolumeId $VolumeDetails = @() foreach ($Volume in $VolumeList) { $MyObject = New-Object PSObject -Property @{ VolumeId = $Volume VolumeSize = (Get-EC2Volume $Volume).Size Zone = (Get-EC2Volume $Volume).AvailabilityZone VolumeDevice = ((Get-EC2Volume $Volume).Attachment).Device } $VolumeDetails += $MyObject } $VolumeDetails | Select VolumeId,VolumeDevice,VolumeSize,Zone }

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

  function GetInstanceVolumeDetails ([string] $fInstanceID) {     $VolumeList = ((Get-EC2Volume).Attachment | where {$_.InstanceId -eq $fInstanceID}).VolumeId     $VolumeDetails = @()     foreach ($Volume in $VolumeList)     {             $MyObject = New-Object PSObject -Property @{             VolumeId = $Volume             VolumeSize = (Get-EC2Volume $Volume).Size             Zone = (Get-EC2Volume $Volume).AvailabilityZone             VolumeDevice = ((Get-EC2Volume $Volume).Attachment).Device             }         $VolumeDetails += $MyObject     }     $VolumeDetails | Select VolumeId,VolumeDevice,VolumeSize,Zone }

• Once you identified the root volume, Took a snapshot backup of root volume.
  
• Now you have to dismount this volume and remount it on any other working instance as additional volume.

  

• This volume mounted as G: drive on working instance. Now you have to create one service using srvany.exe (http://support.microsoft.com/kb/137890) to rest the password of Administrator account during system startup. To configure this you have to load up the system registry hive of faulty instance from G:\Windows\System32\Config\SYSTEM as _SYS under HKEY_LOCAL_MACHINE and import the following registry
  Service

  INI

  Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE_SYSControlSet001ServicesPwdReset] "Type"=dword:00000010 "Start"=dword:00000002 "ErrorControl"=dword:00000001 "DisplayName"="PwdReset" "ObjectName"="LocalSystem" "ImagePath"="c:\\srvany.exe" [HKEY_LOCAL_MACHINE_SYSControlSet001ServicesPwdResetParameters] "Application"="c:\\windows\\system32\\cmd.exe" "AppParameters"="/k net user Administrator Password"

  1 2 3 4 5 6 7 8 9 10 11 12 13

  Windows Registry Editor Version 5.00   [HKEY_LOCAL_MACHINE_SYSControlSet001ServicesPwdReset] "Type"=dword:00000010 "Start"=dword:00000002 "ErrorControl"=dword:00000001 "DisplayName"="PwdReset" "ObjectName"="LocalSystem" "ImagePath"="c:\\srvany.exe"   [HKEY_LOCAL_MACHINE_SYSControlSet001ServicesPwdResetParameters] "Application"="c:\\windows\\system32\\cmd.exe" "AppParameters"="/k net user Administrator Password"

• Now placed srvany.exe under G: drive.

• If the operating system is later than Windows Server 2003, you have to complete the following steps or you won’t be able to boot the instance after changes in its root volume because of a disk signature collision.
• In the Registry Editor, load the following registry hive into a folder named BCD: F:bootbcd.
• Search for the following data value in BCD: “Windows Boot Manager”. You’ll find a match under a key named 12000004.
• Select the key named 11000001 that is sibling to the key you found in the previous step. View the data for the Element value.
• Locate the four-byte disk signature at offset 0x38 in the data. Reverse the bytes to create the disk signature, and write it down. For example, the disk signature represented by the following data is E9EB3AA5:

  0030 00 00 00 00 01 00 00 00
  0038 A5 3A EB E9 00 00 00 00
  0040 00 00 00 00 00 00 00 00
  

• In a Command Prompt window, run the following command to start Microsoft DiskPart.

  C:> diskpart

• Run the following DiskPart command to select the volume. (You can verify that the disk number is 1 using the Disk Management utility.)

  DISKPART> select disk 1
  Disk 1 is now the selected disk.
  

• Run the following DiskPart command to get the disk signature.

  DISKPART> uniqueid disk
  Disk ID: 0C764FA8
  

• If the disk signature shown in the previous step doesn’t match the disk signature from BCD that you wrote down earlier, use the following DiskPart command to change the disk signature so that it matches:

  DISKPART> uniqueid disk id=E9EB3AA5
  

• Once server booted up, you will able to logon to the server using new password.
• Re-joined the server to the domain and remove the service from registry.
• Remove the imported registry from using following command from command prompt.

  REG DELETE HKLMControlSet001ServicesPwdReset

• Author
• Recent Posts

Follow me

Saugata

Founder at Internet

I am an IT Professional with 13+ years of experience in Windows, Storage, Backup, AWS and Azure. I love writing scripts using PowerShell. I loved to share my experience with rest of the world via this blog. I love my Echo Dot (3G). I love playing with Raspberry Pi.

Follow me

Latest posts by Saugata (see all)

• Mange SOLIDserver EfficientIP IPAM form PowerShell - June 9, 2022
• S3 Bucket Audit Report using AWS PowerShell Script – Secure your S3 Buckets - June 16, 2020
• Do not trust any public VPN service, Create your own Secure SOCKS5 Proxy for just $5 – Be Free 🙂 - May 11, 2020

This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.