Recovering EC2 Windows Passwords

Recovering a Lost Password on an EC2 Windows Machine

Have you ever run into a situation where you cannot recover the Windows password for an EC2 instance, no matter what you try? I have. I followed every EC2 recovery tutorial step by step, including the EC2Config route. None of them worked for me, because I did not realize that the EC2 recovery documentation only applies to instances launched from a base AMI, not to instances built from a copied AMI (which is where I hit my problem). So I was locked out of an instance whose administration I had taken over, with no way in.

Enter chntpw: a tool for editing Windows NT-family registry hives from Linux. The following steps let me log into an Administrator account on my Windows EC2 instance without knowing the original password. Be warned: while these steps are in effect the instance accepts a blank-password logon over the network, so before you start, restrict the RDP port (TCP 3389) in the instance's security group to the IP addresses you authorize, and nothing else.

This tutorial is for recovering your own instances, NOT for breaking into someone else's. I hate having to put this statement here, but given what goes on online I want to make that VERY clear.

Let's hack us a Windows account

To simplify this tutorial, we will use the following placeholder names.

  Instance ID   Operating System   Description
  i-windows     Windows            Windows machine that is locked
  i-linux       Linux              t2.micro helper machine with chntpw

Step 1: Create a t2.micro Linux helper

  1. Launch a Linux distribution whose package repository carries chntpw (on Debian/Ubuntu: apt-get install chntpw ntfs-3g). A t2.micro is fine. Put it in the same Availability Zone as i-windows, because an EBS volume can only be attached to an instance in its own AZ.
  2. If your distribution has no package, build chntpw from source and place the binary in a directory on your PATH (it is a compiled tool, not a script).
  3. Keep the terminal open and move to step 2.

Step 2: Backing up Windows

This step requires downtime for your Windows box (it took me about 10 minutes total, and I took my sweet time; it will vary with the size of the EBS volume).

  1. Shut down i-windows (use a clean shutdown from the EC2 console, so the registry hives are flushed to disk and the NTFS volume is not left in a state ntfs-3g refuses to mount read-write).
  2. Detach the root volume (call it vol-windows-root for simplicity).
  3. Snapshot vol-windows-root before touching it, so you can roll back if the registry edit goes wrong.

Step 3: Volume mount

  1. Attach vol-windows-root to i-linux and note the device it gets (the console shows e.g. /dev/sdf; inside the instance it appears as /dev/xvdf on Xen instances or /dev/nvme1n1 on Nitro instances; check with lsblk). Windows root volumes usually carry more than one partition (EFI or System Reserved plus the Windows partition), so pick the large NTFS partition rather than simply the first one.
  2. i-linux terminal > mkdir -p /media/windows ; mount -t ntfs-3g /dev/xvdf1 /media/windows   (substitute your Windows partition)
  3. i-linux terminal > cd /media/windows/Windows/System32/config
  4. i-linux terminal > chntpw -u <User> SAM
  5. i-linux terminal > input: 1   (clear/blank the user's password)
  6. i-linux terminal > input: q, then y when asked whether to write the hive
  7. i-linux terminal > chntpw -e SYSTEM   (the SYSTEM hive sits in the same config directory)
  8. i-linux terminal > cd \ControlSet001\Control\Lsa
    • WARNING: an offline SYSTEM hive has no CurrentControlSet key. Windows creates that link at boot, pointing at whichever ControlSet00N is named in the Select\Current value, so you could have several ControlSet00N keys. In my case, I did this same step on ALL of them.
  9. i-linux terminal > ed LimitBlankPasswordUse
  10. i-linux terminal > input: 0
  11. i-linux terminal > input: q, then y to write the hive
  12. i-linux terminal > cd ~ ; umount /media/windows

We are now done with Linux (hopefully).

Summary: we mounted the Windows volume, blanked the user's password in the SAM hive, and set LimitBlankPasswordUse to 0 so that Windows accepts a network (RDP) logon for an account with a blank password (the default of 1 restricts blank-password accounts to console logon). Once again, make sure your security group does not allow anonymous traffic in on the RDP port.
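The Linux side of Steps 2 and 3, scripted. This is an added example, not the original post's commands; it assumes chntpw and ntfs-3g are installed on i-linux, that the Windows root volume is attached as a whole disk (for instance /dev/xvdf or /dev/nvme1n1), and that it runs as root. It goes a little beyond the steps above: it picks the largest NTFS partition instead of assuming xvdf1, and it discovers every ControlSet00N key in the SYSTEM hive and edits all of them.

```shell
#!/bin/sh
# Added example (not the original post's commands): the Linux side of the
# recovery, scripted. Assumes chntpw and ntfs-3g are installed on i-linux,
# the Windows root volume is attached as a whole disk (/dev/xvdf or
# /dev/nvme1n1, say), and the script runs as root.
set -eu

# Read `lsblk -Pbo NAME,FSTYPE,SIZE,TYPE <disk>` (KEY="value" pairs, sizes in
# bytes) on stdin and print the name of the largest NTFS partition.
# Windows AMIs carry small EFI / System Reserved partitions ahead of the
# Windows partition, so "the first partition" is not a safe guess.
pick_windows_partition() {
    awk '{
        for (k in kv) delete kv[k]
        for (i = 1; i <= NF; i++) {
            split($i, p, "=")
            gsub(/"/, "", p[2])
            kv[p[1]] = p[2]
        }
        if (kv["TYPE"] == "part" && kv["FSTYPE"] == "ntfs" && kv["SIZE"] + 0 > best) {
            best = kv["SIZE"] + 0
            name = kv["NAME"]
        }
    }
    END { if (name == "") exit 1; print name }'
}

# Read ControlSetNNN key names on stdin (one per line) and emit the command
# stream for `chntpw -e SYSTEM`: set Control\Lsa\LimitBlankPasswordUse to 0
# in each, then q (quit) and y (write the hive). An offline SYSTEM hive has
# no CurrentControlSet; Windows links that name at boot to the ControlSetNNN
# chosen by Select\Current, so every set present is edited.
build_lsa_script() {
    while IFS= read -r cs; do
        [ -n "$cs" ] || continue
        printf 'cd \\%s\\Control\\Lsa\ned LimitBlankPasswordUse\n0\n' "$cs"
    done
    printf 'q\ny\n'
}

# recover <disk> <windows-user> [mountpoint]
recover() {
    disk=$1
    user=$2
    mnt=${3:-/media/windows}
    part=$(lsblk -Pbo NAME,FSTYPE,SIZE,TYPE "$disk" | pick_windows_partition)
    mkdir -p "$mnt"
    mount -t ntfs-3g "/dev/$part" "$mnt"
    cfg="$mnt/Windows/System32/config"

    # SAM: 1 = clear (blank) the user's password, q = leave the user menu,
    # y = write the changed hive.
    printf '1\nq\ny\n' | chntpw -u "$user" "$cfg/SAM"

    # SYSTEM: list the hive root to discover ControlSetNNN keys, then apply
    # the LSA edit to each of them.
    sets=$(printf 'ls\nq\n' | chntpw -e "$cfg/SYSTEM" \
        | grep -o 'ControlSet[0-9][0-9][0-9]' | sort -u)
    if [ -z "$sets" ]; then
        echo "no ControlSetNNN keys found in $cfg/SYSTEM" >&2
        umount "$mnt"
        exit 1
    fi
    printf '%s\n' "$sets" | build_lsa_script | chntpw -e "$cfg/SYSTEM"

    umount "$mnt"
}

# Only act when invoked with arguments, so the functions can be sourced
# or tested without touching any volume.
if [ "$#" -ge 2 ]; then
    recover "$@"
fi
```

Invoke it as root on i-linux with the attached disk and the account to unlock, for example `sh recover.sh /dev/xvdf Administrator` (the file name is an assumption). Take the snapshot from Step 2 first; the script edits the hives in place.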

Step 4: Re-attach the volume and launch Windows

  1. Detach vol-windows-root from i-linux.
  2. Reattach vol-windows-root to i-windows as /dev/sda1 (the root device name).
  3. Boot up i-windows.
  4. RDP in as the user, with an empty password.
  5. Change your password immediately.
  6. In regedit, set HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse back to 1, and do the same under every ControlSet00N you edited offline.

Resources
