Windows EC2 Instance 忘记密码如何重置

这个问题搞了我2天时间，所以要好好记录一下。对于Windows Server 2012之前和Server 2016之后的处理方式是不一样的，我在误打误撞中，用了2012的方法解决了2016的问题， 因为我不知道忘记密码的EC2是2016版本。
而且Windows的这类问题（忘记key pair和密码）的处理方式比Linux的要复杂。

1. 关闭该instance， 这个instance tag标记为original-instance

2. 到Volume处找到该instance的volume，然后Detach

3. 删除旧Key

4. 创建一个新的EC2 Instance，tag标记为new-instance
   

5. 新Instance要跟有问题的在同一个区域，例如us-east-1a，不然无法加载volume

6. Launch，然后弄一个跟之前（已经丢失忘记的key）一样的key名字，并下载保存key

以下这步很关键，之前的尝试我都弄错了

7. 把忘记密码的instance创建Image

8. 然后在IMAGES -- > AMI中查看进度，需要几分钟时间，完成后点Launch，这个步骤跟新建instance类似，为跟那个新建的instance区分开来，我们把这个instance命名为 image-instance

9. 创建好后关闭此Instance，然后把image-instance的volume挂载到new-instance上

10. 登入new-instance，并下载工具：https://s3.amazonaws.com/ec2rescue/windows/EC2Rescue_latest.zip （这个工具仅适用于2016及其后版本的 Windows Server）

另外我之前看文档说可以通过修改Ec2Config service来实现密码修改，后来摸索后才发现这在2012及之前的版本才可以，而我的忘记密码的服务器是2016版本，这也是我奇怪之前没有在路径下看到C:\Program Files\Amazon\Ec2ConfigService这个文件夹了，所以我从2012上copy了一个到这个路径，同时修改了config.xml文件，把EC2Password改为Enabled，不知道跟这个有没关系，权且记录在案。

11. 然后把这个volume在new-instance上offline，并从Volume上Deattach掉，然后重新挂回image-instance，注意要把Device设为 /dev/sda1，这样才是C盘

12. 获取image-instance的密码

13. 导入保存的key文件获取密码，（刚开始的时候是失败的，提示无法获取密码，验证不对，在此我又纠结了几个小时，在这个3个instance之前互相切换挂载，后来就可以获得密码了，不知哪里弄对了）

14. 然后再关闭这个image-instance, 把这个volume挂载回orignal-instance为C盘，启动，这样就用新的key获取新的密码

参考文档
适用于server 2012及其前版本：https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ResettingAdminPassword_EC2Config.html

适用于server 2016及其后版本：https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ResettingAdminPassword_EC2Launch.html

这个提到要完全按照步骤来，我也是受这个启发，重新看文档才发现我没有launch image，而是搞了launch new instance，这点很关键。https://stackoverflow.com/questions/50686939/resetting-administrator-password-for-aws-ec2-windows-server-2012-instance

后来收到AWS Support发来的邮件支持信息，不过我的问题已经自己解决，所以没有使用他们的方法，记录如下：
对于server 2016

1. In the Amazon IAM Console (https://console.aws.amazon.com/iam/), in the navigation pane, choose Roles, Create new role.

2. Choose Amazon EC2 Role for Simple Systems Manager, and then choose Select.

3. Under Policy Name, check AmazonEC2RoleforSSM, Next Step, enter a Role name that is meaningful to you and choose Create Role.

4. Open the Amazon EC2 console, https://console.aws.amazon.com/ec2/ and choose the appropriate region.

5. Select the affected instance, choose Actions, Instance Settings, Attach/Replace IAM role. This would attach the IAM role you just created to your instance.

6. From EC2 console select, "Run Command" and "Run a command" option.

7. Select "AWS-RunPowershellScript" from Command document

8. In Select Targets, Select the instance you want to reset password for. Should the instance not be populated in the list, please wait for some time so that the changes can be propagated.

9. Under Commands, run the following command while replacing "new_password" with your password.

   net user Administrator new_password

10. Click Run in the lower right, leaving all the settings at default.

Following the successful completion of the run command, you should now be able to log in with that local administrator password you just keyed in under step 9. Once you've regained access to the instance, change the password to a more permanent value by running the command from step 9 again in command prompt of the instance.

Another procedure you can follow to reset the password on the instance is to use the AWSSupport-ResetAccess Automation document from the Systems Manager console. This document is useful if you have lost your EC2 key pair and want to create a password-enabled AMI from your EC2 instance, so you can launch a new instance with an existing key pair. To perform this, you can follow the steps given on the link under the section headed "Systems Manager Automation AWSSupport-ResetAccess (Offline Method)":

[+] https://aws.amazon.com/premiumsupport/knowledge-center/reset-admin-password/