

# Troubleshoot impaired Amazon EC2 Windows instance using EC2Rescue
<a name="Windows-Server-EC2Rescue"></a>

EC2Rescue for Windows Server is an easy-to-use tool that you run on an Amazon EC2 Windows Server instance to diagnose and troubleshoot possible problems. It is valuable for collecting log files and troubleshooting issues and also proactively searching for possible areas of concern. It can even examine Amazon EBS root volumes from other instances and collect relevant logs for troubleshooting Windows Server instances using that volume. The following are some common issues that EC2Rescue can address:
+ Instance connectivity issues due to firewall, Remote Desktop Protocol (RDP), or network interface configuration
+ Operating system boot issues due to a stop error, boot loop, or corrupted registry
+ Issues that might need advanced log analysis and troubleshooting

EC2Rescue for Windows Server has two different modules:
+ A **data collector module** that collects data from all different sources
+ An **analyzer module** that parses the data collected against a series of predefined rules to identify issues and provide suggestions

The EC2Rescue for Windows Server tool only runs on Amazon EC2 instances running Windows Server 2012 and later. When the tool starts, it checks whether it is running on an Amazon EC2 instance.

**Note**  
The `AWSSupport-ExecuteEC2Rescue` AWS Systems Manager Automation runbook uses the EC2Rescue tool to troubleshoot and, where possible, fix common connectivity issues with the specified EC2 instance. For more information, and to run this automation, see [AWSSupport-ExecuteEC2Rescue](https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-awssupport-executeec2rescue.html).

If you are using a Linux instance, see [Troubleshoot impaired Amazon EC2 Linux instance using EC2Rescue](Linux-Server-EC2Rescue.md).

**Topics**
+ [Troubleshoot using EC2Rescue GUI](ec2rw-gui.md)
+ [Troubleshoot using EC2Rescue CLI](ec2rw-cli.md)
+ [Troubleshoot using EC2Rescue and Systems Manager](ec2rw-ssm.md)

# Troubleshoot impaired Windows instance with the EC2Rescue GUI
<a name="ec2rw-gui"></a>

EC2Rescue for Windows Server can perform the following analysis on **offline instances**:


| Option | Description | 
| --- | --- | 
| Diagnose and Rescue | EC2Rescue for Windows Server can detect and address issues with the following service settings: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2rw-gui.html) | 
| Restore | Perform one of the following actions: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2rw-gui.html) | 
| Capture Logs | Allows you to capture logs on the instance for analysis. | 

EC2Rescue for Windows Server can collect the following data from **active and offline instances**:


| Item | Description | 
| --- | --- | 
| Event Log | Collects application, system, and EC2Config event logs. | 
| Registry | Collects SYSTEM and SOFTWARE hives. | 
| Windows Update Log | Collects log files generated by Windows Update. In Windows Server 2016 and later, the log is collected in Event Tracing for Windows (ETW) format. | 
| Sysprep Log | Collects log files generated by the Windows System Preparation tool. | 
| Driver Setup Log | Collects Windows SetupAPI logs (setupapi.dev.log and setupapi.setup.log). | 
| Boot Configuration | Collects HKEY\_LOCAL\_MACHINE\\BCD00000000 hive. | 
| Memory Dump | Collects any memory dump files that exist on the instance. | 
| EC2Config File | Collects log files generated by the EC2Config service. | 
| EC2Launch File | Collects log files generated by the EC2Launch scripts. | 
| SSM Agent File | Collects log files generated by SSM Agent and Patch Manager logs. | 
| EC2 ElasticGPUs File | Collects event logs related to elastic GPUs. | 
| ECS | Collects logs related to Amazon ECS. | 
| CloudEndure | Collects log files related to CloudEndure Agent. | 
| AWS Replication Agent for MGN or DRS Log Files | Collects log files related to AWS Application Migration Service or AWS Elastic Disaster Recovery. | 

EC2Rescue for Windows Server can collect the following additional data from **active instances**:


| Item | Description | 
| --- | --- | 
| System Information | Collects MSInfo32. | 
| Group Policy Result | Collects a Group Policy report. | 

## Analyze an offline instance
<a name="ec2rescue-offline"></a>

The **Offline Instance** option is useful for debugging boot issues with Windows instances.

**To perform an action on an offline instance**

1. From a working Windows Server instance, download the [EC2Rescue for Windows Server](https://s3.amazonaws.com/ec2rescue/windows/EC2Rescue_latest.zip?x-download-source=docs) tool and extract the files.

   You can run the following PowerShell command to download EC2Rescue without changing your Internet Explorer Enhanced Security Configuration (ESC):

   ```
   Invoke-WebRequest https://s3.amazonaws.com/ec2rescue/windows/EC2Rescue_latest.zip -OutFile $env:USERPROFILE\Desktop\EC2Rescue_latest.zip
   ```

   This command will download the EC2Rescue .zip file to the desktop of the currently logged in user.
   **Note**  
   If you receive an error when downloading the file, and you are using Windows Server 2016 or earlier, TLS 1.2 might need to be enabled for your PowerShell terminal. You can enable TLS 1.2 for the current PowerShell session with the following command and then try again:

   ```
   [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
   ```

1. Stop the faulty instance, if it is not stopped already.

1. Detach the EBS root volume from the faulty instance and attach the volume to a working Windows instance that has EC2Rescue for Windows Server installed.

1. Run the EC2Rescue for Windows Server tool on the working instance and choose **Offline Instance**.

1. Select the disk of the newly mounted volume and choose **Next**.

1. Confirm the disk selection and choose **Yes**.

1. Choose the offline instance option to perform and choose **Next**.

The EC2Rescue for Windows Server tool scans the volume and collects troubleshooting information based on the selected log files.

## Collect data from an active instance
<a name="ec2rescue-active"></a>

You can collect logs and other data from an active instance.

**To collect data from an active instance**

1. Connect to your Windows instance.

1. Download the [EC2Rescue for Windows Server](https://s3.amazonaws.com/ec2rescue/windows/EC2Rescue_latest.zip?x-download-source=docs) tool to your Windows instance and extract the files.

   You can run the following PowerShell command to download EC2Rescue without changing your Internet Explorer Enhanced Security Configuration (ESC):

   ```
   Invoke-WebRequest https://s3.amazonaws.com/ec2rescue/windows/EC2Rescue_latest.zip -OutFile $env:USERPROFILE\Desktop\EC2Rescue_latest.zip
   ```

   This command will download the EC2Rescue .zip file to the desktop of the currently logged in user.
   **Note**  
   If you receive an error when downloading the file, and you are using Windows Server 2016 or earlier, TLS 1.2 might need to be enabled for your PowerShell terminal. You can enable TLS 1.2 for the current PowerShell session with the following command and then try again:

   ```
   [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
   ```

1. Open the EC2Rescue for Windows Server application and accept the license agreement.

1. Choose **Next**, **Current instance**, **Capture logs**.

1. Select the data items to collect and choose **Collect...**. Read the warning and choose **Yes** to continue.

1. Choose a file name and location for the ZIP file and choose **Save**.

1. After EC2Rescue for Windows Server completes, choose **Open Containing Folder** to view the ZIP file.

1. Choose **Finish**.

# Troubleshoot impaired Windows instance with the EC2Rescue CLI
<a name="ec2rw-cli"></a>

The EC2Rescue for Windows Server command line interface (CLI) allows you to run an EC2Rescue for Windows Server plugin (referred to as an "action") programmatically.

The EC2Rescue for Windows Server tool has two execution modes:
+ **/online**—This allows you to take action on the instance that EC2Rescue for Windows Server is installed on, such as collect log files.
+ **/offline:<device\_id>**—This allows you to take action on the offline root volume that is attached to a separate Amazon EC2 Windows instance, on which you have installed EC2Rescue for Windows Server.

Download the [EC2Rescue for Windows Server](https://s3.amazonaws.com/ec2rescue/windows/EC2Rescue_latest.zip?x-download-source=docs) tool to your Windows instance and extract the files. You can view the help file using the following command:

```
EC2RescueCmd.exe /help
```

EC2Rescue for Windows Server can perform the following actions on an Amazon EC2 Windows instance:
+ [Collect action](#ec2rw-collect)
+ [Rescue action](#ec2rw-rescue)
+ [Restore action](#ec2rw-restore)

## Collect action
<a name="ec2rw-collect"></a>

**Note**  
You can collect all logs, an entire log group, or an individual log within a group.

EC2Rescue for Windows Server can collect the following data from **active and offline instances**.


| Log group | Available logs | Description | 
| --- | --- | --- | 
| all |  | Collects all available logs. | 
| eventlog |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2rw-cli.html)  | Collects application, system, and EC2Config event logs. | 
| memory-dump |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2rw-cli.html)  | Collects any memory dump files that exist on the instance. | 
| ec2config |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2rw-cli.html)  | Collects log files generated by the EC2Config service. | 
| ec2launch |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2rw-cli.html)  | Collects log files generated by the EC2Launch scripts. | 
| ssm-agent |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2rw-cli.html)  | Collects log files generated by SSM Agent and Patch Manager logs. | 
| sysprep | 'Log Files' | Collects log files generated by the Windows System Preparation tool. | 
| driver-setup |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2rw-cli.html)  | Collects Windows SetupAPI logs (setupapi.dev.log and setupapi.setup.log). | 
| registry |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2rw-cli.html)  | Collects SYSTEM and SOFTWARE hives. | 
| egpu |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2rw-cli.html)  | Collects event logs related to elastic GPUs. | 
| boot-config | 'BCDEDIT Output' | Collects HKEY\_LOCAL\_MACHINE\\BCD00000000 hive. | 
| windows-update | 'Log Files' | Collects log files generated by Windows Update. In Windows Server 2016 and later, the log is collected in Event Tracing for Windows (ETW) format. | 
| cloudendure |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2rw-cli.html)  | Collects log files related to CloudEndure Agent. | 

EC2Rescue for Windows Server can collect the following additional data from **active instances**.


| Log group | Available logs | Description | 
| --- | --- | --- | 
| system-info | 'MSInfo32 Output' | Collects MSInfo32. | 
| gpresult | 'GPResult Output' |  Collects a Group Policy report.  | 

The following are the available options:
+ **/output:<outputFilePath>** ‐ Required destination file path location to save collected log files in zip format.
+ **/no-offline** ‐ Optional attribute used in offline mode. Does not set the volume offline after completing the action.
+ **/no-fix-signature** ‐ Optional attribute used in offline mode. Does not fix a possible disk signature collision after completing the action.

### Examples
<a name="ec2rw-collect-examples"></a>

The following are examples using the EC2Rescue for Windows Server CLI.

#### Online mode examples
<a name="ec2rw-collect-examples-online"></a>

Collect all available logs:

```
EC2RescueCmd /accepteula /online /collect:all /output:<outputFilePath>
```

Collect only a specific log group:

```
EC2RescueCmd /accepteula /online /collect:ec2config /output:<outputFilePath>
```

Collect individual logs within a log group:

```
EC2RescueCmd /accepteula /online /collect:'ec2config.Log Files,driver-setup.SetupAPI Log Files' /output:<outputFilePath>
```

#### Offline mode examples
<a name="ec2rw-collect-examples-offline"></a>

Collect all available logs from an EBS volume. The volume is specified by the device\_id value.

```
EC2RescueCmd /accepteula /offline:xvdf /collect:all /output:<outputFilePath>
```

Collect only a specific log group:

```
EC2RescueCmd /accepteula /offline:xvdf /collect:ec2config /output:<outputFilePath>
```

## Rescue action
<a name="ec2rw-rescue"></a>

EC2Rescue for Windows Server can detect and address issues with the following service settings:


|  Service group  | Available actions |  Description  | 
| --- | --- | --- | 
| all |  |  | 
| system-time | 'RealTimeIsUniversal' | System Time[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2rw-cli.html) | 
| firewall |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2rw-cli.html)  |  Windows Firewall [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2rw-cli.html)  | 
| rdp |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2rw-cli.html)  |  Remote Desktop [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2rw-cli.html)  | 
| ec2config |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2rw-cli.html)  |  EC2Config [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2rw-cli.html)  | 
| ec2launch | 'Reset Administrator Password' | Generates a new Windows administrator password. | 
| network | 'DHCP Service Startup' |  Network Interface [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2rw-cli.html)  | 

The following are the available options:
+ **/level:<level>** ‐ Optional attribute for the check level that the action should trigger. Allowed values are: `information`, `warning`, `error`, `all`. By default, it is set to `error`.
+ **/check-only** ‐ Optional attribute that generates a report but makes no modifications to the offline volume.
  **Note**  
  If EC2Rescue for Windows Server detects a possible disk signature collision, it corrects the signature after the offline process completes by default, even when you use the `/check-only` option. You must use the `/no-fix-signature` option to prevent the correction.
+ **/no-offline** ‐ Optional attribute that prevents the volume from being set offline after completing the action.
+ **/no-fix-signature** ‐ Optional attribute that does not fix a possible disk signature collision after completing the action.

### Rescue examples
<a name="ec2rw-rescue-examples"></a>

The following are examples using the EC2Rescue for Windows Server CLI. The volume is specified using the device\_id value.

Attempt to fix all identified issues on a volume:

```
EC2RescueCmd /accepteula /offline:xvdf /rescue:all
```

Attempt to fix all issues within a service group on a volume:

```
EC2RescueCmd /accepteula /offline:xvdf /rescue:firewall
```

Attempt to fix a specific item within a service group on a volume:

```
EC2RescueCmd /accepteula /offline:xvdf /rescue:rdp.'Service Start'
```

Specify multiple issues to attempt to fix on a volume:

```
EC2RescueCmd /accepteula /offline:xvdf /rescue:'system-time.RealTimeIsUniversal,ec2config.Service Start'
```
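
The `/check-only` and `/no-fix-signature` options described above can be combined into a report-first workflow. The following script is an added example, not part of the original documentation: it snapshots the volume, produces a report without modifying the volume, and applies fixes only after confirmation. It assumes that the AWS CLI is installed on the helper instance with permission to create snapshots, that it runs from the folder containing `EC2RescueCmd.exe`, and that the volume ID and report path are placeholders.

```powershell
# Added example: report-first workflow for an offline rescue.
# Assumptions (not from the original page): the AWS CLI is available with
# ec2:CreateSnapshot permission; VolumeId and ReportPath are placeholders.
param(
    [string]$DeviceId   = 'xvdf',          # device_id of the attached offline volume
    [string]$VolumeId   = 'vol-EXAMPLE',   # placeholder EBS volume ID
    [string]$ReportPath = "$env:TEMP\ec2rescue-check.txt"
)
$ErrorActionPreference = 'Stop'

# 1. Snapshot the volume first so that any change made by the rescue
#    action can be rolled back.
$snapshotId = aws ec2 create-snapshot --volume-id $VolumeId `
    --description "Pre-EC2Rescue snapshot of $VolumeId" `
    --query SnapshotId --output text
if ($LASTEXITCODE -ne 0) {
    throw "Snapshot of $VolumeId failed. The volume was not touched."
}

# The waiter gives up after a fixed number of polls, so a large volume can
# time out here even though the snapshot is still in progress.
aws ec2 wait snapshot-completed --snapshot-ids $snapshotId
if ($LASTEXITCODE -ne 0) {
    throw "Snapshot $snapshotId is not complete yet. Re-run when it is."
}

# 2. Report only. /check-only alone still corrects a disk signature
#    collision, so /no-fix-signature is added to leave the volume unmodified.
.\EC2RescueCmd.exe /accepteula "/offline:$DeviceId" /rescue:all /level:all `
    /check-only /no-fix-signature | Tee-Object -FilePath $ReportPath

# 3. Apply the fixes only after the report has been reviewed.
$answer = Read-Host "Report saved to $ReportPath. Apply fixes to $DeviceId? (yes/no)"
if ($answer -ne 'yes') {
    Write-Host "No changes made. Snapshot $snapshotId is retained."
    return
}

# Default /level (error) and default signature handling apply here.
.\EC2RescueCmd.exe /accepteula "/offline:$DeviceId" /rescue:all
Write-Host "Rescue finished. Roll back with snapshot $snapshotId if needed."
```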

## Restore action
<a name="ec2rw-restore"></a>

EC2Rescue for Windows Server can detect and address issues with the following service settings:


|  Service Group  | Available Actions |  Description  | 
| --- | --- | --- | 
|  Restore Last Known Good Configuration  | lkgc | Last Known Good Configuration ‐ Attempts to boot the instance into the last known bootable state. | 
| Restore Windows registry from latest backup | regback | Restore registry from backup ‐ Restores the registry from \\Windows\\System32\\config\\RegBack. | 

The following are the available options:
+ **/no-offline**—Optional attribute that prevents the volume from being set offline after completing the action.
+ **/no-fix-signature**—Optional attribute that does not fix a possible disk signature collision after completing the action.

### Restore examples
<a name="ec2rw-restore-examples"></a>

The following are examples using the EC2Rescue for Windows Server CLI. The volume is specified using the device\_id value.

Restore last known good configuration on a volume:

```
EC2RescueCmd /accepteula /offline:xvdf /restore:lkgc
```

Restore the last Windows registry backup on a volume:

```
EC2RescueCmd /accepteula /offline:xvdf /restore:regback
```

# Troubleshoot impaired Windows instance with EC2Rescue and Systems Manager
<a name="ec2rw-ssm"></a>

Support provides you with a Systems Manager Run Command document to interface with your Systems Manager-enabled instance to run EC2Rescue for Windows Server. The Run Command document is called `AWSSupport-RunEC2RescueForWindowsTool`.

This Systems Manager Run Command document performs the following tasks:
+ Downloads and verifies EC2Rescue for Windows Server.
+ Imports a PowerShell module to ease your interaction with the tool.
+ Runs EC2RescueCmd with the provided command and parameters.

The Systems Manager Run Command document accepts three parameters:
+ **Command**—The EC2Rescue for Windows Server action. The current allowed values are:
  + **ResetAccess**—Resets the local Administrator password. The local Administrator password of the current instance will be reset and the randomly generated password will be securely stored in Parameter Store as `/EC2Rescue/Password/<INSTANCE_ID>`. If you select this action and provide no parameters, passwords are encrypted automatically with the default KMS key. Optionally, you can specify a KMS key ID in Parameters to encrypt the password with your own key.
  + **CollectLogs**—Runs EC2Rescue for Windows Server with the `/collect:all` action. If you select this action, `Parameters` must include an Amazon S3 bucket name to upload the logs to.
  + **FixAll**—Runs EC2Rescue for Windows Server with the `/rescue:all` action. If you select this action, `Parameters` must include the block device name to rescue.
+ **Parameters**—The PowerShell parameters to pass for the specified command.

## Requirements
<a name="ec2rw-requirements"></a>

To run the **ResetAccess** action, your Amazon EC2 instance must have a policy attached that grants permissions to write the encrypted password to Parameter Store. After you attach the policy to the related IAM role, wait a few minutes before attempting to reset the password of an instance.


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:PutParameter"
      ],
      "Resource": [
        "arn:aws:ssm:us-east-1:111122223333:parameter/EC2Rescue/Passwords/<instanceid>"
      ]
    }
  ]
}
```


If you are using a custom KMS key, not the default KMS key, use this policy instead.


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:PutParameter"
      ],
      "Resource": [
        "arn:aws:ssm:us-east-1:111122223333:parameter/EC2Rescue/Passwords/<instanceid>"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt"
      ],
      "Resource": [
        "arn:aws:kms:us-east-1:111122223333:key/<kmskeyid>"
      ]
    }
  ]
}
```


## View the JSON for the document
<a name="ec2rw-view-json"></a>

The following procedure describes how to view the JSON for this document.

**To view the JSON for the Systems Manager Run Command document**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, expand **Change Management Tools** and choose **Documents**.

1. In the search bar, enter `AWSSupport-RunEC2RescueForWindowsTool`, and then select the `AWSSupport-RunEC2RescueForWindowsTool` document.

1. Choose the **Content** tab.

## Examples
<a name="ec2rw-ssm-examples"></a>

The following examples show how to use the Systems Manager Run Command document to run EC2Rescue for Windows Server, using the AWS CLI. For more information about sending commands using the AWS CLI, see [send-command](https://docs.aws.amazon.com/cli/latest/reference/ssm/send-command.html).

**Topics**
+ [Attempt to fix all identified issues on an offline root volume](#ec2rw-ssm-exam1)
+ [Collect logs from the current Amazon EC2 Windows instance](#ec2rw-ssm-exam2)
+ [Reset the local Administrator password](#ec2rw-ssm-exam4)

### Attempt to fix all identified issues on an offline root volume
<a name="ec2rw-ssm-exam1"></a>

Attempt to fix all identified issues on an offline root volume attached to an Amazon EC2 Windows instance:

```
aws ssm send-command --instance-ids "i-0cb2b964d3e14fd9f" --document-name "AWSSupport-RunEC2RescueForWindowsTool" --parameters "Command=FixAll, Parameters='xvdf'" --output text
```

### Collect logs from the current Amazon EC2 Windows instance
<a name="ec2rw-ssm-exam2"></a>

Collect all logs from the current online Amazon EC2 Windows instance and upload them to an Amazon S3 bucket:

```
aws ssm send-command --instance-ids "i-0cb2b964d3e14fd9f" --document-name "AWSSupport-RunEC2RescueForWindowsTool" --parameters "Command=CollectLogs, Parameters='amzn-s3-demo-bucket'" --output text
```

### Reset the local Administrator password
<a name="ec2rw-ssm-exam4"></a>

The following examples show methods you can use to reset the local Administrator password. The output provides a link to Parameter Store, where you can find the randomly generated secure password you can then use to RDP to your Amazon EC2 Windows instance as the local Administrator.

Reset the local Administrator password of an online instance using the default AWS KMS key `alias/aws/ssm`:

```
aws ssm send-command --instance-ids "i-0cb2b964d3e14fd9f" --document-name "AWSSupport-RunEC2RescueForWindowsTool" --parameters "Command=ResetAccess" --output text
```

Reset the local Administrator password of an online instance using a KMS key:

```
aws ssm send-command --instance-ids "i-0cb2b964d3e14fd9f" --document-name "AWSSupport-RunEC2RescueForWindowsTool" --parameters "Command=ResetAccess, Parameters=a133dc3c-a2g4-4fc6-a873-6c0720104bf0" --output text
```

**Note**  
In this example, the KMS key is `a133dc3c-a2g4-4fc6-a873-6c0720104bf0`.
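
The following script is an added example, not part of the original documentation, that carries the **ResetAccess** flow through to the end: it sends the command, waits for the result, reads the generated password from Parameter Store without printing it, and optionally deletes the parameter. It assumes the operator's own credentials allow `ssm:SendCommand`, `ssm:GetCommandInvocation`, `ssm:GetParametersByPath`, `ssm:GetParameter`, `ssm:DeleteParameter`, and `kms:Decrypt` on the key used; the parameter is located by instance ID under `/EC2Rescue` rather than by a hard-coded full name.

```powershell
# Added example: reset the local Administrator password and retrieve it.
# Assumptions (not from the original page): the AWS CLI is configured with an
# operator identity that can send the command, read and decrypt the
# parameter, and delete it. The -DeleteAfterRead switch is hypothetical.
param(
    [Parameter(Mandatory)] [string]$InstanceId,
    [switch]$DeleteAfterRead
)
$ErrorActionPreference = 'Stop'

# 1. Send ResetAccess and keep the command ID for tracking.
$commandId = aws ssm send-command --instance-ids $InstanceId `
    --document-name 'AWSSupport-RunEC2RescueForWindowsTool' `
    --parameters 'Command=ResetAccess' `
    --query 'Command.CommandId' --output text
if ($LASTEXITCODE -ne 0) { throw 'send-command failed.' }

# 2. Wait for the invocation to finish, then check its final status instead
#    of relying on the waiter's exit code alone.
aws ssm wait command-executed --command-id $commandId --instance-id $InstanceId
$status = aws ssm get-command-invocation --command-id $commandId `
    --instance-id $InstanceId --query Status --output text
if ($status -ne 'Success') {
    throw "ResetAccess ended with status '$status'. No password was read."
}

# 3. Locate the parameter written for this instance under /EC2Rescue.
$name = aws ssm get-parameters-by-path --path '/EC2Rescue' --recursive `
    --query "Parameters[?ends_with(Name,'/$InstanceId')].Name | [0]" `
    --output text
if (-not $name -or $name -eq 'None') {
    throw "No parameter for $InstanceId found under /EC2Rescue."
}

# 4. Decrypt the value and place it on the clipboard so that it does not
#    appear in console output or a PowerShell transcript.
$password = aws ssm get-parameter --name $name --with-decryption `
    --query 'Parameter.Value' --output text
if ($LASTEXITCODE -ne 0) { throw "Could not read or decrypt $name." }
Set-Clipboard -Value $password
Remove-Variable password
Write-Host "Password for $InstanceId copied to the clipboard from $name."

# 5. Optionally remove the stored copy once it has been retrieved.
if ($DeleteAfterRead) {
    aws ssm delete-parameter --name $name
    Write-Host "Deleted $name from Parameter Store."
}
```

Parameter Store API calls such as `GetParameter` are recorded by AWS CloudTrail, which gives a record of who retrieved the reset password.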