SysAdmin Hacks
Forgot Your ESXi Root Password? Reset It Without Reinstalling (vCenter Hack) | Lazy Admin Blog
We’ve all been there. You go to log into the DCUI or SSH into a host only to find the root password doesn’t work, and nobody documented the change.
According to VMware’s official stance, the only “supported” way to recover is a complete wipe and reinstall. But if your host is still managed by vCenter and you have Enterprise Plus licensing, there is a “lazy” (and highly effective) way out using Host Profiles.
How it works
When a host is added to vCenter, a special user called vpxa is created with full root privileges. We can use this existing “backdoor” to push a new configuration to the host, effectively overwriting the lost root password.
Step-by-Step Recovery
1. Extract the Profile
Right-click the “locked” host in the vSphere Web Client. Navigate to All vCenter Actions > Host Profiles > Extract Host Profile. Follow the wizard to create a template of that specific host’s configuration.
2. Edit the Security Settings
Go to Home > Host Profiles (under Management). Right-click your new profile and select Edit.
- Expand Security and Services.
- Expand Security Settings.
- Click on Security Configuration.
- In the dropdown, select: “Configure a fixed administrator password”.
- Enter and confirm your new root password.
3. Attach and Remediate
- Go back to Hosts and Clusters, right-click the host, and select Host Profiles > Attach Host Profile. Select the one you just edited.
- Maintenance Mode: You must put the host into Maintenance Mode.
- Remediate: Right-click the host again, select Host Profiles > Remediate. If you skip Maintenance Mode, vSphere will block the operation.
4. Finish
Once the remediation task completes, the host will reboot. Your new root password is now active!
Important Limitations
- Licensing: This requires Enterprise Plus. Standard or Essentials kits do not include Host Profiles.
- Connectivity: The host must be currently “Connected” in vCenter. If the management agent has crashed or the host is “Not Responding,” this method will not work.
The “Lazy Admin” Verdict
Reinstalling an ESXi host means reconfiguring networking, storage, and scratch partitions. Using a Host Profile takes about 10 minutes and keeps your uptime (and sanity) intact.
How to Get Hardware Serial Numbers Remotely (WMIC & PowerShell)
As a SysAdmin, you often need a serial number or UUID for a warranty check or asset tracking. Instead of walking to the user’s desk or remoting into their session, you can pull this data directly from your workstation using these simple commands.
1. Using WMIC (Legacy Command Line)
WMIC is incredibly efficient for quick, one-off queries against remote systems.
To get a remote serial number:
DOS
wmic /node:"RemoteComputerName" bios get serialnumberTo export results to a central text file: If you are auditing multiple machines, use the /append switch to create a running list:
DOS
set myfile=\\Server\Share\Inventory.txtwmic /append:%myfile% /node:"RemoteComputerName" bios get serialnumber2. Using PowerShell (Modern Method)
PowerShell is the preferred method for modern Windows environments (Windows 10/11 and Server 2016+). It returns objects that are much easier to manipulate.
Standard Command:
PowerShell
Get-WmiObject -ComputerName "RemoteComputerName" -Class Win32_BIOSThe “Lazy” Short Version:
PowerShell
gwmi -comp "RemoteComputerName" -cl win32_bios3. Bonus Hardware Commands
Sometimes the serial number isn’t enough. Use these WMIC commands to get a deeper look at the hardware specs:
- CPU Details: Get the exact model and clock speeds.
wmic cpu get name, CurrentClockSpeed, MaxClockSpeed - System Product Info: Pull the motherboard name and the system’s unique UUID.
wmic csproduct get name, identifyingnumber, uuid - Full BIOS Audit: Get the BIOS name, version, and serial number in one go.
wmic bios get name, serialnumber, version
Troubleshooting Connectivity
If these commands fail with “Access Denied” or “RPC Server Unavailable,” check the following:
- Admin Rights: Your shell must be running with Domain Admin or local administrator permissions on the target.
- Firewall: Ensure “Windows Management Instrumentation (WMI)” is allowed through the Windows Firewall on the remote machine.
- WMI Service: Ensure the WinMgmt service is running on the target.
#SysAdmin #PowerShell #WMIC #WindowsServer #ITPro #TechTips #InventoryManagement #LazyAdmin #RemoteAdmin #HardwareHack
How to Enable Remote Logins in a Windows server
🛠️ The Registry Method (Headless Activation)
By default, Windows Server hardens itself by denying Terminal Server (TS) connections. You can flip this switch manually in the Registry Editor.
- Open Registry Editor: Press
Win + R, typeregedit, and hit Enter. - Navigate to the Key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\ - Modify the Value: Locate the fDenyTSConnections DWORD.
- Value = 1: Remote Desktop is Disabled (Default).
- Value = 0: Remote Desktop is Enabled.
💻 The PowerShell Method (The Modern Way)
If you have PowerShell Remoting enabled, you don’t even need to open a GUI. You can push this change with a single line of code:
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0To verify the change:
Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections"🛡️ Important: Don’t Forget the Firewall!
Enabling the registry setting is only half the battle. If the Windows Firewall is active, it will still block port 3389. You must allow the RDP traffic:
Via PowerShell:
PowerShell
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"⚠️ Security Checklist
- NLA (Network Level Authentication): For modern security, ensure the value
UserAuthenticationin the same registry path is set to1. This requires users to authenticate before a session is even created. - Permissions: Simply enabling the service isn’t enough; the user account must be part of the Remote Desktop Users group or have Administrative privileges.
- BlueKeep & Vulnerabilities: Ensure your server is fully patched if you are exposing RDP, as unpatched legacy servers are prime targets for ransomware.
#WindowsServer #RDP #RemoteDesktop #SysAdmin #ITPro #PowerShell #RegistryHacks #LazyAdmin #TechTips #ServerSecurity
The “No-Install” Hack: Enable Disk Cleanup on Server 2008 R2
Need to free up space right now but can’t afford a reboot or a feature installation? Windows Server 2008 and 2008 R2 actually have the Disk Cleanup files hidden inside the System Component Store (WinSxS). You just have to move them to the right place.
The Manual “Copy-Paste” Method
By manually placing these two files into your System32 directory, you enable the cleanmgr command immediately.
1. Locate the Files
Search your C:\Windows\WinSxS directory for the following two files. Note: The long folder names may vary slightly based on your service pack level, so use the search bar if needed.
For Windows Server 2008 R2 (64-bit):
- The Executable:
amd64_microsoft-windows-cleanmgr_..._cleanmgr.exe - The Language Resource:
amd64_microsoft-windows-cleanmgr.resources_..._en-us_...\cleanmgr.exe.mui
2. Move to System32
Copy (don’t move, just in case) the files to these specific destinations:
- cleanmgr.exe →
%systemroot%\System32 - cleanmgr.exe.mui →
%systemroot%\System32\en-US
3. Run the Tool
You don’t need to register anything. Simply open a Command Prompt or the Run dialog (Win+R) and type: cleanmgr.exe
Why do it this way?
- Zero Downtime: No reboots, no “Configuring Windows” screens.
- Lightweight: You don’t pull in the rest of the “Desktop Experience” (like Media Player or desktop themes) that just adds more bloat to a server.
- Reliable: You are using the exact binaries Microsoft built for that specific OS version.
#WindowsServer #SysAdmin #ITPro #TechHacks #ServerMaintenance #DiskCleanup #LazyAdmin #Troubleshooting #WindowsAdmin #ZeroDowntime
Fixed: The VMRC Console has Disconnected (Error 2050470)
It’s a frustrating scenario: you go to check a virtual machine, and instead of a login screen, you get a black box with the message: “The VMRC Console has Disconnected… Trying to reconnect.” To make matters worse, the VM often appears unreachable on the network, leading you to believe the Guest OS has blue-screened or frozen. However, the issue is frequently just a hang-up in the VMware Remote Console (VMRC) process on your local management workstation.
The Quick Fix
You do not need to restart the VM or the ESXi host. Usually, the “stuck” process is living right on your own PC.
- Open Task Manager: Right-click your taskbar and select Task Manager (or press
Ctrl + Shift + Esc). - Find the Process: Go to the Processes or Details tab.
- Kill VMRC: Look for
vmware-vmrc.exe(orvmware-vmrc.exe*32on older systems). - End Task: Right-click the process and select End Task.
- Relaunch: Go back to your vSphere Client and attempt to open the console again.
Why does this happen?
This error usually occurs when the VMRC process loses its handshake with the ESXi host but fails to terminate properly. By killing the process, you force a fresh authentication and network handshake, which typically restores the video feed immediately.
What if the VM is still “Black Screened”?
If killing the local process doesn’t work and the VM is still unreachable via ping/RDP, the issue might be on the host side:
- Check the Hostd Service: Sometimes the management agent on the ESXi host needs a restart.
- Video Memory: Ensure the VM has enough Video RAM allocated in its “Edit Settings” menu to support the resolution you are using.
#VMware #vSphere #VMRC #SysAdmin #ITPro #Virtualization #TechSupport #LazyAdmin #ServerAdmin #WindowsTroubleshooting