
How to Reset Forgotten ESXi 7.x or 8.x Root Password Without Reinstalling?

Struggling to Restore Lost Access? What’s the Simplest Way to Reset an ESXi Host Root Password?

Losing the ESXi root password can feel overwhelming, especially if your work depends on it. Recovery is possible, although VMware's official solution is to reinstall ESXi. You have additional options if the host is managed by vCenter or joined to an Active Directory (AD) domain:

Officially Supported Recovery Methods

Managed by vCenter

Use vCenter Host Profiles to reset the password if you have an Enterprise Plus License.

AD Domain Membership

Log in with an AD account that has root-like privileges, then reset the root password directly from the ESXi Host Client.

If neither option is available, resetting the password on a standalone ESXi host is difficult because the root password hash is stored in an encrypted configuration file that cannot be reached without root access. Directly editing the file, as was possible in older ESXi versions, no longer works in ESXi 7.x or 8.x.

Unofficial Workaround: Step-by-Step Simple Guide

If you must restore access without reinstalling, and you’re ready for some hands-on steps, follow this workaround:

Step 1: Set Up a Virtual ESXi Host

  1. Deploy a new virtual ESXi machine matching your lost host’s version.
  2. Enable hardware-assisted virtualization support for the guest VM.
  3. Install ESXi using an ISO file.

Step 2: Back Up the Physical Host’s State File

  1. Remove the physical host’s boot media (USB or drive) and connect it to a Linux machine.
  2. Mount partition 6 (often /dev/sdb6).
  3. Copy /mnt/bootbank/state.tgz to your backup destination.
  4. Always create a backup before making changes.

Step 3: Move the State File to the Virtual Host

  1. Use SCP or a similar tool to transfer state.tgz into the /tmp directory of your virtual ESXi VM.
  2. Extract state.tgz there.

Step 4: Edit and Inject the Encryption Key

  1. Copy, extract, and prepare the virtual host’s own state.tgz.
  2. Add the physical host’s encryption.info to the virtual host’s configuration.
  3. Repackage the modified configuration.

Step 5: Modify the Password Hash

  1. Mount the virtual ESXi’s VMDK on a Linux VM.
  2. Replace the original state.tgz with the modified version.
  3. Boot up the VM and transfer the physical host’s state.tgz for decryption.
  4. Unpack local.tgz.ve and then local.tgz.

Step 6: Replace the Password Hash

In /tmp/var/lib/vmware/configstore/backup/current-store-1, use sqlite3 to alter the root hash:

View the current hash:

/usr/lib/vmware/sqlite/bin/sqlite3 /tmp/var/lib/vmware/configstore/backup/current-store-1 "select * from config where Component='esx' and ConfigGroup = 'authentication' and Name = 'user_accounts' and Identifier = 'root'"

Generate a new hash:

openssl passwd -6

Update with the new hash:

/usr/lib/vmware/sqlite/bin/sqlite3 /tmp/var/lib/vmware/configstore/backup/current-store-1 "update config set UserValue='{\"name\":\"root\",\"password_hash\":\"NEW_HASH\",\"description\":\"Administrator\"}' where Component='esx' and ConfigGroup = 'authentication' and Name = 'user_accounts' and Identifier = 'root'"
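
The hash printed by openssl passwd -6 begins with $6$ and contains further $ signs, so pasting it in place of NEW_HASH inside the double-quoted command above lets the shell expand parts of it and stores a corrupted value. The following is an added example, not part of the original article: it checks the hash format and builds the same UPDATE statement without shell expansion. The names is_sha512_crypt, build_update_sql and SAMPLE_HASH are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article: build the Step 6 UPDATE
# statement so the shell never expands the "$" signs inside the hash.

# Succeed only if $1 has the shape `openssl passwd -6` prints:
# $6$<salt, 1-16 chars>$<86 chars> from the crypt alphabet [./0-9A-Za-z],
# optionally with a rounds=N$ field before the salt.
is_sha512_crypt() {
    printf '%s\n' "$1" |
        grep -Eq '^\$6\$(rounds=[0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$'
}

# Print the UPDATE statement for root, or fail without output on a bad hash.
build_update_sql() {
    _h=$1
    if ! is_sha512_crypt "$_h"; then
        echo "refusing: argument is not a SHA-512 crypt hash" >&2
        return 1
    fi
    # The validated format has no quote or backslash, so the hash needs no
    # further escaping inside the JSON string or the single-quoted SQL literal.
    printf "update config set UserValue='{\"name\":\"root\",\"password_hash\":\"%s\",\"description\":\"Administrator\"}' where Component='esx' and ConfigGroup = 'authentication' and Name = 'user_accounts' and Identifier = 'root'\n" "$_h"
}

# Constructed sample, not a real hash: fixed salt plus 86 zeros.
SAMPLE_HASH=$(printf '$6$constructedsalt$%086d' 0)

# Usage with the article's paths (run where the decrypted store lives):
#   new_hash=$(openssl passwd -6)    # prompts for the new password
#   /usr/lib/vmware/sqlite/bin/sqlite3 \
#       /tmp/var/lib/vmware/configstore/backup/current-store-1 \
#       "$(build_update_sql "$new_hash")"
```

Rerun the "View the current hash" query afterwards and confirm the stored password_hash matches the generated value character for character before repackaging.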

Step 7: Reassemble and Restore the State File

  1. Package up the modified content as a new state.tgz.
  2. Replace the old state.tgz on both bootbank partitions of the physical host.
  3. Reboot the physical host. You should now be able to log in as root with the new password.

Key Points

  • If vCenter or AD is available, use them first: they are the safest and most reliable routes.
  • For standalone hosts: The above workaround requires advanced skill and risks host misconfiguration. Always back up data.
  • Direct editing of the configuration gets past the encryption only by way of the method above.
  • Older Linux-style hacks (editing /etc/shadow) do not work in ESXi 7.x/8.x due to encryption.
  • Reinstallation remains VMware’s only endorsed solution if supported methods fail.

Why Preparation Matters

  • Back up your configuration (state.tgz) before edits.
  • Only use matching ESXi versions for the recovery VM.
  • If unsure, seek expert assistance to avoid system failure.

By following these steps, regaining access is achievable—even if official channels insist on reinstalling. Proceed carefully, and your host will be usable again without losing your vital configuration.