About security...
If you really have managed to lock yourself out of a VM password-wise and there is stuff you cannot afford to lose - consider using the various available tools to open the virtual disk of the VM in the host as a "pseudo hard disk". You can then immediately get at all the files that are not locked from reading by security descriptors and/or associated password-protected certification and encryption.
To get at those more difficult files, you really need to either get at the encryption certificates (which I believe you will need the VM running and logged-in to get at), or (duh) actually log in to the VM using the correct password (in which case you do not need to "get at" the certificates, as you are already using them!). Word to the wise: it is a good idea to save encryption certificates from your installation to a flash drive, so that you can use it to load said certificates to a future potential host system being used for recovery operations. If you regularly encrypt entire hard drives, then this should be a must if you want them to be so easily recoverable!
So: the question remains, can you hack past the password of the Windows system in order to log in? Answer - yes of course you can, but social conscience forbids me explaining the details here. Suffice it to say that most of the easiest and simplest ones require access to the drive from a host system (or a boot drive that can run any explorer-like or CMD-like tool - e.g. a recovery disk). In the case of the VM, the aforementioned tools that allow you to mount the virtual disk as a hard drive will do. Then do your own internet research on hacking Windows logins.
For those who want to DEFEND against such hacking on your VMs or real machines (which can incidentally be turned into VMs, for those of you relying on simple BIOS password prompts), ENCRYPT THE ENTIRE DRIVE CONTAINING THE BOOT FILES & OS, as well as any data drives - which will prevent most of these hacks from being viable. (Oh, and remember to save the certificates to a flash drive when you do). The object of that amount of somewhat radical, painful, over-the-top encryption effort is to prevent access to encryption certificate file storage AND the login-executables of Windows, and not just your data files.
At the end of the day, password security is only as good as the level of encryption used to protect the password and password access tools (including admin), protect the encryption certificates, or the quality of the password itself - whichever is the weakest. Ironically, the password quality should be (and often is) the weakest link, but most people still leave their systems even less well-protected than that, because even that comparatively pathetic level of security can be bypassed if you have the nous. I guess most people are just not paranoid enough.
And therein lies the true secret of data security: here are some old computing-related morals that still hold true, particularly in this new age of internet and cloud storage...
If you don't want something heard, then don't say it.
If you don't want something read, then don't write it.
If you don't want something seen, then don't do it.
And if you have to delete it, you've probably already failed.
(It's a variation on a variation on a...etc. of the Three Monkeys that can help you lead a paranoia-free life)
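
One way to check the defensive advice in the post above on a Windows machine, added here as an example that is not part of the original post. It assumes the built-in BitLocker and EFS features are the encryption in use (the post names no product) and that it is run from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Assumption: BitLocker is the
# full-drive encryption and EFS is the certificate-based file encryption.

# 1. Every volume, OS and data alike, should be fully encrypted with
#    protection switched on and a recovery password protector defined.
$volumeReport = foreach ($v in Get-BitLockerVolume) {
    $recovery = @($v.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    [pscustomobject]@{
        MountPoint          = $v.MountPoint
        VolumeType          = $v.VolumeType          # OperatingSystem or Data
        FullyEncrypted      = ($v.VolumeStatus -eq 'FullyEncrypted')
        ProtectionOn        = ($v.ProtectionStatus -eq 'On')
        HasRecoveryPassword = ($recovery.Count -gt 0)
    }
}
$volumeReport | Format-Table -AutoSize

$gaps = @($volumeReport | Where-Object {
    -not ($_.FullyEncrypted -and $_.ProtectionOn -and $_.HasRecoveryPassword)
})
foreach ($g in $gaps) {
    Write-Warning "$($g.MountPoint) ($($g.VolumeType)) is not fully protected or has no recovery password."
}

# 2. EFS certificates of the current user: these are the ones that must be
#    exported (with private key) to removable media before they are needed.
$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU
$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $efsOid
})
foreach ($c in $efsCerts) {
    [pscustomobject]@{
        Thumbprint    = $c.Thumbprint
        Expires       = $c.NotAfter
        HasPrivateKey = $c.HasPrivateKey   # without it, the backup cannot decrypt
        Expired       = ($c.NotAfter -lt (Get-Date))
    }
}
if ($efsCerts.Count -eq 0) {
    Write-Output 'No EFS certificate in the current user store.'
}
```

The script only reports. The export itself (certificate plus private key, and the BitLocker recovery password) still has to be done and stored on media kept apart from the machine.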