https://www.em-soft.si/myblog/elvis/?p=975

1. Boot from DVD – you need to access to Windows system drive offline – installation DVD has all tools that you need.
2. From menu select Repair your computer. This will give you the ability to change some files.
3. In the next menu select Troubleshot.
4. Select Command prompt. This is what we need – we want to modify some files.
5. Now you need to replace the file:
   1. Go to C: (supposing that C: is your system drive)
   2. Type cd \Windows\System32 – to enter into the folder
   3. Type ren osk.exe osk.old – be smart, you need to preserve the original file and put it back at the end of the process! If you don’t replace it again it means that you leave open a surface attack!!!
   4. Replace the file with a copy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe osk.exe
6. Reboot the server in normal mode.
7. From the logon screen choose Onscreen keyboard (as in picture).
8. PowerShell window will be opened – and you are a local system user!!! You can do a lot of things.
9. Change the password with command Net user Administrator Password – where Administrator is the username of local or domain administrator and Password is the password that you want to set.
10. Login to server with the new password – just to test that it is working.
11. Reboot the server and redo all the steps from 1 to 5, but in the way to put back all things in the original state. You need to replace original onscreen keyboard:
    1. Go to C:
    2. Type cd \Windows\System32
    3. Type del osk.exe
    4. Replace a file with ren osk.old osk.exe
12. Reboot the server.