The passwords of the root and Administrator accounts in Windows images are set to a known value stored in vcld.conf when an image is captured. These accounts' passwords are randomized after an image is loaded.
There is at least one script (autologon_enable.cmd) stored in Windows images which contains the default password. Windows.pm::sanitize_files attempts to remove the default password from this script and other files it finds under C:\Cygwin\home\root.
If the default password is changed in vcld.conf after an image is captured, the old password will not be removed from the files because the VCL process only searches for the current value. This should be improved.
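The gap described above, and one way to close it, shown as an added example that is not VCL's own code (Windows.pm is Perl; this is a stand-alone Python sketch). It sanitizes against a list of the current and previously used default passwords instead of the current value alone. The password values, the file content, and the function names are constructed for illustration, and the files are assumed to be single-byte encoded.

```python
import os
import tempfile

def sanitize_tree(root, secrets, replacement=b"REDACTED"):
    """Replace every listed secret in every file under root; return changed paths."""
    # Longest first so a secret that contains another is replaced whole.
    needles = sorted((s.encode() for s in secrets if s), key=len, reverse=True)
    changed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            cleaned = data
            for needle in needles:
                cleaned = cleaned.replace(needle, replacement)
            if cleaned != data:
                with open(path, "wb") as fh:
                    fh.write(cleaned)
                changed.append(path)
    return changed

def remaining_hits(root, secrets):
    """Post-sanitize check: (path, secret) pairs still present under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            hits += [(path, s) for s in secrets if s and s.encode() in data]
    return hits

def demo():
    # Constructed values and file content; not the real script or passwords.
    old_pw, new_pw = "OldDefault1!", "NewDefault2!"
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autologon_enable.cmd"), "wb") as fh:
            fh.write(b"rem constructed sample\r\nset PASSWORD=" + old_pw.encode() + b"\r\n")
        # Image captured under old_pw, vcld.conf later changed to new_pw.
        sanitize_tree(root, [new_pw])                 # current value only
        leaked_current_only = bool(remaining_hits(root, [old_pw]))
        sanitize_tree(root, [new_pw, old_pw])         # current plus previous values
        leaked_with_history = bool(remaining_hits(root, [old_pw, new_pw]))
    return leaked_current_only, leaked_with_history

if __name__ == "__main__":
    print(demo())
```

Running `remaining_hits` after every sanitize pass turns a silent miss into a detectable failure that can block the image from being deployed.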