Atomic I/O letters column #155Originally published 2014, in PC & Tech Authority
(in which Atomic magazine is now a section)
Reprinted here December 14, 2014 Last modified 09-Jan-2016.
At my work we've got some custom software that I won't identify because of possible trade-secret stuff, but let's call it BlargForce.
BlargForce is not good software, and hangs several times a day, usually doing something weird to a database connection that makes everybody else's BlargForce freeze, but not actually crash, until the hanged copy is killed in Task Manager.
This is tolerable (which is good because the people who made BlargForce do not appear to speak any human language), but it's occurred to me that it'd be nice if you didn't have to go Task Manager, Processes, sort by name, find blargforce.exe, End Process, confirm, every time, which everybody in this office can now do by feel in their sleep. Windows has a command-line process killer, right? Could you make a one-line batch file that kills the BlargForce process number in one step? How do you find the right process number? Does it change whenever you run a new BlargForce, or is it fixed for each program?
The standard command-line utilities you're looking for are "tskill" and "taskkill". Tskill is the basic version that comes (I think) with every flavour of Windows; taskkill is the more powerful one that doesn't come with "Home" editions. Both can do what you want.
Tskill and taskkill can indeed kill tasks by process ID (PID). You can display PIDs in Task Manager via View -> Select Columns. But that's the wrong way to go about it, because PIDs do indeed change when you run the same program again. If BlargForce is PID 10208 now and you make a batch file that kills that task, it could be PID 12260 next time and your batch file won't hit it - but whenever PID 10208 is given to a completely different program's task, your batch file will murder that random other program just fine.
Fortunately, both killer-commands can also kill tasks by name, and the task name will always be the same for a given executable. So in your case you just need a text file called killzombie.bat (or whatever, all it needs is the .bat suffix to make it run as a batch file), that says
taskkill /IM blargforce.exe
The simpler tskill needs no command switches or suffix on the process name. If there are spaces in the task name, the name has to be enclosed in quotes.
I upgraded my computer recently after the CPU on my old one carked it, and I've plugged the C drive from the old computer in as the X drive of the new one, which has made it pretty easy to transfer settings from old programs and such.
I'm at a loss for my video playing software, though, Media Player Classic Home Cinema. The only setting I care about for that is the huge list of bookmarked unfinished video files I had, but there doesn't seem to be a config file anywhere that I can copy to the new computer's MPC-HC folder (or another folder in C:\Users or whatever) to get the bookmarks back.
Everything's on the same drive letters it was before, so a bookmark to "e:\somemovie.mkv, 76 minutes 8 seconds" would still work, but I don't know where MPC-HC KEEPS all of those bookmarks.
Do you? How can you copy them over?
By default, MPC keeps its favourites settings in the registry. So to move them to the new computer, you have to extract them from the old computer's registry and insert them into the new. This is a mildly terrifying process - screw up your registry and you screw up your computer, though modern Windows versions should be able to roll back to a last-known-good state.
(Media Player Classic has an option, turned off by default, to store that stuff in a simple .ini file instead. Sometimes that option even works!)
Registry editing is well within the capabilities of a careful home user, though, and it can be a lifesaver if something really important is lurking in the registry on the still-working hard drive of a deceased computer. This can actually be the case depressingly frequently, since a lot of dodgy software stores all sorts of important data in the registry, and many people (see above) have to use dodgy software to do their job.
In a situation like that you may think you've got everything backed up properly, but if the registry's huge encoded Windows mystery files aren't backed up, then you actually don't. And even if the registry is backed up, you may have to do stuff like this to get the data back out if there's a major failure.
Aaaaanyway, here's how to solve this particular problem. It's highly questionable whether it's worth the effort for data like video bookmarks without which you will probably be able to summon the courage to go on living, but this serves as an excellent example of how to do the same thing for other registry data transplants.
First, you need to run Registry Editor - regedit.exe - and back up the whole registry by right-clicking "Computer", selecting "Export" and saving it wherever you want.
If you screw up the registry, double-clicking that file and telling Windows that yes, you do want to copy its data to the registry, should rescue you.
Now, select HKEY_USERS and load the registry hive (File -> Load Hive) from the old computer. The hive you want will be a file called "ntuser.dat" in the subdirectory of Users on the old C drive that matches the account-name you were using on that computer.
You now have to give the old registry a name to appear under in your own registry - make it something noticeable like "aaaaaa".
It'll appear under that name, and you'll now be able to drill down in it to the keys containing the data you need. In this case, the place where your current MPC-HC will save its bookmarks is HKEY_CURRENT_USER\Software\MPC\HC\Favorites\Files, and the old one's data should now be findable in HKEY_USERS\aaaaaa\Software\MPC\HC\Favorites\Files.
If you're having trouble finding the data for a given program, press F3 in regedit to search, and enter a string from the program name. Regedit will search the entire registry for that string. For this particular case, there are several different versions of Media Player Classic, which have different registry locations; the original ones from Gabest Software, for instance, keep their bookmarks in ...\Gabest\Media Player Classic\..., like so:
I'm showing you this, and not MPC-HC's registry location, because I happen to have an old NTUSER.DAT that had the old MPC installed, but I don't have one with MPC-HC.
(Oh, and apparently there's some malware thing that calls itself "Gabest Media Player Classic" too, which need not detain us here but which I thought was worth mentioning. Malware uses, or at least leaves footprints in, the registry just like all other Windows software, so if your computer's infected by this fake-media-player thing then you'll probably get search hits for the malware in the registry when you search for the real software.)
Now for the tricky bit.
Drill down to the Favorites\Files key in the MPC-HC section of the old registry hive (the old Gabest versions should have the same stuff in the same place), right-click it, and "Export" again. Save the exported data (which will be a much smaller file than your earlier gigantic export of the whole registry) as whateverfilenameyoulike.reg, and then have a look at it in a text editor. (Notepad is perfectly adequate.)
You'll see the text of all of the bookmark values, with at the top the version of Registry Editor that created the file, and then the registry address from which the data came. That registry address will be something like:
And the bookmark data will all look like this:
The name of the file, then a long number that's the precious timestamp that's pretty much the whole reason for this lengthy exercise, and then the path to the file, including its name again.
If you double-click this new registry file you've made, you'll get a warning asking if you really want to add that data to the registry. You don't, yet, because all it'd do is write the data back to the same HKEY_USERS\aaaaaa\... location it came from, which is not where your current Media Player Classic will look.
All you have to do, though, is edit that square-bracketed address at the top, from HKEY_USERS\aaaaaa\... to the correct address for your current MPC, which is HKEY_CURRENT_USER\Software\MPC\HC\Favorites\Files.
(You can probably transplant the data between different MPC versions that keep their data in different places, too, but I'm making no promises.)
Widening our field of view back out to registry-editing in general to transplant program data from one Windows install to another, if you're uncertain of the location of a program's data, you'll have to search by program-name or program-author-name again, to find it. In this case you could get there a bit faster by making a bookmark in your current Media Player Classic. Somewhere among the hits in recently-opened-file lists and such there will be the location of the current MPC's bookmarks. Or, for speed, rename a video file to qqqqqqqqqq.avi or something, play it in MPC, make a bookmark, and then search the registry for qqqqqqqqqq. (The same trick can be done with other applications, if you just save a similarly-distinctively-named data file.)
Other logical edits to the .reg file's text will also work, allowing you to, for instance, change the location of all of the files if your video drive used to be E but is now F, or whatever.
Once you've got the .reg file re-aimed at the right key, double-click it and tell Windows that this time you do want to continue. Now, the next time you run MPC, your old bookmarks should be back. You can now safely delete the hive you imported into your registry and named "aaaaaa", too - though it won't do any harm just sitting there. (And in the dry run of doing all this stuff myself to make the screenshots and make sure I wasn't telling you to do something impossible, I just discovered that the old ntuser.dat that I imported into my own registry had some SecuROM stuff that couldn't be deleted because the keys had null characters in their names - which Microsoft have a special utility to counter! Aaaaaannd there's some stuff to do with the Protected Storage System Provider and old encryption certificates that also can't be deleted regardless of permissions settings, perhaps because Windows thinks I'm trying to delete current encryption-related stuff and throw my data away.
Fortunately, this bit of left-over cruft shouldn't mess anything up. Generally speaking, it's not adding things to the registry that causes problems, it's changing or removing stuff that was already there and doing something important. You can leave the whole old hive you imported sitting there under "aaaaaa" and all it'll do is take up a bit of disk space.
As I said, all of this is too much trouble to go to for data whose loss is only a slight nuisance. But it can really get you out of a tight spot - or save you some hefty tech-support fees - if vitally important data is locked up in an old registry.
When I scanned through my son's chat history, checking to see if he was buying drugs or hiring prostitutes with my credit card (which I'd actually be pretty proud of, come to think of it, he's only nine), I found chunks of chat with some friends of his that all looked like this:
"yby ab qvqag qb vg z8 jung nobhg fro?" [this is one representative line from quite a lot submitted]
I don't think textspeak's gone quite that far yet, I presume this is a code. Do you know what kind of code it is?
[Name withheld, for security!]
In ROT13, every letter of the message is "rotated" thirteen steps through the alphabet, wrapping around at the ends. ROT13 the text again and you get the original message. So your example of "yby ab qvqag..." ROT13s back into "lol no didnt do it m8 what about seb".
ROT13 is so simple that you can do it somewhat laboriously with pencil and paper, or automatically in various text editors, or indeed by applying the "awesome powa" of rot13.com. Because it's so simple, it provides no real cryptographic security - people use ROT13 more just to conveniently obscure non-secret text, like spoilers in a discussion of a movie.
It's often easy to spot ROT13 when you know that it exists, because common words like "the" and "and" rotate into strings that you can come to recognise ("gur" and "naq"). Work with it enough and you'll actually be able to read it directly, like a newsagent who's learned how to read upside-down. ROT13ed curse words are also highly recognisable and often even moderately pronounceable, which can be useful if you want to talk filthy in polite society without learning a whole new language.
I now suggest you make like the Allies in World War II and do not reveal to your enemy that you have broken his codes, lest he move on to better encryption when discussing un-done homework, unhealthy lunch foods and video games.