I’ll also be moving to Winlicense in the next month.

The module which detects those monitor tools will not be present. Just that protection is taken out, that should not affect the global security of your application.

Sounds like a good solution to the ProcMon issue then.
I will ask Ronald to switch off that setting for the next builds of all our programs.

Dear Alwin,

Thanks for the information.

Please, refer to the following KB article:
http://www.oreans.com/kb/?View=entry&EntryID=177

It seems that you have protected with the option “Monitor Blockers” enabled
(in Protection Options panel). If you want to allow execution of ProcMon by
your customers, you just need to protect unchecking those options.

If you have any questions, let us know please.

Thanks,
Rafael

I am not sure I like the “solution” of switching off the “Monitor Blockers” option. I mean, isn’t that going to decrease the strength of the protection?
Will ask them about that.

BTW: A quote from their knowledge base article explains the “reboot issue”:

If you enable Registry/File Monitors, Themida/WinLicense will detect common registry/file monitor tools loaded in memory. The problem with Regmon, FileMon and Process Monitor is that the driver is loaded all the time in memory even if you close the User Interface for Regmon, Filemon, etc. So, the File system and Registry are still hooked by the monitor driver until you restart the computer. Looks that the developers of those monitor tools are not unloading the driver to avoid system crashes in case that a packet request is in the middle of processing while unloading the driver. Summing up, you customer needs to restart the PC if they have launched Regmon, Filemon, etc before launching your protected application (with Monitors detection enabled)

Alwin, thanks for this post. I’m happy with what I use now, but it hasn’t been updated for a while and I’m aware that I’ll need to find another solution, sooner or later. Themida seems to fit quite nicely.

Thanks for your feedback on our usage of Themida and the ProcMon issue.
For your information, I have contacted Oreans support today, with the following email. Will keep you posted about their response.

We have been using Themida to protect our Collectorz.com software
since October 2009 and with great success.
(the long story on my blog here:
http://www.alwinhoogerdijk.com/2009/12/24/protecting-software-with-themida/ )

However, we have received reports from 3 users, that Themida-protected
programs refuse to start when ProcMon, “Process Monitor” from
SysInternals, is running. Now 3 users out of hundreds of thousands is
not a lot, but these users are quite upset (and maybe rightly so),
because ProcMon is just an advanced Task Manager utility (not a pirate
tool). Some of em indicate that this is a tool by someone at
Microsoft, so it must be safe and written well ( I don’t know about
that myself, but hey, that what my users are saying ).

Some user reports are here:
http://www.collectorz.com/phpbb2/viewtopic.php?f=5&t=15136
and there’s one in the comments on my blog post.

So I was wondering, is there any way this can be fixed? Maybe by
introducing an exception rule for ProcMon or even a setting in
Themida?
Or maybe there already is such a setting that I don’t know of.

Another issue is is that our software keeps refusing to start *after*
ProcMon has been shut down. A reboot is required to make it work
again.
Why is that? Can this be fixed?

Thanks for looking into this. I am looking forward to your response.

I understand that, you as the coder of commercial software, piracy prevention/protection is a MUST – people want everything for free those days, and honestity is not on their values. And software developers need to eat and such other essential needs.

TryingToEval has a good point – one user with problems among 50000 is not the big deal… but what about if that user loves the program and wants to recommend it to other people (their relatives and friends), and what about those people telling others about the program… You are not losing just ONE sale, but probably quite a few dozens, perharps even to hundreds… hundred of users that won’t be purchasing at all. Hundreds, maybe thousands of dollars that you’re saying “NO, DON’T WANT”. That’s not a smart way to making business…

And NO, I WON’T RESTART MY COMPUTER. What if i’m doing some critical stuff that can’t be aborted? (like uploading a important file, encoding a lengthy video, or God forbid, burning a DVD/BD…). Oreans Software (and all other commercial software developers) seriously should stop considering users as potential thieves (in some seriously screwed places, your company could even been sued!). If you don’t want people to pirate your app, simply DON’T SELL IT AT ALL – zero piracy rate, and zero problems with users… and zero money for you. The user experience and satisfaction should be your #1 goal (besides earning money , not only the “thou shall not pirate my program with Sysinternals”).

Rebooting will fix the problem.

Themida is working very well for us. It prevents cracks and we’ve
heard of only a couple of problems. The advantages far outweigh the
disadvantages here.
So I am afraid we’ll keep using it.

Sorry for the inconvenience.

The issue is almost certainly that at some point within the last few weeks since Windows Update rebooted my machine, I was using ProcMon to troubleshoot misbehaving software. I’m not running ProcMon now, but Movie Collector still won’t start. Soon I’ll be rebooting to see if that fixes the problem (likely).

This is a defect. It says I’m running a monitor program, but I am not. Please confirm that this issue will be fixed in an upcoming release of Movie Collector. i.e. raise the issue with the Themida folks / stop using Themida / work around the problem in some other way — I don’t really care how it’s fixed, so long as it is.

I do appreciate that you want to protect your software — I’m a developer myself. The only time I’ve seen the word “Themida” was earlier today, when an annoying popup incorrectly described the state of my system and raised my blood pressure. I don’t ever want to see the word “Themida” again. Please take the needs of power users and developers seriously. You may have 50,000 other people that never see this issue, but you won’t have 50,001 unless you commit to fixing this.

Besides, Procmon is not an important part of the cracker toolchain. As a software developer myself I wouldn’t be worried about people using it to crack my software. Procmon is a developer and power user tool distributed by Microsoft themselves. We’re not talking about ShadyReverseEngineeringProgram by Saltine the cracker, we’re talking about Procmon by Microsoft….and to reiterate, it’s not even running.

Please commit to a fix.