Comic Collector and Themida

I installed Comic Collector 4.5.1 from Collectorz.com on my wife's computer, so she could track her extensive comic collection. I monitored the installation with Total Uninstall 5, as I do with all installations, so that I have a record of the file and registry changes made to the system for security and future troubleshooting purposes. Then, prior to starting Comic Collector for the first time, I took another snapshot of the system with Total Uninstall, but also started Process Monitor v2.8. Process Monitor was developed by Mark Russinovich and Bryce Cogswell of Sysinternals, which was acquired by Microsoft in July 2006.

I also wanted to use it to see what registry changes were made for an account when I first ran the Comic Collector program. But when I started Comic Collector, I saw a window titled "Themida" with the message "A monitor program has been found running in your system. Please, unload it from memory and restart your program."

Themida Monitor Warning

I thought the message likely appeared because I was running Process Monitor, which can display the files and registry entries accessed by processes in real time as they run. In the Glider Forums thread "Error: A monitor program has been found running in your system." I found a posting by someone else encountering the same problem while running Process Monitor when he started another program. The poster, MentalPROblem, discovered the message appeared because he had Process Monitor running when he started the other application. He referenced a Softpedia webpage about the product. When I checked that page, I saw the following description of the software. A demo version of the software could be downloaded from the page. The cost listed for the full version was USD $199.00.

Themida
Powerful Windows Software Protector

Themida - powerful Windows Software Protector. Designed for software developers who wish to protect their applications against advanced reverse engineering and software cracking.

SecureEngine is an innovative and revolutionary technology for protecting Microsoft Windows applications against modern cracking. Its architecture and design is a completely new idea, never seen before in the security world.

Themida is a program that helps you to protect your applications against software cracking.

SecureEngine has been designed with a different approach to avoid this common scenario. Its code is running on the same level with the operating system (kernel) with all privileges enabled.

That allows executing any kind of protection technique without being restricted by the operating system. On the other hand, current cracker tools are unable to detect, study and attack protection routines that have been designed and implemented to run at the same level (kernel).

Ring0 Technology - The Windows operating system (OS) architecture is designed to work in two levels of operation: Ring0 runs Windows kernel and device driver code while Ring3 runs normal application code.

Ring0 code supervises and controls normal Windows applications that execute in Ring3 level. This means that normal applications are not allowed to run high priority code.

Debugger Guard - DebuggerGuard technology introduces revolutionary techniques to detect a debugger in memory. These techniques cannot be bypassed by any known cracking tools and are almost impossible to bypass even if an attacker knows how they work.

This technology ensures that a protected application can only be run in safe environments, without the presence of debugging tools.

Here are some key features of "Themida":

· Anti-debugger techniques that detect/fool any kind of debugger
· Anti-memory dumpers techniques for any Ring3 and Ring0 dumpers
· Different encryption algorithms and keys in each protected application
· Anti-API scanners techniques that avoid reconstruction of original import table
· Automatic decompilation and scrambling techniques in target application
· Virtual Machine emulation in specific blocks of code
· Advanced Mutator engine
· SDK communication with protection layer
· Anti-disassembler techniques for any static and interactive disassemblers
· Multiple polymorphic layers with more than 50.000 permutations
· Advanced API-Wrapping techniques
· Anti-monitors techniques against file and registry monitors
· Random garbage code insertion between real instructions
· Specialized protection threads
· Advanced Threads network communication
· Anti-Memory patching and CRC techniques in target application
· Metamorphic engine to scramble original instructions
· Advanced Entry point protection
· Dynamic encryption in target application
· Anti-tracing code insertion between real instructions
· Advanced Anti-breakpoint manager
· Real time protection in target application
· Compression of target application, resources and protection code
· Anti-"debugger hiders" techniques
· Full mutation in protection code to avoid pattern recognition
· Real-time simulation in target application
· Intelligent protection code insertion inside target application
· Random internal data relocation
· Possibility to customize dialogs in protected application
· Support of command line

Since one of the features listed was "Anti-monitors techniques against file and registry monitors", that would explain why it complained about Process Monitor running.

The software is developed by Oceans Technologies.

Software, such as Themida, may be used by developers to stop others from "cracking" their software to remove copy protection features, such as serial number checks, etc. Debuggers, such as SoftICE, can be used by crackers to analyze programs they wish to crack. Software, such as Themida, can be used to make that analysis impossible, or at least much more difficult.

I have no desire to crack Comic Collector or any of the other database programs from Collectorz.com, though. I've purchased licenses for Book Collector, Comic Collector, Movie Collector, and Music Collector. The software from Collectorz.com is reasonably priced for all of the features offered by the software and the developer offers a very reasonable license with only the stipulation that "the Software is not used at the same time on more computers than you have purchased licenses for." And the demo version of Comic Collector allows one to store information on 100 comics, which would be adequate for a small collection, but not ours.

My only desire was to be able to learn the registry values used by the program for the locations of files it uses, so that I can have the software store its database, images, etc. at a shared network location. That way all family computers would be using the same information and I don't have to worry about synchronizing the data between computers; we would never be using the software on more than one system at a time, though. I configured Movie Collector to use a shared network location for its files. I hadn't seen the message when I ran it, though. I initially presumed that was because I hadn't used Process Monitor with it, but I later found that wasn't the case.

I exited from Process Monitor, but left Total Uninstall 5 running. I took a snapshot of the system with Total Uninstall before starting Comic Collector. When I started Comic Collector, I again received the same Themida warning. I clicked on "Complete the monitoring process later" in Total Uninstall and again tried starting Comic Collector. I again received the same Themida warning and the program refused to start. When Total Uninstall runs, the Task Manager shows a Tu.exe process running for the application. When I clicked on "Complete the monitoring process later", that process disappeared from the Task Manager, but Comic Collector still wouldn't start. I cancelled the monitoring of changes by Total Uninstall and tried running Comic Collector with Process Monitor running, just to be absolutely sure that either Process Monitor or Total Uninstall would produce the message. It appeared that having either monitor the system would produce the Themida message.

I took a look at both ComicCollector.exe and MovieCollector.exe with FileAlyzer. When I viewed the Import/Export table of MovieCollector.exe with FileAlyzer, I could see imported DLLs. I did not see anything listed in the Import/Export table for ComicCollector.exe when I viewed it with FileAlyzer. One of the features listed for Themida is "Anti-API scanners techniques that avoid reconstruction of original import table", which may explain that difference. So, I think Comic Collector is protected by the Themida software, but Movie Collector is not. Both were apparently developed with Borland Delphi.
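The difference observed in FileAlyzer can also be checked programmatically. The Python script below is an added example and is not part of the original post, nor code from Collectorz.com, Themida or FileAlyzer: it walks a PE file's import directory (data directory entry 1) and reports the DLLs and function names it lists, handling both PE32 and PE32+ thunk formats and imports by ordinal. So that it runs offline, it also builds two constructed, non-executable sample PE32 images, one with a small KERNEL32.dll import table and one with the import directory zeroed, the way a protected executable's table appeared in FileAlyzer. An empty or missing import directory is only a triage signal that the executable resolves its imports at run time, as packers and protectors do; it does not by itself identify which protector, if any, was used.

```python
"""Added example (not from the original post): list a PE file's imports.
Packed or protected executables typically leave the import directory empty
and resolve their imports at run time, which is what FileAlyzer shows as an
empty Import/Export table."""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1   # index into the optional header's data directories
SIZEOF_OPTIONAL_HEADER_PE32 = 224  # 96 fixed bytes + 16 data directories * 8 bytes
IMPORT_DESCRIPTOR_SIZE = 20        # sizeof(IMAGE_IMPORT_DESCRIPTOR)


def _rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for virtual_address, raw_size, raw_pointer in sections:
        if virtual_address <= rva < virtual_address + raw_size:
            return raw_pointer + (rva - virtual_address)
    raise ValueError(f"RVA {rva:#x} is not backed by any section's raw data")


def _cstring(data, offset):
    """Read a NUL-terminated ASCII string at the given file offset."""
    return data[offset:data.index(b"\0", offset)].decode("ascii", "replace")


def parse_imports(pe):
    """Return {dll_name: [function names or 'ordinal#N']}; {} if the import
    directory is absent or empty."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    if magic == 0x10B:                                      # PE32
        dir_off, thunk_fmt, ordinal_flag = opt_off + 96, "<I", 1 << 31
    elif magic == 0x20B:                                    # PE32+
        dir_off, thunk_fmt, ordinal_flag = opt_off + 112, "<Q", 1 << 63
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    import_rva, import_size = struct.unpack_from(
        "<II", pe, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    # Section table follows the optional header; keep (VirtualAddress,
    # SizeOfRawData, PointerToRawData) of each 40-byte section header.
    sec_off = opt_off + opt_size
    sections = [struct.unpack_from("<III", pe, sec_off + 40 * i + 12)
                for i in range(num_sections)]
    if import_rva == 0 or import_size == 0:
        return {}
    imports = {}
    desc_off = _rva_to_offset(sections, import_rva)
    thunk_size = struct.calcsize(thunk_fmt)
    while True:
        orig_first_thunk, _, _, name_rva, first_thunk = struct.unpack_from(
            "<IIIII", pe, desc_off)
        if name_rva == 0 and first_thunk == 0:              # all-zero terminator
            break
        dll = _cstring(pe, _rva_to_offset(sections, name_rva))
        thunk_off = _rva_to_offset(sections, orig_first_thunk or first_thunk)
        functions = []
        while True:
            entry = struct.unpack_from(thunk_fmt, pe, thunk_off)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                functions.append(f"ordinal#{entry & 0xFFFF}")
            else:  # IMAGE_IMPORT_BY_NAME: u16 hint followed by the name
                functions.append(_cstring(pe, _rva_to_offset(sections, entry) + 2))
            thunk_off += thunk_size
        imports[dll] = functions
        desc_off += IMPORT_DESCRIPTOR_SIZE
    return imports


def has_visible_imports(pe):
    """Triage heuristic: False suggests a packed or protected executable."""
    return bool(parse_imports(pe))


def build_sample_pe(with_imports):
    """Constructed sample input: a minimal, non-executable PE32 image with one
    .rdata section (RVA 0x1000, file offset 0x200). Not a real program."""
    sect_rva, sect_off, sect_size = 0x1000, 0x200, 0x200
    data = bytearray(sect_size)
    import_rva = import_size = 0
    if with_imports:
        data[0x80:0x8D] = b"KERNEL32.dll\0"                 # DLL name
        data[0xA0:0xB1] = b"\0\0" + b"GetProcAddress\0"      # hint + function name
        thunks = struct.pack("<III", sect_rva + 0xA0, (1 << 31) | 7, 0)
        data[0x40:0x4C] = thunks                            # OriginalFirstThunk array
        data[0x60:0x6C] = thunks                            # FirstThunk (IAT)
        struct.pack_into("<IIIII", data, 0, sect_rva + 0x40, 0, 0,
                         sect_rva + 0x80, sect_rva + 0x60)  # descriptor; next one is zero
        import_rva, import_size = sect_rva, 2 * IMPORT_DESCRIPTOR_SIZE
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, SIZEOF_OPTIONAL_HEADER_PE32, 0x0102)
    opt = bytearray(SIZEOF_OPTIONAL_HEADER_PE32)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT,
                     import_rva, import_size)
    section = struct.pack("<8sIIIIIIHHI", b".rdata", sect_size, sect_rva, sect_size,
                          sect_off, 0, 0, 0, 0, 0x40000040)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    return header + bytes(sect_off - len(header)) + bytes(data)


if __name__ == "__main__":
    for label, image in (("plain build", build_sample_pe(True)),
                         ("protected-style build", build_sample_pe(False))):
        print(label, parse_imports(image), "visible imports:", has_visible_imports(image))
```

To run it against a real file, read the executable into bytes and pass it to parse_imports; the header-length, section-table and RVA checks are deliberately strict so that a truncated or deliberately malformed header raises ValueError rather than being misread as "no imports".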

I then installed Advanced Registry Tracer (ART) from Elcomsoft. I scanned the registry with it and then tried opening Comic Collector. It would not open, producing the same Themida message as before. I exited from ART and tried again, but that made no difference.

Finally, I rebooted the system. I ran both Total Uninstall and Advanced Registry Tracer (ART). I found that Comic Collector would open without the Themida message when they were running, but as soon as I opened Process Monitor, it would not open, producing the Themida message. It didn't matter if Process Monitor was subsequently exited. I could only run Comic Collector if I rebooted after running Process Monitor. The issue did not occur with Movie Collector 6.4 Build 1 Pro Edition, only with Comic Collector 4.5.1.

I could locate the relevant information in the registry fairly easily in this case, even without ART or Total Uninstall, and I could change the location of files through the Options settings in the program. But I like to know all the registry settings programs create or modify, for security purposes, should I later need to know what program created a registry key, and also for troubleshooting, such as cleaning up when a program's uninstall routine doesn't function properly, so I'm glad using ART and Total Uninstall doesn't prevent Comic Collector from running.

It's not a big deal that I can't run the software if Process Monitor has been run first, since I only rarely run Process Monitor; it just means I have to be aware that I'll have to reboot the system after running Process Monitor in order to be able to run Comic Collector.

References:

  1. Error: A monitor program has been found running in your system.
     Glider Forums, February 22, 2007
  2. Themida 1.950
     Softpedia
  3. SoftICE
     Wikipedia, the free encyclopedia
  4. Movie Collector 6.4.1 Customization
     MoonPoint Support, November 8, 2009


Created: Saturday November 14, 2009