If you enable the option "Detect File/Regstry Monitors" (in the Protection Options panel), Themida will detect common registry/file monitor tools loaded in memory. The problem with Regmon, FileMon and Process Monitor is that the driver is loaded all the time in memory even if you close the User Interface for Regmon, Filemon, etc. So, the File system and Registry are still hooked by the monitor driver until you restart the computer. Looks that the developers of those monitor tools are not unloading the driver to avoid system crashes in case that a packet request is in the middle of processing while unloading the driver. Summing up, you customer needs to restart the PC if they have launched Regmon, Filemon, etc. before launching your protected application.