private void ParseAuditOperations2(ref Rec rec, AuditInfo audit, StringBuilder buffer, StringBuilder domainBuffer, StringBuilder userBuffer, ref int sentItems)
        {
            try
            {
                if (string.IsNullOrEmpty(rec.Description))
                    return;

                using (var reader = new StringReader(rec.Description))
                {
                    string line;
                    var state = -1;

                    var mask = 0;
                    var values = new string[9];

                    while (true)
                    {
                        using (Benchmark("ParseAuditOperations2 ReadLine"))
                        {
                            line = reader.ReadLine();
                        }
                        if (line == null)
                            break;

                        Match m;
                        switch (state)
                        {
                            case -1:
                                m = RegLine.Match(line);
                                if (m.Success)
                                {
                                    state = m.Groups[1].Success ? 2 : 3;
                                    /*
                                    for (state = 1; state < m.Groups.Count && !m.Groups[state].Success; ++state)
                                    {
                                    }
                                    if (state == m.Groups.Count)
                                        state = -1;
                                    else
                                        ++state;
                                     * */
                                }
                                break;
                            default:
                                m = ((Regex)RegExps[state][0]).Match(line);
                                if (m.Success)
                                {
                                    //WriteLine(line);
                                    var i = 1;
                                    var ms = 1;
                                    while (i < m.Groups.Count)
                                    {
                                        if (m.Groups[i].Success)
                                        {
                                            values[i / 2] = m.Groups[i + 1].Value;
                                            mask |= ms;
                                            break;
                                        }
                                        i += 2;
                                        ms <<= 1;
                                    }
                                    if (mask == ((int)RegExps[state][1]))
                                    {
                                        var username = string.IsNullOrEmpty(values[1]) || string.IsNullOrEmpty(values[2])
                                                       ? UserWithDomain(values[0], buffer, domainBuffer, userBuffer)
                                                       : values[1] + "\\" + values[2];
                                        AuditLogonEnv2 env;
                                        lock (_handles2)
                                        {
                                            if (!_handles2.TryGetValue(values[3], out env))
                                            {
                                                env = new AuditLogonEnv2(values[3]);
                                                _handles2[env.LogonId] = env;
                                            }
                                        }

                                        if (state == 3)
                                        {
                                            using (Benchmark("ParseAuditOperations2 DeleteHandle2"))
                                            {
                                                AuditDeleteHandle2(ref rec, env, username, values[0], values[4],
                                                                   values[5],
                                                                   ref sentItems);
                                            }
                                        }
                                        else if (audit.ObjectType == "File")
                                        {
                                            //Console.WriteLine(rec.Description);
                                            //var ln = Console.ReadLine();
                                            //if (ln.Equals("d"))
                                            //    DEBUG_BREAK = true;
                                            //else if (ln.Equals("q"))
                                            //    DEBUG_BREAK = false;

                                            using (Benchmark("ParseAuditOperations2 AuditObjectRequestHandle2"))
                                            {
                                                AuditObjectRequestHandle2(ref rec, env, values[3], username, values[0],
                                                                          values[5], values[6],
                                                                          values[8], values[4], values[7], ref sentItems);
                                            }

                                        }
                                        return;
                                    }
                                }
                                break;
                        }
                    }
                }
            }
            catch (Exception e)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, "Error while parsing audit operations:" + e);
            }
        }
 public EventLogFileAuditRecorder()
 {
     _handles2["00000"] = new AuditLogonEnv2("00000");
     _handles2["00000"].ProcessLastAudit["-----"] = new AuditHandle2("12313", "-----", "test");
     cleanupTimer = new Timer { AutoReset = false, Interval = 60000 };
     cleanupTimer.Elapsed += new ElapsedEventHandler(cleanupTimer_Elapsed);
     cleanupTimer.Start();
     enc = Encoding.UTF8;
 }
        private void AuditObjectRequestHandle2(ref Rec rec, AuditLogonEnv2 env, string logonId, string username,
                                               string userSid, string handleId, string processId, string processName,
                                               string objectName, string accessMask, ref int sentItems)
        {
            if (!string.IsNullOrEmpty(objectName))
            {
                var kernel = RegKernelPath.Match(objectName);
                if (kernel.Success)
                    objectName = QueryDosPath(kernel.Groups[1].Value, kernel.Groups[2].Value);
            }
            var access = (AccessMask)GetPid(accessMask);
            //if ((access & NewFileDirMask) == NewFileDirMask)
            //{
            //    SendData(ref rec, "NEW", (access & AccessMask.AppendOrAddSubDir) == AccessMask.None ? "Directory" : "File",
            //             objectName, userSid, username, processName,
            //             GetPid(processId), accessMask, string.Empty);
            //    sentItems++;
            //    return;
            //}
            AuditHandle2 handle;
            lock (env)
            {
                if ((access & AccessMask.Synchronize) == AccessMask.Synchronize)
                {
                    if (env.ProcessLastAudit.TryGetValue(processId, out handle))
                        env.ProcessLastAudit.Remove(processId);
                    else
                        handle = null;
                    if ((access & (AccessMask.WriteOrAddFile | AccessMask.AppendOrAddSubDir)) != AccessMask.None)
                    {
                        if (handle != null)
                        {
                            if (handle.Name == objectName)
                            {
                                //handle.AccessType |= access;
                                env.ProcessLastAudit[processId] = handle;
                                ++sentItems;
                                return;
                            }

                            if (handle.Name.StartsWith(objectName))
                            {
                                if (handle.Name.Length > objectName.Length)
                                {
                                    if (objectName[objectName.Length - 1] == Path.DirectorySeparatorChar ||
                                        handle.Name[objectName.Length] == Path.DirectorySeparatorChar)
                                    {
                                        SendData(ref rec, "RENAME",
                                                 (access & AccessMask.AppendOrAddSubDir) ==
                                                 AccessMask.None
                                                     ? "Directory"
                                                     : "File",
                                                 handle.Name, userSid, username, processName,
                                                 GetPid(processId), accessMask, objectName);
                                        sentItems++;
                                        return;
                                    }
                                }
                            }
                            SendData(ref rec, "MOVE", string.Empty, handle.Name, userSid, username, processName,
                                     GetPid(processId), accessMask, objectName);
                            sentItems++;
                        }
                        else
                        {
                            SendData(ref rec, "NEW",
                                     (access & AccessMask.AppendOrAddSubDir) == AccessMask.None
                                         ? "Directory"
                                         : "File",
                                     objectName, userSid, username, processName,
                                     GetPid(processId), accessMask, string.Empty);
                            sentItems++;
                        }
                    }
                    else if ((access & AccessMask.Delete) == AccessMask.Delete)
                    {
                        if (handle == null)
                            handle = new AuditHandle2(handleId, processId, processName);

                        handle.AccessType = access;
                        handle.LogonId = logonId;
                        handle.Name = objectName;
                        handle.Owner = user;
                        handle.OwnerSid = userSid;
                        env.ProcessLastAudit[processId] = handle;
                        ++sentItems;
                    }
                }
                else if ((access & AccessMask.Delete) == AccessMask.Delete)
                {
                    env.ProcessLastAudit.Remove(processId);
                    SendData(ref rec, "DELETED", string.Empty,
                             objectName, userSid, username, processName,
                             GetPid(processId), accessMask, string.Empty);
                    sentItems++;
                }
            }
        }
 private void AuditDeleteHandle2(ref Rec rec, AuditLogonEnv2 env, string user, string userSid,
                                   string handleId, string processId, ref int sentItems)
 {
     AuditHandle2 handle;
     lock (env)
     {
         if (env.ProcessLastAudit.TryGetValue(processId, out handle) && handle.HandleId == handleId)
         {
             env.ProcessLastAudit.Remove(processId);
             SendData(ref rec, "DELETED", string.Empty, handle.Name, userSid, user, handle.ProcessName,
                      GetPid(processId), string.Format("{0:X}", handle.AccessType), string.Empty);
             sentItems++;
         }
     }
 }