private IEnumerable <AccessCheckResult> RunAuditCheck(NtToken token, NtType type, ObjectTypeEntry[] object_types) { _dict.GetValue("SubsystemName", out string subsystem_name); _dict.GetValue("HandleId", out IntPtr? handle_id); _dict.GetValue("ObjectTypeName", out string object_type_name); _dict.GetValue("ObjectName", out string object_name); _dict.GetValue("ObjectCreation", out SwitchParameter? object_creation); _dict.GetValue("AuditType", out AuditEventType? event_type); _dict.GetValue("AuditFlags", out AuditAccessCheckFlags? flags); var results = new List <AccessCheckResult>(); if (ResultList) { results.AddRange(NtSecurity.AccessCheckWithResultListAudit( subsystem_name, handle_id ?? IntPtr.Zero, object_type_name, object_name, object_creation ?? new SwitchParameter(), event_type ?? AuditEventType.AuditEventObjectAccess, flags ?? AuditAccessCheckFlags.None, GetSecurityDescriptor(), token, GetDesiredAccess(), Principal, type.GenericMapping, object_types)); } else { results.Add(NtSecurity.AccessCheckAudit( subsystem_name, handle_id ?? IntPtr.Zero, object_type_name, object_name, object_creation ?? new SwitchParameter(), event_type ?? AuditEventType.AuditEventObjectAccess, flags ?? AuditAccessCheckFlags.None, GetSecurityDescriptor(), token, GetDesiredAccess(), Principal, type.GenericMapping, object_types)); } return(results); }