protected bool ReadLocal(string fileName)
        {
            L.Log(LogType.FILE, LogLevel.INFORM, "EventLogFileAuditRecorder In ReadLocal -- Started.");

            if (!callable.WaitOne(0))
            {
                L.Log(LogType.FILE, LogLevel.INFORM, "EventLogFileAuditRecorder In ReadLocal -- CALLED MULTIPLE TIMES STILL IN USE");
                callable.WaitOne();
                try
                {
                    throw new Exception("Parse already been processed by another thread while this call has made");
                }
                finally
                {
                    callable.ReleaseMutex();
                }
            }
            try
            {
                L.Log(LogType.FILE, LogLevel.INFORM, "EventLogFileAuditRecorder In ReadLocal -- Started with lastfile: " + lastFile);
                var eventLogLocation = fileName;

                var query = last_recordnum > 0 ? "*[System/EventRecordID > " + last_recordnum + "]" : null;

                var handle = IntPtr.Zero;
                var events = new IntPtr[] { IntPtr.Zero };

                var hRenderContext = IntPtr.Zero;
                var pRenderedValues = IntPtr.Zero;
                var hRenderContextEvtData = IntPtr.Zero;
                var metaDict = new Dictionary<string, IntPtr>();

                var dwBufferUsed = 0;
                var dwPropertyCount = 0;
                var dwBufferSize = 0;
                var status = UnsafeNativeMethods.ERROR_SUCCESS;

                var session = IntPtr.Zero;

                try
                {
                    var info = user == null ? null : user.Split('\\');
                    if (info != null && info.Length >= 2)
                    {

                        domain = string.IsNullOrEmpty(info[0]) ? null : info[0];
                        ip = info.Length == 2 ? remoteHost : (string.IsNullOrEmpty(info[1]) ? null : info[1]);
                        domainUser = string.IsNullOrEmpty(info[info.Length - 1]) ? null : info[info.Length - 1];

                        if (!string.IsNullOrEmpty(domain) && !string.IsNullOrEmpty(domainUser))
                        {
                            L.Log(LogType.FILE, LogLevel.DEBUG,
                                  "EventLogFileAuditRecorder In ReadLocal -- Remote Logger: " + user);
                            var login = new UnsafeNativeMethods.EvtRpcLogin()
                                {
                                    Domain = domain,
                                    User = domainUser,
                                    Password = CoTaskMemUnicodeSafeHandle.Zero,
                                    Server = ip
                                };
                            var secureString = new SecureString();

                            if (!string.IsNullOrEmpty(password))
                            {
                                foreach (var ch in password)
                                {
                                    secureString.AppendChar(ch);
                                }
                            }

                            login.Password.SetMemory(Marshal.SecureStringToCoTaskMemUnicode(secureString));
                            session = UnsafeNativeMethods.EvtOpenSession(UnsafeNativeMethods.EvtLoginClass.EvtRpcLogin,
                                                                         ref login, 0, 0);
                            L.Log(LogType.FILE, LogLevel.DEBUG,
                                  "EventLogFileAuditRecorder In ReadLocal -- UnsafeNativeMethods.EvtQueryFlags.EvtQueryChannelPath: " +
                                  UnsafeNativeMethods.EvtQueryFlags.EvtQueryChannelPath);
                        }
                    }

                    /*
                         flags = (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryFilePath;
                        L.Log(LogType.FILE, LogLevel.DEBUG, "EventLogFileAuditRecorder In ReadLocal -- UnsafeNativeMethods.EvtQueryFlags.EvtQueryFilePath: " + UnsafeNativeMethods.EvtQueryFlags.EvtQueryFilePath);
                    }
                    else
                    {
                     */
                    int flags;
                    if (location.Contains("\\"))
                    {
                        flags = (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryFilePath;
                        L.Log(LogType.FILE, LogLevel.DEBUG, "EventLogFileAuditRecorder In ReadLocal --EvtQueryFilePath");
                    }
                    else
                    {
                        flags = (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryChannelPath;
                        L.Log(LogType.FILE, LogLevel.DEBUG, "EventLogFileAuditRecorder In ReadLocal --EvtQueryChannelPath");
                    }

                    L.Log(LogType.FILE, LogLevel.DEBUG, "EventLogFileAuditRecorder In ReadLocal -- " + session + " - " + eventLogLocation + " - " + query + " - " + flags);

                    handle = UnsafeNativeMethods.EvtQuery(session, eventLogLocation, query, flags);

                    if (handle == IntPtr.Zero)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR,
                                "EventLogFileAuditRecorder In ReadLocal --  Error Opening Event File: " + Marshal.GetLastWin32Error());
                        return false;
                    }

                    hRenderContext = UnsafeNativeMethods.EvtCreateRenderContext(0, null,
                                                                                UnsafeNativeMethods
                                                                                    .EvtRenderContextFlags
                                                                                    .EvtRenderContextSystem);

                    if (hRenderContext == IntPtr.Zero)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR,
                                "EventLogFileAuditRecorder In ReadLocal --  Error Creating Render Context Failed: " +
                                Marshal.GetLastWin32Error() + ")");
                        return false;
                    }

                    var buffer = new StringBuilder();
                    var lineBuffer = new StringBuilder();
                    var tmpBuffer = new StringBuilder();
                    var domainBuffer = new StringBuilder();
                    var usernameBuffer = new StringBuilder();
                    var returned = 0;
                    var rec = new CustomBase.Rec();
                    var audit = new AuditInfo();
                    isFileFinished = false;

                    try
                    {
                        while (UnsafeNativeMethods.EvtNext(handle, 1, events, int.MaxValue, 0, ref returned))
                        {
                            PrintT(++total);
                            try
                            {
                                using (Benchmark("GetRender"))
                                {
                                    if (!GetRenderValues(hRenderContext, events[0],
                                                         UnsafeNativeMethods.EvtRenderFlags.EvtRenderEventValues,
                                                         ref dwBufferSize, ref pRenderedValues, ref dwBufferUsed,
                                                         ref dwPropertyCount, ref status))
                                    {
                                        L.Log(LogType.FILE, LogLevel.ERROR,
                                              "EventLogFileAuditRecorder In ReadLocal --  Error Getting Render Event Values Failed: " +
                                              status +
                                              ")");
                                        continue;
                                    }
                                }

                                string description;
                                using (Benchmark("GetFields"))
                                {
                                    string meta;
                                    using (Benchmark("GetFields P1"))
                                    {
                                        meta =
                                            Marshal.PtrToStringAuto(
                                                ((UnsafeNativeMethods.EvtVariant)
                                                 (Marshal.PtrToStructure(pRenderedValues,
                                                                         typeof(UnsafeNativeMethods.EvtVariant))))
                                                    .StringVal);
                                        if (meta == null)
                                        {
                                            L.Log(LogType.FILE, LogLevel.INFORM,
                                                  "EventLogFileAuditRecorder In ReadLocal --  Event has no meta data. Skipping");
                                            continue;
                                        }
                                    }
                                    using (Benchmark("GetFields P2"))
                                    {
                                        rec.EventId =
                                            ((UnsafeNativeMethods.EvtVariant)
                                             Marshal.PtrToStructure(
                                                 new IntPtr((Int32)pRenderedValues +
                                                            ((int)
                                                             UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemEventID) *
                                                            Marshal.SizeOf(typeof(UnsafeNativeMethods.EvtVariant))),
                                                 typeof(UnsafeNativeMethods.EvtVariant))).UShort;
                                        L.Log(LogType.FILE, LogLevel.DEBUG, "EventId: " + rec.EventId);
                                    }
                                    IntPtr metaPtr;
                                    using (Benchmark("GetFields P3"))
                                    {
                                        if (!metaDict.TryGetValue(meta, out metaPtr))
                                        {
                                            metaPtr = UnsafeNativeMethods.EvtOpenPublisherMetadata(session, meta, null,
                                                                                                   LangId,
                                                                                                   0);
                                            if (metaPtr != IntPtr.Zero)
                                                metaDict[meta] = metaPtr;
                                        }
                                    }

                                    using (Benchmark("GetFields P4"))
                                    {
                                        if (!GetMessageString(metaPtr, events[0],
                                                              UnsafeNativeMethods.EvtFormatMessageFlags
                                                                                 .EvtFormatMessageEvent,
                                                              ref buffer,
                                                              out dwBufferUsed, ref status))
                                        {
                                            L.Log(LogType.FILE, LogLevel.ERROR, "Get Description failed:" + status);
                                            continue;
                                        }
                                    }
                                    using (Benchmark("GetFields P5"))
                                    {
                                        description = buffer.ToString();
                                        buffer.Remove(0, buffer.Length);

                                        //WriteLine(description);
                                        //continue;

                                        rec.Recordnum = (int)
                                                        ((UnsafeNativeMethods.EvtVariant)
                                                         Marshal.PtrToStructure(
                                                             new IntPtr((Int32)pRenderedValues +
                                                                        ((int)
                                                                         UnsafeNativeMethods.EvtSystemPropertyId
                                                                                            .EvtSystemEventRecordId) *
                                                                        Marshal.SizeOf(
                                                                            typeof(UnsafeNativeMethods.EvtVariant))),
                                                             typeof(UnsafeNativeMethods.EvtVariant))).ULong;

                                        last_recordnum = (long)rec.Recordnum;

                                        rec.ComputerName =
                                            Marshal.PtrToStringAuto(
                                                ((UnsafeNativeMethods.EvtVariant)
                                                 (Marshal.PtrToStructure(
                                                     new IntPtr((Int32)pRenderedValues +
                                                                ((int)
                                                                 UnsafeNativeMethods.EvtSystemPropertyId
                                                                                    .EvtSystemComputer) *
                                                                Marshal.SizeOf(typeof(UnsafeNativeMethods.EvtVariant))),
                                                     typeof(UnsafeNativeMethods.EvtVariant))))
                                                    .StringVal);
                                    }
                                    using (Benchmark("GetFields P6"))
                                    {
                                        if (!GetMessageString(metaPtr, events[0],
                                                              UnsafeNativeMethods.EvtFormatMessageFlags
                                                                                 .EvtFormatMessageTask,
                                                              ref buffer,
                                                              out dwBufferUsed, ref status))
                                        {
                                            buffer.Remove(0, buffer.Length);
                                        }
                                        rec.EventType = buffer.ToString();
                                        if (!GetMessageString(metaPtr, events[0],
                                                              UnsafeNativeMethods.EvtFormatMessageFlags
                                                                                 .EvtFormatMessageLevel,
                                                              ref buffer,
                                                              out dwBufferUsed, ref status))
                                        {
                                            buffer.Remove(0, buffer.Length);
                                        }
                                        rec.EventCategory = buffer.ToString();

                                        ulong timeCreated =
                                            ((UnsafeNativeMethods.EvtVariant)
                                             Marshal.PtrToStructure(
                                                 new IntPtr((Int32)pRenderedValues +
                                                            ((int)
                                                             UnsafeNativeMethods.EvtSystemPropertyId
                                                                                .EvtSystemTimeCreated) *
                                                            Marshal.SizeOf(typeof(UnsafeNativeMethods.EvtVariant))),
                                                 typeof(UnsafeNativeMethods.EvtVariant))).FileTime;

                                        rec.Datetime =
                                            DateTime.FromFileTime((long)timeCreated)
                                                    .ToString("yyyy/MM/dd HH:mm:ss", CultureInfo.InvariantCulture);
                                        rec.LogName =
                                            Marshal.PtrToStringAuto(
                                                ((UnsafeNativeMethods.EvtVariant)
                                                 (Marshal.PtrToStructure(
                                                     new IntPtr((Int32)pRenderedValues +
                                                                ((int)
                                                                 UnsafeNativeMethods.EvtSystemPropertyId
                                                                                    .EvtSystemChannel) *
                                                                Marshal.SizeOf(typeof(UnsafeNativeMethods.EvtVariant))),
                                                     typeof(UnsafeNativeMethods.EvtVariant))))
                                                    .StringVal);

                                        rec.Description = description;
                                    }
                                }
                                var sentItems = 0;
                                using (Benchmark("ParseDescriptionForAudit"))
                                {
                                    if (
                                        !ParseDescriptionForAudit(audit, description, buffer, domainBuffer,
                                                                  usernameBuffer))
                                        continue;
                                }
                                using (Benchmark("ParseAuditOperations2"))
                                {
                                    ParseAuditOperations2(ref rec, audit, buffer, domainBuffer, usernameBuffer,
                                                          ref sentItems);

                                    if (sentItems > 0)
                                        continue;
                                    if (audit.Reasons.Count == 0 && audit.OriginalRights.Count == 0 &&
                                        audit.NewRights.Count == 0)
                                        continue;
                                }
                                rec.Description = description;
                                rec.CustomStr2 = audit.ObjectType;
                                rec.CustomStr3 = audit.ObjectName;
                                rec.CustomStr4 = audit.Sid;
                                rec.CustomStr5 = audit.Username;
                                rec.CustomStr6 = audit.Process;
                                rec.CustomInt6 = audit.ProcessId;
                                rec.CustomStr7 = audit.AccessMask;
                                using (Benchmark("ParseAuditOperations2"))
                                {
                                    if (audit.OriginalRights.Count > 0 && audit.NewRights.Count > 0)
                                        SendAccessRightChange(ref rec, audit);
                                    //else
                                    //   SendAudit(ref rec, audit);
                                }
                            }
                            finally
                            {
                                UnsafeNativeMethods.EvtClose(events[0]);
                                events[0] = IntPtr.Zero;
                            }
                        }
                    }
                    finally
                    {
                        foreach (var item in benchmark)
                        {
                            item.Value.Stop();
                        }
                        //BenchStat(Console.Out);
                        try
                        {
                            var customServiceBase = GetInstanceService("Security Manager Remote Recorder");
                            L.Log(LogType.FILE, LogLevel.DEBUG, " EventLogFileAuditRecorder In ReadLocal -->> Setting Registry.");
                            customServiceBase.SetReg(Id, last_recordnum.ToString(CultureInfo.InvariantCulture), "-", lastFile, "", LastRecordDate);
                            L.Log(LogType.FILE, LogLevel.DEBUG, " EventLogFileAuditRecorder In ReadLocal -->> Registry Set.");
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, " EventLogFileAuditRecorder In ReadLocal -->> Setting Registry Error." + exception.Message);
                        }
                    }

                    isFileFinished = true;
                    return true;
                }
                finally
                {
                    CleanupEvtHandle(handle);
                    CleanupEvtHandle(events[0]);
                    CleanupEvtHandle(hRenderContext);
                    CleanupEvtHandle(hRenderContextEvtData);
                    CleanupEvtHandle(metaDict);
                }
            }
            catch (EventLogNotFoundException e)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, "EVTX Parser in ReadLocal ERROR." + e.Message);
            }
            finally
            {
                callable.ReleaseMutex();
            }
            return false;
        }
        private void SendAccessRightChange(ref CustomBase.Rec rec, AuditInfo audit)
        {
            foreach (var o in audit.OriginalRights.Keys)
            {
                if (audit.NewRights.Remove(o))
                {
                    audit.OriginalRights[o].Valid = false;
                }
            }
            rec.CustomStr1 = "RIGHT DELETED";
            foreach (var r in audit.OriginalRights.Values)
            {
                if (r.Valid)
                {
                    rec.CustomStr8 = r.Trustee;
                    rec.CustomStr9 = r.AceType;
                    rec.CustomStr10 = r.Right;
                    SendData(ref rec);
                }
            }

            rec.CustomStr1 = "RIGHT ADDED";
            foreach (var r in audit.NewRights.Values)
            {
                rec.CustomStr8 = r.Trustee;
                rec.CustomStr9 = r.AceType;
                rec.CustomStr10 = r.Right;
                SendData(ref rec);
            }
        }
 private void SendAudit(ref Rec rec, AuditInfo audit)
 {
     foreach (var a in audit.Reasons)
     {
         rec.CustomStr1 = a.AccessRight;
         rec.CustomStr8 = a.GrantedByUser;
         rec.CustomStr9 = a.GrantedBy;
         SendData(ref rec);
     }
 }
        private void Process(string file)
        {
            using (var fs = new StreamReader(file))
            {
                string description;
                var audit = new AuditInfo();
                var domainBuffer = new StringBuilder();
                var usernameBuffer = new StringBuilder();
                var buffer = new StringBuilder();
                var sb = new StringBuilder();
                var ln = string.Empty;
                int state = 1;
                while ((ln = fs.ReadLine()) != null)
                {
                    switch (state)
                    {
                        case 1:
                            if (ln == "=========== BEGIN =============")
                                state = 2;
                            break;
                        case 2:
                            if (ln == "=========== END =============")
                            {
                                description = sb.ToString();
                                sb.Remove(0, sb.Length);
                                state = 1;
                                var rec = new Rec();
                                rec.Description = description;
                                if (!ParseDescriptionForAudit(audit, description, buffer, domainBuffer, usernameBuffer))
                                    continue;
                                Console.WriteLine("{0}: {1}", description.Substring(0, description.IndexOf('\r')), audit.ObjectName);
                                var sentItems = 0;

                                ParseAuditOperations(ref rec, audit, buffer, domainBuffer, usernameBuffer, ref sentItems);
                            }
                            else
                            {
                                sb.AppendLine(ln);
                            }
                            break;
                    }
                }
            }
        }
 private bool ParseDescriptionForAudit(AuditInfo audit, string desc, StringBuilder buffer, StringBuilder domainBuffer, StringBuilder userBuffer)
 {
     try
     {
         audit.Reset();
         using (var reader = new StringReader(desc))
         {
             var line = string.Empty;
             bool consumeAgain = false;
             while (consumeAgain || (line = reader.ReadLine()) != null)
             {
                 consumeAgain = false;
                 var m = RegField.Match(line);
                 if (m.Success)
                 {
                     using (Benchmark("ParseDescriptionForAudit " + m.Groups[1].Value))
                     {
                         var value = m.Groups[2].Value.Trim();
                         switch (m.Groups[1].Value)
                         {
                             case "Security ID":
                                 audit.Sid = value;
                                 break;
                             case "Account Name":
                                 if (string.IsNullOrEmpty(audit.Username))
                                     audit.Username = value;
                                 else
                                     audit.Username += "\\" + value;
                                 break;
                             case "Account Domain":
                                 if (string.IsNullOrEmpty(audit.Username))
                                     audit.Username = value;
                                 else
                                     audit.Username = value + "\\" + audit.Username;
                                 break;
                             case "Object Type":
                                 audit.ObjectType = value;
                                 break;
                             case "Object Name":
                                 var kernel = RegKernelPath.Match(value);
                                 audit.ObjectName = kernel.Success
                                                        ? QueryDosPath(kernel.Groups[1].Value,
                                                                       kernel.Groups[2].Value)
                                                        : value;
                                 break;
                             case "Process ID":
                                 audit.ProcessId = GetPid(value);
                                 break;
                             case "Process Name":
                                 audit.Process = value;
                                 break;
                             case "Access Mask":
                                 audit.AccessMask = value;
                                 break;
                             case "Access Reasons":
                                 line = ParseAccessReasons(reader, value, audit, buffer, domainBuffer, userBuffer);
                                 consumeAgain = line != null;
                                 break;
                             case "Original Security Descriptor":
                                 audit.OriginalDaclFlags = ParseDescriptorsInto(value, audit.OriginalRights,
                                                                                buffer, domainBuffer, userBuffer);
                                 L.Log(LogType.FILE, LogLevel.DEBUG, "Original:[" + value + "]");
                                 if (audit.OriginalDaclFlags == null)
                                     return false;
                                 break;
                             case "New Security Descriptor":
                                 L.Log(LogType.FILE, LogLevel.DEBUG, "Original:[" + value + "]");
                                 audit.NewDaclFlags = ParseDescriptorsInto(value, audit.NewRights, buffer,
                                                                           domainBuffer, userBuffer);
                                 if (audit.NewDaclFlags == null)
                                     return false;
                                 break;
                         }
                     }
                 }
             }
             return true;
         }
     }
     catch (Exception e)
     {
         L.Log(LogType.FILE, LogLevel.ERROR, "ParseDescriptionForAudit Error:" + e.Message);
         return false;
     }
 }
        private void ParseAuditOperations2(ref Rec rec, AuditInfo audit, StringBuilder buffer, StringBuilder domainBuffer, StringBuilder userBuffer, ref int sentItems)
        {
            try
            {
                if (string.IsNullOrEmpty(rec.Description))
                    return;

                using (var reader = new StringReader(rec.Description))
                {
                    string line;
                    var state = -1;

                    var mask = 0;
                    var values = new string[9];

                    while (true)
                    {
                        using (Benchmark("ParseAuditOperations2 ReadLine"))
                        {
                            line = reader.ReadLine();
                        }
                        if (line == null)
                            break;

                        Match m;
                        switch (state)
                        {
                            case -1:
                                m = RegLine.Match(line);
                                if (m.Success)
                                {
                                    state = m.Groups[1].Success ? 2 : 3;
                                    /*
                                    for (state = 1; state < m.Groups.Count && !m.Groups[state].Success; ++state)
                                    {
                                    }
                                    if (state == m.Groups.Count)
                                        state = -1;
                                    else
                                        ++state;
                                     * */
                                }
                                break;
                            default:
                                m = ((Regex)RegExps[state][0]).Match(line);
                                if (m.Success)
                                {
                                    //WriteLine(line);
                                    var i = 1;
                                    var ms = 1;
                                    while (i < m.Groups.Count)
                                    {
                                        if (m.Groups[i].Success)
                                        {
                                            values[i / 2] = m.Groups[i + 1].Value;
                                            mask |= ms;
                                            break;
                                        }
                                        i += 2;
                                        ms <<= 1;
                                    }
                                    if (mask == ((int)RegExps[state][1]))
                                    {
                                        var username = string.IsNullOrEmpty(values[1]) || string.IsNullOrEmpty(values[2])
                                                       ? UserWithDomain(values[0], buffer, domainBuffer, userBuffer)
                                                       : values[1] + "\\" + values[2];
                                        AuditLogonEnv2 env;
                                        lock (_handles2)
                                        {
                                            if (!_handles2.TryGetValue(values[3], out env))
                                            {
                                                env = new AuditLogonEnv2(values[3]);
                                                _handles2[env.LogonId] = env;
                                            }
                                        }

                                        if (state == 3)
                                        {
                                            using (Benchmark("ParseAuditOperations2 DeleteHandle2"))
                                            {
                                                AuditDeleteHandle2(ref rec, env, username, values[0], values[4],
                                                                   values[5],
                                                                   ref sentItems);
                                            }
                                        }
                                        else if (audit.ObjectType == "File")
                                        {
                                            //Console.WriteLine(rec.Description);
                                            //var ln = Console.ReadLine();
                                            //if (ln.Equals("d"))
                                            //    DEBUG_BREAK = true;
                                            //else if (ln.Equals("q"))
                                            //    DEBUG_BREAK = false;

                                            using (Benchmark("ParseAuditOperations2 AuditObjectRequestHandle2"))
                                            {
                                                AuditObjectRequestHandle2(ref rec, env, values[3], username, values[0],
                                                                          values[5], values[6],
                                                                          values[8], values[4], values[7], ref sentItems);
                                            }

                                        }
                                        return;
                                    }
                                }
                                break;
                        }
                    }
                }
            }
            catch (Exception e)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, "Error while parsing audit operations:" + e);
            }
        }
        private void ParseAuditOperations(ref Rec rec, AuditInfo audit, StringBuilder buffer, StringBuilder domainBuffer, StringBuilder userBuffer, ref int sentItems)
        {
            try
            {
                if (string.IsNullOrEmpty(rec.Description))
                    return;

                using (var reader = new StringReader(rec.Description))
                {
                    string line;
                    var state = -1;

                    var mask = 0;
                    var values = new string[9];

                    while ((line = reader.ReadLine()) != null)
                    {
                        Match m;
                        switch (state)
                        {
                            case -1:
                                m = RegLine.Match(line);
                                if (m.Success)
                                {
                                    for (state = 1; state < m.Groups.Count && !m.Groups[state].Success; ++state)
                                    {
                                    }
                                    if (state == m.Groups.Count)
                                        state = -1;
                                    else
                                        --state;
                                }
                                break;
                            default:
                                m = ((Regex)RegExps[state][0]).Match(line);
                                if (m.Success)
                                {
                                    //WriteLine(line);
                                    var i = 1;
                                    var ms = 1;
                                    while (i < m.Groups.Count)
                                    {
                                        if (m.Groups[i].Success)
                                        {
                                            values[i / 2] = m.Groups[i + 1].Value;
                                            mask |= ms;
                                            break;
                                        }
                                        i += 2;
                                        ms <<= 1;
                                    }
                                    if (mask == ((int)RegExps[state][1]))
                                    {
                                        var username = string.IsNullOrEmpty(values[1]) || string.IsNullOrEmpty(values[2])
                                                       ? UserWithDomain(values[0], buffer, domainBuffer, userBuffer)
                                                       : values[1] + "\\" + values[2];
                                        AuditLogonEnv env;
                                        if (!_handles.TryGetValue(values[3], out env))
                                        {
                                            env = new AuditLogonEnv(values[3]);
                                            _handles[env.LogonId] = env;
                                        }
                                        try
                                        {
                                            switch (state)
                                            {
                                                case 0:
                                                    AuditCloseHandle(ref rec, env, username, values[0], values[4], values[5], values[6], ref sentItems);
                                                    return;
                                                case 1:
                                                    AuditDuplicateHandle(ref rec, env, values[3], username, values[0], values[4], values[5],
                                                                         values[6], values[7], ref sentItems);
                                                    return;
                                                case 2:
                                                    if (audit.ObjectType == "File")
                                                        AuditObjectRequestHandle(ref rec, env, values[3], username, values[0], values[5], values[6],
                                                                                 values[8], values[4], values[7], ref sentItems);
                                                    return;
                                                case 3:
                                                    AuditDeleteHandle(ref rec, env, username, values[0], values[4], values[5], values[6], ref sentItems);
                                                    return;
                                            }
                                        }
                                        finally
                                        {
                                            if (env.Handles.Count == 0)
                                                _handles.Remove(env.LogonId);
                                            //WriteLine("===================================================");
                                        }
                                    }
                                }
                                break;
                        }
                    }
                }
            }
            catch (Exception e)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, "Error while parsing audit operations:" + e);
            }
        }
 private string ParseAccessReasons(StringReader reader, string value, AuditInfo audit,
     StringBuilder buffer, StringBuilder domainBuffer, StringBuilder userBuffer)
 {
     while (!string.IsNullOrEmpty(value))
     {
         var m = RegGrantedByField.Match(value);
         if (!m.Success)
             return value;
         value = m.Groups[2].Value.Trim();
         var index = value.IndexOf("\t", StringComparison.CurrentCultureIgnoreCase);
         if (index >= 0)
             value = value.Substring(index).Trim();
         var reason = new AccessReason()
             {
                 AccessRight = m.Groups[1].Value,
                 GrantedBy = value
             };
         if (index >= 0)
             reason.GrantedByUser = ParseGrantedBy(reason, buffer, domainBuffer, userBuffer);
         audit.Reasons.Add(reason);
         value = reader.ReadLine();
     }
     return null;
 }