/// <summary>
        /// Creates a details window for the given EventEntry
        /// </summary>
        /// <param name="ee">The EventEntry for this window</param>
        public Details(EventEntry ee)
        {
            InitializeComponent();
            textBox_machine.Text = ee.Machine;
            textBox_objname.Text = ee.fileName;
            textBox_time.Text = ee.timestamp.ToString();
            textBox_user.Text = ee.userName;
            textBox_cat.Text = ee.fileType;
            textBox_action.Text = ee.action;

            if (ee.result.Equals("Success"))
            {
                textBox_message.Text = "The action was successful";
            }
            else
            {
                textBox_message.Text = "The action failed";
            }

            this.Show();
        }
        private bool IgnoreFile(FileAttributes attr, EventEntry e)
        {
            bool ignore = false;
            string filename = e.fileName.Substring(e.fileName.LastIndexOf('\\')+1);
            CLogger.WriteLog(ELogLevel.DEBUG, "IgnoreFile: The filename is " + filename +" imagePath: " + e.imagePath);
            string dbTempFile = @"[^\.]+\.laccdb";
            string db2k3TempFile = @"[^\.]+\.ldb";

            if (( ((attr & FileAttributes.Hidden) == FileAttributes.Hidden)
                && IsTempFile(filename)
                && IsProcessPartOfMSOffice(e.imagePath))
            || (System.Text.RegularExpressions.Regex.IsMatch(
                filename, dbTempFile, System.Text.RegularExpressions.RegexOptions.IgnoreCase))
            || (System.Text.RegularExpressions.Regex.IsMatch(
                filename, db2k3TempFile, System.Text.RegularExpressions.RegexOptions.IgnoreCase))
            || (e.fileName.Contains("$Recycle.Bin")) )
            {
                CLogger.WriteLog(ELogLevel.DEBUG, "IgnoreFile1");
                ignore = true;
            }
            return ignore;
        }
        private void HandleDeletion(EventEntry e)
        {
            using (SQLiteCommand checkRenameCmd = new SQLiteCommand())
            {
                checkRenameCmd.Connection = conn;

                checkRenameCmd.CommandText = "SELECT * FROM FAM WHERE pid = " + e.processID +
                            " AND filehandle = " + e.handleID +
                            " AND action = 'Rename'";

                SQLiteDataReader checkRenameReader = checkRenameCmd.ExecuteReader();
                if (checkRenameReader.HasRows)
                {
                    using (SQLiteCommand updateCmd = new SQLiteCommand())
                    {
                        updateCmd.Connection = conn;
                        updateCmd.CommandText = "UPDATE FAM set action = 'Delete' WHERE timestamp = " +
                                            "(SELECT max(timestamp) FROM FAM WHERE pid =" +
                                            e.processID + " AND filehandle = " + e.handleID +
                                            " AND action = 'Rename')";

                        int rows = updateCmd.ExecuteNonQuery();
                        if (rows != 1)
                            CLogger.WriteLog(ELogLevel.ERROR, "Updation for Delete affected more than one row");
                    }
                }
            }
        }
        /// <summary>
        /// Process WMI event of Win32_PrintJob instance
        /// </summary>
        /// <param name="managementObject"></param>
        /// <returns></returns>
        private static EventEntry processPrintJobEvent(ManagementBaseObject managementObject)
        {
            EventEntry evt = null;

            try
            {

                string fileName = managementObject.Properties["Document"].Value.ToString();
                string userName = managementObject.Properties["Owner"].Value.ToString();
                string printerName = managementObject.Properties["Name"].Value.ToString();
                string eventTimeGeneratedString = managementObject.Properties["TimeSubmitted"].Value.ToString();
                DateTime eventTimeGenerated = convertFromWMIDateTime(eventTimeGeneratedString);

                evt = new EventEntry();

                // set the fields for Print Job event
                evt.eventCode = OBJ_PRINT_EVENT;
                evt.userName = userName;
                evt.fileName = fileName;
                evt.fileType = printerName;    // storing the printer name in fileType field
                evt.action = "Print";
                evt.timestamp = eventTimeGenerated;
                evt.processID = INVALID;
                evt.handleID = INVALID;
                evt.accessMask = INVALID;
                evt.result = "Queued";
            }
            catch (Exception ex)
            {
                CLogger.WriteLog(ELogLevel.ERROR, ex.Message + "\n" + ex.StackTrace);
                evt = null;
            }

            return evt;
        }
        /// <summary>
        /// Process WMI event of Win32_NtLogEvent instance
        /// </summary>
        /// <param name="managementObject"></param>
        /// <returns></returns>
        private static EventEntry processEventLogEvent(ManagementBaseObject managementObject)
        {
            EventEntry evt = null;
            UInt32 recordID = 0;

            try
            {
                recordID = Convert.ToUInt32(managementObject.Properties["RecordNumber"].Value.ToString());
                //Console.WriteLine("Event arrived ");
                int eventID = Convert.ToInt32(managementObject.Properties["EventCode"].Value.ToString());
                string[] eventStrings = (string[])managementObject.Properties["InsertionStrings"].Value;
                string eventTimeGeneratedString = managementObject.Properties["TimeGenerated"].Value.ToString();
                string result = managementObject.Properties["Type"].Value.ToString();
                Byte eventType = Convert.ToByte(managementObject.Properties["EventType"].Value.ToString());

                DateTime eventTimeGenerated = convertFromWMIDateTime(eventTimeGeneratedString);

                evt = new EventEntry();

                // set the fields which are same for all event codes
                evt.eventCode = eventID;
                evt.timestamp = eventTimeGenerated;
                if (eventType == SECURITY_AUDIT_SUCCESS)
                {
                    evt.result = "Success";
                }
                else
                {
                    evt.result = "Failure";
                }

                if (osInfo.Version.Major == OS_VER_WIN_SERVER_2003)
                {
                    string eventUser = managementObject.Properties["User"].Value.ToString();
                    evt.userName = eventUser;
                    populateEventSpecificStrings(evt, eventStrings);
                }
                else
                    populateEventSpecificStrings_Win2008(evt, eventStrings);

                // now that we have all the information, let us see if this
                // event can be ignored
                if (ignoreEvent(evt) == true)
                {
                    CLogger.WriteLog(ELogLevel.DEBUG, "Ignoring event: " + recordID);
                    return null;
                }

                // For file open events, get the file type
                if (evt.eventCode == OBJ_OPEN_EVENT)
                {
                    populateFileType(evt);
                }
            }
            catch (Exception ex)
            {
                CLogger.WriteLog(ELogLevel.ERROR, "Exception for event: " + recordID + "\n" + ex.Message + "\n" + ex.StackTrace);
                evt = null;
            }

            return evt;
        }
        private static void populateFileType(EventEntry evt)
        {
            try
            {
                FileAttributes attr = File.GetAttributes(evt.fileName);

                if ((attr & FileAttributes.Directory) == FileAttributes.Directory)
                    evt.fileType = "Directory";
                else
                    evt.fileType = "File";
            //                CLogger.WriteLog(ELogLevel.INFO, "Populating file type: " + evt.fileType + "for filename :"+evt.fileName);
            }
            catch (FileNotFoundException)
            {
                // This is an expected exception for delete and rename cases
                CLogger.WriteLog(ELogLevel.INFO, "Expected exc for Rename/delete case File not found: " + evt.fileName);
                evt.fileType = "File";
            }
            catch (Exception exc)
            {
                CLogger.WriteLog(ELogLevel.ERROR, exc.Message + "\n" + exc.StackTrace);
                evt.fileType = "File";
            }
        }
        private static void populateEventSpecificStrings_Win2008(EventEntry evt, string[]eventStrings)
        {
            int eventIndex = INVALID;

            if (evt.eventCode == OBJ_OPEN_EVENT)
                //560 || evt.eventCode == OBJECT_OPEN_EVENT_WIN_2008)
            {
                eventIndex = EVENT_ID_560_INDEX;
            }
            else if (evt.eventCode == OBJ_ACCESS_EVENT)
                //567)
            {
                eventIndex = EVENT_ID_567_INDEX;
            }
            else if (evt.eventCode == OBJ_DELETE_EVENT)
                //564)
            {
                eventIndex = EVENT_ID_564_INDEX;
            }
            else if (evt.eventCode == OBJ_DUPLICATE_EVENT)
            {
                CLogger.WriteLog(ELogLevel.ERROR, "Event specific string eventcode : " + evt.eventCode);
                eventIndex = EVENT_ID_590_INDEX;
            }

            try
            {
                evt.userName = eventStrings[1]; // Username
                if (eventArray[eventIndex, OBJ_NAME_INDEX] != INVALID)
                {
                    evt.fileName = eventStrings[eventArray[eventIndex, OBJ_NAME_INDEX]];
                }

                if (eventArray[eventIndex, HANDLE_ID_INDEX] != INVALID && evt.result.Equals("Success"))
                {
            //                    CLogger.WriteLog(ELogLevel.DEBUG, "Handle in Insertion string" + eventStrings[eventArray[eventIndex, HANDLE_ID_INDEX]]);
                    evt.handleID = Convert.ToInt32(eventStrings[eventArray[eventIndex, HANDLE_ID_INDEX]].Substring(2), 16);
                }

                if (eventArray[eventIndex, PROCESS_ID_INDEX] != INVALID)
                {
                    evt.processID = Convert.ToInt32(eventStrings[eventArray[eventIndex, PROCESS_ID_INDEX]].Substring(2), 16);
                }

                if (eventArray[eventIndex, ACCESS_MASK_INDEX] != INVALID)
                {
                    string hexString = eventStrings[eventArray[eventIndex, ACCESS_MASK_INDEX]];
                    evt.accessMask = Int32.Parse(hexString.Substring(2), System.Globalization.NumberStyles.HexNumber);
                }

                if (eventArray[eventIndex, OBJ_TYPE_INDEX] != INVALID)
                {
                    evt.objType = eventStrings[eventArray[eventIndex, OBJ_TYPE_INDEX]];
                }

                if (eventArray[eventIndex, IMAGE_PATH_INDEX] != INVALID)
                {
                    evt.imagePath = eventStrings[eventArray[eventIndex, IMAGE_PATH_INDEX]];
                }

                if (evt.eventCode == OBJ_OPEN_EVENT)
                {
                    evt.action = "Open";
                }
                else if (evt.eventCode == OBJ_DELETE_EVENT)
                {
                    evt.action = "Delete";
                }
                else if (evt.eventCode == OBJ_ACCESS_EVENT)
                {
                    // OBJ_ACCESS_EVENT will only have one access permission

                    if ((evt.accessMask & AccessCodes.FILE_READ_DATA) != 0)
                    {
                        evt.action = "Read";
                    }
                    else if ((evt.accessMask & AccessCodes.FILE_WRITE_DATA) != 0)
                    {
                        evt.action = "Write";
                    }
                    else if ((evt.accessMask & AccessCodes.DELETE) != 0)
                    {
                        evt.action = "Rename";
                    }
                    else if ((evt.accessMask & AccessCodes.FILE_READ_ATTRIBUTES) != 0)
                    {
                        evt.action = "ReadAttribute";
                    }
                    else if ((evt.accessMask & AccessCodes.FILE_WRITE_ATTRIBUTES) != 0)
                    {
                        evt.action = "WriteAttribute";
                    }
                    else if ((evt.accessMask & AccessCodes.READ_CONTROL) != 0)
                    {
                        evt.action = "ReadControl";
                    }
                    else if ((evt.accessMask & AccessCodes.FILE_APPEND_DATA) != 0)
                    {
                        evt.action = "Write";
                    }
                    else if ((evt.accessMask & AccessCodes.WRITE_DAC) != 0)
                    {
                        evt.action = "WriteAttribute";
                    }
                    else if ((evt.accessMask & AccessCodes.FILE_EXECUTE) != 0)
                    {
                        evt.action = "Execute/Traverse";
                    }
                    else
                    {
                        evt.action = "Unknown";
                    }
                }
                else if (evt.eventCode == OBJ_DUPLICATE_EVENT)
                {
                    evt.action = "Open";
                    evt.objType = "File";
                    if (eventArray[eventIndex, DUPLICATE_HANDLE_INDEX] != INVALID && evt.result.Equals("Success"))
                    {
                        //                    CLogger.WriteLog(ELogLevel.DEBUG, "Handle in Insertion string" + eventStrings[eventArray[eventIndex, HANDLE_ID_INDEX]]);
                        evt.dupHandleID = Convert.ToInt32(eventStrings[eventArray[eventIndex, DUPLICATE_HANDLE_INDEX]].Substring(2), 16);
                    }
                }
            }
            catch (Exception e)
            {
                CLogger.WriteLog(ELogLevel.ERROR, e.Message + "\n" + e.StackTrace);
                throw (e);
            }
        }
        /// <summary>
        /// Adds one element to the grid
        /// </summary>
        /// <param name="ev">The element to be added</param>
        public void AddElementToGrid(EventEntry ev)
        {
            if (this.grid.InvokeRequired)
            {
                SetGridCallbackOne d = new SetGridCallbackOne(AddElementToGrid);
                this.Invoke(d, new object[] { ev });
            }
            else
            {
                //TODO: remove un necessary ?
                int row = grid.Rows.Count - 1;
                grid.Rows.Add(this.GetAllAttribsForGrid(ev));

            }
        }
        private void UpdateEntryInOpenAccess(EventEntry e)
        {
            using (SQLiteCommand updateCmd = new SQLiteCommand())
            {
                updateCmd.Connection = conn;
                updateCmd.CommandText = "UPDATE OPENACCESS set filename = '" + e.fileName +"'" +
                                    ", filetype ='" + e.fileType +"'" +
                                    ", accessmask ='" + e.accessMask + "'" +
                                    ", user ='******'" +
                                    " WHERE pid =" + e.processID +
                                    " AND filehandle = " + e.handleID;

                int rows = updateCmd.ExecuteNonQuery();
                if (rows != 1)
                    CLogger.WriteLog(ELogLevel.ERROR, "Updation for Open Access affected more than one row");
            }
        }
 /// <summary>
 /// 
 /// </summary>
 /// <param name="e"></param>
 private void ProcessPrintJobEventEntry(EventEntry e)
 {
     InsertEntryToFAM(e);
 }
        /// <summary>
        /// 
        /// </summary>
        /// <param name="e"></param>
        private void ProcessEventLogEventEntry(EventEntry e)
        {
            if (e.eventCode == OBJ_OPEN_EVENT) /*Check if EventID is 560 i.e. OPEN */
            {
                if (e.result.Equals("Failure"))
                {
                    if(IsProcessPartOfMSOffice(e.imagePath) == false)
                        InsertEntryToFAM(e);
                }
                else if (IsOpenTableEntryExist(e.processID, e.handleID))
                {
                    UpdateEntryInOpenAccess(e);
                }
                else
                    InsertEntryToOpenAccess(e);

                CLogger.WriteLog(ELogLevel.DEBUG, "Open FIle operation , Handle ID : " + e.handleID +
                                                " File Name : " + e.fileName);

            }
            else if (e.eventCode == OBJ_DUPLICATE_EVENT)
            {
                SQLiteDataReader reader = GetFileOpenRecords(e.processID, e.handleID);

                CLogger.WriteLog(ELogLevel.DEBUG, "Duplicate Operation, Handle ID : " + e.handleID +
                                                " Duplicate Id : " + e.dupHandleID);
                if (reader.HasRows && reader.Read())
                {
                    String temp = reader.GetString(OPENACCESS_FILENAME_INDEX);//FILENAME_COLUMN 0
                    e.fileName = temp;

                    temp = reader.GetString(OPENACCESS_FILETYPE_INDEX); // FILETYPE_COLUMN 1
                    e.fileType = temp;

                    int openAccessMask = reader.GetInt32(OPENACCESS_ACCESSMASK_INDEX); //ACCESMASK 2
                    e.accessMask = openAccessMask;
                    e.handleID = e.dupHandleID;

                    CLogger.WriteLog(ELogLevel.DEBUG, "File Name found for Duplicate: " + e.fileName);

                    if (IsOpenTableEntryExist(e.processID, e.handleID))
                    {
                        UpdateEntryInOpenAccess(e);
                    }
                    else
                        InsertEntryToOpenAccess(e);
                }
            }
            else
            {
                SQLiteDataReader reader = GetFileOpenRecords(e.processID, e.handleID);

                if (reader.HasRows && reader.Read())
                {
                    String temp = reader.GetString(OPENACCESS_FILENAME_INDEX);//FILENAME_COLUMN 0
                    e.fileName = temp;

                    temp = reader.GetString(OPENACCESS_FILETYPE_INDEX); // FILETYPE_COLUMN 1
                    e.fileType = temp;

                    int openAccessMask = reader.GetInt32(OPENACCESS_ACCESSMASK_INDEX); //ACCESMASK 2

                    {
                        FileAttributes attr = FileAttributes.Normal;
                        try
                        {
                            attr = File.GetAttributes(e.fileName);
                        }
                        catch (FileNotFoundException exc)
                        {
                            CLogger.WriteLog(ELogLevel.DEBUG, "File Not Found Exception while getting attributes " + exc.Message);
                            attr = FileAttributes.Hidden;
                        }
                        catch (Exception exc)
                        {
                            CLogger.WriteLog(ELogLevel.DEBUG, " Exception while getting attributes " + exc.Message);
                        }

                        if (IgnoreFile(attr, e) == false)
                        {
                            if (e.userName == "NT AUTHORITY\\SYSTEM")
                            {
                                CLogger.WriteLog(ELogLevel.DEBUG, "Replacing SYSTEM username with actual username for folder delete");
                                temp = reader.GetString(OPENACCESS_USERNAME_INDEX);
                                e.userName = temp;
                            }

                            /* Special Handling for Deletion */
                            if (e.eventCode == OBJ_DELETE_EVENT)
                            {
                                InsertEntryToFAM(e);
                            }
                            else
                            {
                                // Handle OBJ_ACCESS_EVENT

                                if (e.action.Equals("Rename"))
                                {
                                    if (((openAccessMask & AccessCodes.READ_CONTROL) != 0)
                                        && ((openAccessMask & AccessCodes.SYNCHRONIZE) == 0))
                                    {
                                        CLogger.WriteLog(ELogLevel.DEBUG, "Ignoring 567 delete access before 564");
                                    }
                                    else if ((openAccessMask & AccessCodes.SYNCHRONIZE) != 0)
                                    {
                                        if (isRenamePartOfDelete(e) == false)
                                        {
                                            if (IsProcessPartOfMSOffice(e.imagePath) == true)
                                            {
                                                /* This is done to handle stupid MS OFFICE suite.
                                                 * which first creates a temporary file and then renames it to the original file
                                                 * during a file write. This is ofcourse good for stability and reliability but
                                                 * bad from a logging perspective
                                                 */
                                                e.action = "Write";
                                            }
                                            CLogger.WriteLog(ELogLevel.DEBUG, "Rename operation being Logged , Handle ID : " +
                                                            e.handleID);
                                            InsertEntryToFAM(e);
                                        }
                                    }
                                }
                                else if (((e.action.Equals("Read")) || (e.action.Equals("Write")))
                                        && (e.fileType.Equals("Directory")))
                                {
                                    CLogger.WriteLog(ELogLevel.DEBUG, "Ignoring dir reads");
                                }
                                else if (e.action.Equals("WriteAttribute")
                                    || e.action.Equals("ReadAttribute")) //(osInfo.Version.Major == OS_VER_WIN_SERVER_2008 )
                                {
                                    CLogger.WriteLog(ELogLevel.DEBUG, "Action equals WriteAttribute");
                                    if ((openAccessMask == AccessCodes.FILE_CREATE) ||
                                        (openAccessMask == AccessCodes.FILE_CREATE_WIN_2008) ||
                                         (openAccessMask == AccessCodes.FILE_COPY) ||
                                         (openAccessMask == AccessCodes.FILE_REMOTE_COPY) ||
                                         (openAccessMask == AccessCodes.DIR_REMOTE_COPY))
                                    {
                                        e.action = "Create";
                                        if (IsProcessPartOfMSOffice(e.imagePath) == false)
                                            InsertEntryToFAM(e);
                                    }
                                    if (e.action.Equals("WriteAttribute"))
                                        InsertEntryToFAM(e);
                                }
                                else if (e.action.Equals("ReadControl"))
                                {
                                    CLogger.WriteLog(ELogLevel.DEBUG, "Action equals ReadControl");
                                    if ((openAccessMask == AccessCodes.DIR_REMOTE_COPY) ||
                                        (openAccessMask == AccessCodes.FILE_CREATE_WIN_2008) ||
                                        (openAccessMask == AccessCodes.FILE_REMOTE_COPY) ||
                                        (openAccessMask == AccessCodes.FILE_CREATE_WIN_XP) ||
                                        (openAccessMask == AccessCodes.FILE_COPY_WIN_XP))
                                    {
                                        e.action = "Create";
                                        InsertEntryToFAM(e);
                                    }
                                }
                                else
                                {
                                    InsertEntryToFAM(e);
                                }
                            }
                            // end if (reader.hasRows ....)
                        }// end if(fileName.Contains(".tmp"))
                    }// end if(action.Equals
                }
            }
        }
        /// <summary>
        /// 
        /// </summary>
        /// <param name="e"></param>
        /// <returns></returns>
        private bool isRenamePartOfDelete(EventEntry e)
        {
            try
            {
                using (SQLiteCommand cmd = new SQLiteCommand())
                {
                    cmd.Connection = conn;
                    cmd.CommandText = "SELECT * FROM FAM WHERE pid = " + e.processID +
                                    " AND filename = '" + e.fileName + "'" +
                                    " AND user = '******'" +
                                    " AND timestamp > @TS" +
                                    " AND action = 'Delete' ";

                    SQLiteParameter param = cmd.CreateParameter();
                    param.ParameterName = "@TS";
                    param.DbType = DbType.DateTime;
                    DateTime timestamp = e.timestamp.AddSeconds(-1);
                    param.Value = timestamp;
                    cmd.Parameters.Add(param);

                    CLogger.WriteLog(ELogLevel.DEBUG, cmd.CommandText);

                    SQLiteDataReader reader = cmd.ExecuteReader();
                    if (reader.HasRows && reader.Read())
                        return true;
                }
            }
            catch (SQLiteException ex)
            {
                CLogger.WriteLog(ELogLevel.ERROR, ex.Message + "\n" + ex.StackTrace);
            }
            return false;
        }
        public static BinarySearchTree<EventEntry> getEventsForFilters(List<InternalFilter> allFilters, Byte requestedDataType, 
            IPAddress reqIP, ref String lastTime, string dbPath)
        {
            SQLiteConnection conn = null;
            BinarySearchTree<EventEntry> resultTree = null;

            try
            {
                using (conn = new SQLiteConnection(dbPath))
                {
                    conn.Open();
                    using (SQLiteCommand myCommand = new SQLiteCommand())
                    {
                        string query = getQueryForFilters(myCommand, allFilters, requestedDataType, reqIP, lastTime);
                        if (query == null)
                        {
                            CLogger.WriteLog(ELogLevel.ERROR, "Null query returned");
                            return null;
                        }

                        myCommand.CommandText = query;
                        myCommand.Connection = conn;

                        SQLiteDataReader reader = myCommand.ExecuteReader();
                        resultTree = new BinarySearchTree<EventEntry>();
                        EventEntry entry;
                        bool firstRecord = true;

                        if (reader.HasRows)
                        {
                            while (reader.Read())
                            {
                                entry = new EventEntry();
                                try
                                {
                                    entry.timestamp = DateTime.Parse(reader.GetString(0));
                                    if (firstRecord == true)
                                    {
                                        if (requestedDataType == Common.INITIAL || requestedDataType == Common.UPDATE)
                                        {
                                            lastTime = reader.GetString(0);
                                            OperatingSystem osInfo = Environment.OSVersion;
                                            if (osInfo.Version.Major == 5) /* WIN_SERVER_2003 */
                                                lastTime += ".000";
                                        }
                                        else
                                        {
                                            lastTime = Common.DEFAULT;
                                        }
                                        firstRecord = false;
                                    }

                                }
                                catch (Exception ex)
                                {
                                    CLogger.WriteLog(ELogLevel.ERROR, ex.Message + "\n" + ex.StackTrace);
                                    entry.timestamp = new DateTime();
                                }
                                entry.fileName = reader.GetString(1);
                                entry.userName = reader.GetString(2);
                                entry.action = reader.GetString(3);
                                entry.fileType = reader.GetString(4);
                                entry.result = reader.GetString(5);
                                entry.Machine = System.Environment.MachineName;
                                resultTree.Add(entry);
                            }
                        }
                        else //if(reader.HasRoes)
                        {
                            if (requestedDataType == Common.INITIAL)
                            {
                                CLogger.WriteLog(ELogLevel.DEBUG, " Data Type is Initial, so setting Time to Default ");
                                lastTime = Common.DEFAULT;
                            }
                        }
                        conn.Close();
                    }
                }
            }
            catch (Exception ex)
            {
                CLogger.WriteLog(ELogLevel.ERROR, ex.Message + "\n" + ex.StackTrace);
                //throw(ex);
            }
            finally
            {
                if (conn != null)
                    ((IDisposable)conn).Dispose();
            }

            return resultTree;
        }
        /// <summary>
        /// Gets all information of an element in an array in the order the columns are there.
        /// </summary>
        /// <param name="ev">The evententry which we want to get information from</param>
        /// <returns>All needed information in the columns order</returns>
        public object[] GetAllAttribsForGrid(EventEntry ev)
        {
            object[] retVal = new object[grid.Columns.Count];

            for (int i = 0; i < grid.Columns.Count; i++)
            {
                if (grid.Columns[i].Name.Equals(MACHINE))
                    retVal[i] = ev.Machine;
                //if (grid.Columns[i].Name.Equals(MSGSRC))
                //    retVal[i] = ev.MsgSource;
                //if (grid.Columns[i].Name.Equals(INDEX))
                    //retVal[i] = ev.Index;
                if (grid.Columns[i].Name.Equals(CAT))
                    retVal[i] = ev.fileType;
                //if (grid.Columns[i].Name.Equals(CATNUM))
                //    retVal[i] = ev.Catnum;

                if (grid.Columns[i].Name.Equals(ENTRYTYPE))
                    retVal[i] = ev.result;

                /*
                if (grid.Columns[i].Name.Equals(SRC))
                    retVal[i] = ev.Src;
                if (grid.Columns[i].Name.Equals(IID))
                    retVal[i] = ev.IID;
                */
                if (grid.Columns[i].Name.Equals(TGEN))
                    retVal[i] = ev.timestamp;

                //if (grid.Columns[i].Name.Equals(TWRITTEN))
                //    retVal[i] = ev.TWritten;
                /*
                if (grid.Columns[i].Name.Equals(MSG))
                    retVal[i] = ev.Msg;
                 * */
                if (grid.Columns[i].Name.Equals(USER))
                    retVal[i] = ev.userName;
                //TODO: add sec user
                //if (grid.Columns[i].Name.Equals(SEC_USER))
                //  retVal[i] = ev.CallerDomain + "\\" + ev.CallerUserName;
                if (grid.Columns[i].Name.Equals(FILE))
                    retVal[i] = ev.fileName;
                if (grid.Columns[i].Name.Equals(ACTION))
                    retVal[i] = ev.action;
            }
            return retVal;
        }
        private void InsertEntryToFAM(EventEntry e)
        {
            try
            {
                using (SQLiteCommand cmd = new SQLiteCommand())
                {
                    cmd.Connection = conn;

                    cmd.CommandText = @"INSERT INTO FAM values
                                    (@timestamp, @pid, @filehandle, @filename, @user, @action, @accessmask, @filetype, @result)";

                    SQLiteParameter param = cmd.CreateParameter();
                    param.ParameterName = "timestamp";
                    param.DbType = DbType.DateTime;
                    param.Value = e.timestamp;
                    cmd.Parameters.Add(param);

                    param = cmd.CreateParameter();
                    param.ParameterName = "pid";
                    param.DbType = DbType.Int32;
                    param.Value = e.processID;
                    cmd.Parameters.Add(param);

                    param = cmd.CreateParameter();
                    param.ParameterName = "filehandle";
                    param.DbType = DbType.Int32;
                    param.Value = e.handleID;
                    cmd.Parameters.Add(param);

                    param = cmd.CreateParameter();
                    param.ParameterName = "filename";
                    param.DbType = DbType.String;
                    param.Value = e.fileName;
                    cmd.Parameters.Add(param);

                    param = cmd.CreateParameter();
                    param.ParameterName = "user";
                    param.DbType = DbType.String;
                    param.Value = e.userName;
                    cmd.Parameters.Add(param);

                    param = cmd.CreateParameter();
                    param.ParameterName = "action";
                    param.DbType = DbType.String;
                    param.Value = e.action;
                    cmd.Parameters.Add(param);

                    param = cmd.CreateParameter();
                    param.ParameterName = "accessmask";
                    param.DbType = DbType.Int32;
                    param.Value = e.accessMask;
                    cmd.Parameters.Add(param);

                    param = cmd.CreateParameter();
                    param.ParameterName = "filetype";
                    param.DbType = DbType.String;
                    param.Value = e.fileType;
                    cmd.Parameters.Add(param);

                    param = cmd.CreateParameter();
                    param.ParameterName = "result";
                    param.DbType = DbType.String;
                    param.Value = e.result;
                    cmd.Parameters.Add(param);

                    cmd.ExecuteNonQuery();
                }
            }
            catch (SQLiteException ex)
            {
                CLogger.WriteLog(ELogLevel.ERROR,"INSERT INTO FAM exception " + ex.Message + "\n" + ex.StackTrace);
            }
        }
        /// <summary>
        /// Apply filtering rules 
        /// </summary>
        /// <param name="evt"></param>
        /// <returns></returns>
        private static bool ignoreEvent(EventEntry evt)
        {
            int eventIndex = INVALID;
            bool ignore = false;

            // Order of checking is very important
            if (evt.eventCode == OBJ_DELETE_EVENT)
            {
                ignore = false;
            }
            else if (evt.userName == "NT AUTHORITY\\SYSTEM"
                    && (evt.accessMask != AccessCodes.READ_CONTROL))
            {
                ignore = true;
            }
            else if (evt.objType.ToLower().Contains("file") == false)
            {
                ignore = true;
            }
            else if (evt.eventCode == OBJ_ACCESS_EVENT)
            {
                if (evt.action.Equals("Execute/Traverse"))
                {
                    ignore = true;
                }
                else if (evt.action.Equals("Read"))
                {
                    /* Ignore reads, if the image path is windows\explorer.exe
                     * Being pessimistic here when comparing explorer.exe
                     * Better to report extra events than dropping
                     */
                    if (evt.imagePath.ToLower().Contains("windows\\explorer.exe"))
                    {
                        ignore = true;
                        CLogger.WriteLog(ELogLevel.DEBUG, "Ignoring reads by process: " + evt.imagePath);
                    }
                }
            }

            return ignore;
        }
        private void InsertEntryToOpenAccess(EventEntry e)
        {
            using (SQLiteCommand cmd = new SQLiteCommand())
            {
                cmd.Connection = conn;

                cmd.CommandText = @"INSERT OR IGNORE INTO OPENACCESS values
                    (@timestamp, @pid, @filehandle, @filename, @filetype, @accessmask, @user)";

                SQLiteParameter param = cmd.CreateParameter();
                param.ParameterName = "timestamp";
                param.DbType = DbType.DateTime;
                param.Value = e.timestamp;
                cmd.Parameters.Add(param);

                param = cmd.CreateParameter();
                param.ParameterName = "pid";
                param.DbType = DbType.Int32;
                param.Value = e.processID;
                cmd.Parameters.Add(param);

                param = cmd.CreateParameter();
                param.ParameterName = "filehandle";
                param.DbType = DbType.Int32;
                param.Value = e.handleID;
                cmd.Parameters.Add(param);

                param = cmd.CreateParameter();
                param.ParameterName = "filename";
                param.DbType = DbType.String;
                param.Value = e.fileName;
                cmd.Parameters.Add(param);

                param = cmd.CreateParameter();
                param.ParameterName = "filetype";
                param.DbType = DbType.String;
                param.Value = e.fileType;
                cmd.Parameters.Add(param);

                param = cmd.CreateParameter();
                param.ParameterName = "accessmask";
                param.DbType = DbType.Int32;
                param.Value = e.accessMask;
                cmd.Parameters.Add(param);

                param = cmd.CreateParameter();
                param.ParameterName = "user";
                param.DbType = DbType.String;
                param.Value = e.userName;
                cmd.Parameters.Add(param);

                cmd.ExecuteNonQuery();
            }
        }
 /// <summary>
 /// Gets triggered, whenever the grid gets doubleclicked. the doubleclicked element is taken and shown in a seperate window.
 /// </summary>
 /// <param name="sender"></param>
 /// <param name="e"></param>
 private void grid_CellDoubleClick(object sender, DataGridViewCellEventArgs e)
 {
     //int index = grid.SelectedRows[0].Index;
     int index = e.RowIndex;
     if (index == -1)
         return;
     EventEntry ee = new EventEntry();
     ee.timestamp = (DateTime)grid[TGEN, index].Value;
     ee.fileName = grid[FILE, index].Value.ToString();
     ee.Machine = grid[MACHINE, index].Value.ToString();
     ee.userName = grid[USER, index].Value.ToString();
     ee.action = grid[ACTION, index].Value.ToString();
     ee.fileType = grid[CAT, index].Value.ToString();
     ee.result = grid[ENTRYTYPE, index].Value.ToString();
     new Details(ee);
 }