After stopping the Eventlog service, why must file handles be released, and how is that done?
Even after the Eventlog process is terminated, its file handles remain open until the process is fully cleaned up. To gain write access to the EVTX file, you must release those handles using `NtQuerySystemInformation` with `SystemHandleInformation` to enumerate all handles, then close the specific handles belonging to the terminated process. This step is essential to avoid sharing violations when opening the file for modification, as described in Part 2.
Tags: NtQuerySystemInformation, SystemHandleInformation, file handle release, handle enumeration, EVTX modification