How do you programmatically find the PID of the svchost.exe process hosting the Eventlog service?
Since multiple svchost.exe processes exist, you must enumerate services using `EnumServicesStatusEx` with `SC_ENUM_PROCESS_INFO` and filter for the service named 'eventlog'. The returned `SERVICE_STATUS_PROCESS` structure contains the `dwProcessId` for that service. This technique is used in the C++ code examples in the article, and a PowerShell one-liner `Get-WmiObject -Class win32_service -Filter "name = 'eventlog'"` also works.
PID, svchost.exe, Eventlog, EnumServicesStatusEx, service enumeration