One Day Sec

How does handle enumeration for EVT logs differ between Windows XP and Windows 8+?

On Windows XP, NtQuerySystemInformation is called with SystemExtendedHandleInformation (available from XP onward) rather than SystemHandleInformation. The object type index for file handles is 0x1c on XP and Windows 7 but 0x1e on Windows 8 and later, so the filter value has to follow the OS version (type indexes are assigned per build, so resolving the "File" type by name at run time is the safer check). Some handles block indefinitely when queried; filter those out by waiting on them with WaitForSingleObject before duplicating. For the newer-OS approach, see Windows XML Event Log (EVTX) Single Log Entry Deletion (Part 5).
Tags: handle enumeration, NtQuerySystemInformation, SystemExtendedHandleInformation, object type number, Windows XP, Windows 8, file handle type
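The enumeration step described above, as an added example (not code from this page or from the article it summarises): parse the buffer that NtQuerySystemInformation(SystemExtendedHandleInformation) returns, then keep the entries belonging to one PID whose ObjectTypeIndex matches the file type for the running OS. The structure layouts are the widely published ntdll definitions; the 0x1c / 0x1e indexes are the values quoted above and are treated as an assumption, as is grouping Vista with XP/7. The live call runs only on Windows; the parser is exercised offline with a constructed buffer.

```python
"""Parse a SystemExtendedHandleInformation buffer and select file handles."""
import ctypes
import sys
from collections import namedtuple
from ctypes import c_size_t, c_ulong, c_ushort, c_void_p

SYSTEM_EXTENDED_HANDLE_INFORMATION = 0x40  # SYSTEM_INFORMATION_CLASS value
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004


class SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(ctypes.Structure):
    # The non-extended entry stores UniqueProcessId as a USHORT; the EX
    # variant widens it (and HandleValue) to ULONG_PTR.
    _fields_ = [
        ("Object", c_void_p),
        ("UniqueProcessId", c_size_t),
        ("HandleValue", c_size_t),
        ("GrantedAccess", c_ulong),
        ("CreatorBackTraceIndex", c_ushort),
        ("ObjectTypeIndex", c_ushort),
        ("HandleAttributes", c_ulong),
        ("Reserved", c_ulong),
    ]


class SYSTEM_HANDLE_INFORMATION_EX_HEADER(ctypes.Structure):
    # Header preceding the variable-length Handles[] array.
    _fields_ = [("NumberOfHandles", c_size_t), ("Reserved", c_size_t)]


HandleEntry = namedtuple("HandleEntry", "pid handle type_index access attributes")


def file_type_index(major, minor):
    """File type index per OS generation as quoted in the Q&A: XP and 7 use 0x1c,
    Windows 8 (6.2) and later use 0x1e.  Vista grouped with XP/7 is an assumption."""
    return 0x1e if (major, minor) >= (6, 2) else 0x1c


def parse_handle_table(buf):
    """Yield HandleEntry records from a raw SystemExtendedHandleInformation buffer."""
    hdr = SYSTEM_HANDLE_INFORMATION_EX_HEADER.from_buffer_copy(buf)
    base = ctypes.sizeof(SYSTEM_HANDLE_INFORMATION_EX_HEADER)
    entry_size = ctypes.sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX)
    if len(buf) < base + hdr.NumberOfHandles * entry_size:
        raise ValueError("buffer is shorter than NumberOfHandles implies")
    for i in range(hdr.NumberOfHandles):
        e = SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX.from_buffer_copy(buf, base + i * entry_size)
        yield HandleEntry(e.UniqueProcessId, e.HandleValue, e.ObjectTypeIndex,
                          e.GrantedAccess, e.HandleAttributes)


def file_handles_for_pid(buf, pid, type_index):
    """Entries in buf owned by pid whose type index is the File type."""
    return [e for e in parse_handle_table(buf)
            if e.pid == pid and e.type_index == type_index]


def build_sample_buffer(entries):
    """Construct a kernel-shaped buffer from (pid, handle, type_index, access)
    tuples.  Constructed test input only; not something the OS returns."""
    n = len(entries)

    class Layout(ctypes.Structure):
        _fields_ = [("Header", SYSTEM_HANDLE_INFORMATION_EX_HEADER),
                    ("Handles", SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * n)]

    layout = Layout()
    layout.Header.NumberOfHandles = n
    for i, (pid, handle, type_index, access) in enumerate(entries):
        layout.Handles[i].UniqueProcessId = pid
        layout.Handles[i].HandleValue = handle
        layout.Handles[i].ObjectTypeIndex = type_index
        layout.Handles[i].GrantedAccess = access
    return bytes(layout)


def query_extended_handle_information():
    """Live call (Windows only): grow the buffer until the kernel stops
    returning STATUS_INFO_LENGTH_MISMATCH, then return the raw bytes."""
    if sys.platform != "win32":
        raise OSError("NtQuerySystemInformation is only available on Windows")
    fn = ctypes.WinDLL("ntdll").NtQuerySystemInformation
    fn.restype = c_ulong
    fn.argtypes = [c_ulong, c_void_p, c_ulong, ctypes.POINTER(c_ulong)]
    size = 1 << 20
    while True:
        buf = ctypes.create_string_buffer(size)
        ret_len = c_ulong(0)
        status = fn(SYSTEM_EXTENDED_HANDLE_INFORMATION, buf, size, ctypes.byref(ret_len))
        if status == STATUS_INFO_LENGTH_MISMATCH:
            size = max(size * 2, ret_len.value)  # the handle table may grow between calls
            continue
        if status != 0:
            raise OSError("NtQuerySystemInformation failed: 0x%08x" % status)
        return buf.raw[:ret_len.value]


if __name__ == "__main__":
    # Windows: list file handles of one PID (default 4, System).  Guarding with
    # WaitForSingleObject and then DuplicateHandle are the steps that follow.
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else 4
    ver = sys.getwindowsversion()
    for h in file_handles_for_pid(query_extended_handle_information(), pid,
                                  file_type_index(ver.major, ver.minor)):
        print("pid %d handle 0x%x access 0x%08x" % (h.pid, h.handle, h.access))
```

Because the structures use c_size_t and c_void_p, the same parser lays out correctly on 32-bit and 64-bit Python; the fourth constructed entry below carries a PID above 65535, which the non-extended SystemHandleInformation entry could not represent.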
