One Day Sec

How does the technique enumerate the handle for a specific EVTX log file in the Eventlog service process?

The technique calls `NtQuerySystemInformation` with the `SystemHandleInformation` class, which returns a table of every handle on the system together with its owning process ID and handle value, and keeps only the entries that belong to the process hosting the Eventlog service (an `svchost.exe` instance). Each candidate handle is then duplicated into the caller's own process with `NtDuplicateObject`, and the duplicate's object name is queried (`NtQueryObject` with `ObjectNameInformation`) so it can be matched against the target log file path (e.g., `Security.evtx`). Duplicating needs `PROCESS_DUP_HANDLE` access to the service process, so the caller must run with administrative rights. This method works on Windows 7 and later, and is the same approach used in Windows XML Event Log (EVTX) Single Log Deletion (Part 3) – Deleting a Single Log Record from the Current System by Releasing File Handles.
Tags: NtQuerySystemInformation, SystemHandleInformation, handle enumeration, NtDuplicateObject
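The procedure described in the answer, as an added example in C that is not code from the original page or from the referenced series. It resolves `NtQuerySystemInformation`, `NtDuplicateObject` and `NtQueryObject` from ntdll at run time, walks the `SystemHandleInformation` table for entries owned by the Eventlog `svchost.exe` PID (assumed to be known already and passed on the command line), duplicates each one into the current process and compares the object name against `\Security.evtx`. Assumptions: the classic class-16 entry layout with a 16-bit PID, a 1 MiB starting buffer that doubles on `STATUS_INFO_LENGTH_MISMATCH`, and an elevated caller; the function and type names are the example's own. The table filter and the name match are kept portable so they can be exercised on a constructed table outside Windows.

```c
/* Added example, not the page's code: find the Eventlog service's Security.evtx
 * handle via NtQuerySystemInformation(SystemHandleInformation), a PID filter,
 * NtDuplicateObject and NtQueryObject(ObjectNameInformation). Assumed: class-16
 * layout with 16-bit PID, 1 MiB start buffer, elevated caller knowing the PID. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>
#include <wctype.h>

/* SYSTEM_HANDLE_TABLE_ENTRY_INFO; PID is 16-bit, so PIDs > 65535 alias (class 64 avoids that). */
typedef struct {
    uint16_t UniqueProcessId, CreatorBackTraceIndex;
    uint8_t  ObjectTypeIndex, HandleAttributes;
    uint16_t HandleValue;
    void    *Object;
    uint32_t GrantedAccess;
} HANDLE_ENTRY;
typedef struct { uint32_t NumberOfHandles; HANDLE_ENTRY Handles[]; } HANDLE_TABLE;

/* Copies entries owned by `pid` into `out` (at most `max_out`) and returns the total
 * that matched, so the caller can tell when `out` was too small. */
size_t filter_handles_by_pid(const HANDLE_TABLE *t, uint32_t pid, HANDLE_ENTRY *out, size_t max_out)
{
    size_t n = 0;
    for (uint32_t i = 0; i < t->NumberOfHandles; i++) {
        if (t->Handles[i].UniqueProcessId != (uint16_t)pid) continue;
        if (n < max_out) out[n] = t->Handles[i];
        n++;
    }
    return n;
}

/* Case-insensitive suffix match on an NT object name such as
 * \Device\HarddiskVolume3\Windows\System32\winevt\Logs\Security.evtx. */
int name_ends_with_ci(const wchar_t *name, size_t name_len, const wchar_t *suffix)
{
    size_t slen = wcslen(suffix);
    if (slen > name_len) return 0;
    for (size_t i = 0; i < slen; i++)
        if (towlower((wint_t)name[name_len - slen + i]) != towlower((wint_t)suffix[i])) return 0;
    return 1;
}

#ifdef _WIN32
#include <windows.h>
typedef LONG (NTAPI *NtQSI_t)(ULONG, PVOID, ULONG, PULONG);
typedef LONG (NTAPI *NtDup_t)(HANDLE, HANDLE, HANDLE, PHANDLE, ACCESS_MASK, ULONG, ULONG);
typedef LONG (NTAPI *NtQObj_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);
typedef struct { USHORT Length, MaximumLength; PWSTR Buffer; } NAME_INFO; /* OBJECT_NAME_INFORMATION */

/* Reads the whole table, doubling on STATUS_INFO_LENGTH_MISMATCH (its ReturnLength is unreliable). */
static HANDLE_TABLE *query_handle_table(NtQSI_t NtQSI)
{
    for (ULONG size = 1u << 20;; size *= 2) {
        HANDLE_TABLE *t = malloc(size);
        ULONG needed = 0;
        LONG st = t ? NtQSI(16 /* SystemHandleInformation */, t, size, &needed) : -1;
        if (st >= 0) return t;
        free(t);
        if (st != (LONG)0xC0000004 /* STATUS_INFO_LENGTH_MISMATCH */) return NULL;
    }
}

/* Returns a duplicate of the handle in `pid` whose object name ends with `suffix`,
 * or NULL. Needs PROCESS_DUP_HANDLE on the Eventlog svchost, i.e. run elevated. */
HANDLE find_file_handle_in_pid(DWORD pid, const wchar_t *suffix)
{
    HMODULE nt = GetModuleHandleW(L"ntdll.dll");
    NtQSI_t  NtQSI  = (NtQSI_t)GetProcAddress(nt, "NtQuerySystemInformation");
    NtDup_t  NtDup  = (NtDup_t)GetProcAddress(nt, "NtDuplicateObject");
    NtQObj_t NtQObj = (NtQObj_t)GetProcAddress(nt, "NtQueryObject");
    HANDLE proc = OpenProcess(PROCESS_DUP_HANDLE, FALSE, pid), found = NULL;
    HANDLE_TABLE *t = proc ? query_handle_table(NtQSI) : NULL;
    if (!t) { if (proc) CloseHandle(proc); return NULL; }
    for (ULONG i = 0; i < t->NumberOfHandles && !found; i++) {
        const HANDLE_ENTRY *e = &t->Handles[i];
        ULONG_PTR buf[256]; ULONG len = 0; HANDLE dup = NULL;   /* 2 KiB, pointer-aligned for NAME_INFO */
        /* Skip other processes, and synchronous named-pipe handles (GrantedAccess
         * 0x0012019F, the usual tell) on which NtQueryObject can block forever. */
        if (e->UniqueProcessId != (uint16_t)pid || e->GrantedAccess == 0x0012019F) continue;
        if (NtDup(proc, (HANDLE)(ULONG_PTR)e->HandleValue, GetCurrentProcess(), &dup, 0, 0, DUPLICATE_SAME_ACCESS) < 0) continue;
        if (NtQObj(dup, 1 /* ObjectNameInformation */, buf, sizeof buf, &len) >= 0) {
            NAME_INFO *ni = (NAME_INFO *)buf;
            if (ni->Buffer && name_ends_with_ci(ni->Buffer, ni->Length / sizeof(wchar_t), suffix)) found = dup;
        }
        if (!found) CloseHandle(dup);
    }
    free(t); CloseHandle(proc);
    return found;
}

int main(int argc, char **argv)            /* usage (elevated): evtxhandle.exe <eventlog-svchost-pid> */
{
    HANDLE h = argc > 1 ? find_file_handle_in_pid((DWORD)strtoul(argv[1], NULL, 10), L"\\Security.evtx") : NULL;
    if (!h) { fputs("no Security.evtx handle found (wrong PID, or not elevated?)\n", stderr); return 1; }
    printf("duplicated Security.evtx handle: %p\n", (void *)h);
    return CloseHandle(h) ? 0 : 1;
}
#endif
```

Two caveats are built into the loop and worth keeping in mind when adapting it: the 16-bit `UniqueProcessId` of this information class aliases PIDs above 65535 (switch to `SystemExtendedHandleInformation`, class 64, when that matters), and `NtQueryObject` with `ObjectNameInformation` can hang on some synchronous named-pipe handles, which is why entries with `GrantedAccess` 0x0012019F are skipped; tools that must be exhaustive query names on a worker thread with a timeout instead.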
