What is the principle behind bypassing Windows Event Log by terminating threads?
The technique (Halil Dalabasmaz's Phant0m, which the article references together with its PowerShell port, Invoke-Phant0m) targets the `svchost.exe` instance that hosts the Windows Event Log service (`eventlog`). The actual logging work inside that process is done by threads whose start addresses lie in `wevtsvc.dll`, the service DLL loaded into the svchost. The tool locates the hosting process through the Service Control Manager, enumerates its threads, resolves each thread's start address to the module that owns it, and calls `TerminateThread` on every thread that belongs to `wevtsvc.dll`. Because the process stays alive and the service's control handler is untouched, the SCM keeps reporting the service as Running, yet no new events are written. Recovery requires restarting the service or terminating the hosting svchost process. For defenders, the telltale is a gap in the logs that is not bounded by the usual shutdown events (Security 1100, System 6006), since the service never actually stopped.
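As an added illustration (not code from the article, from Phant0m or from Invoke-Phant0m), the following PowerShell performs the same thread-to-module resolution the technique depends on, but from the defender's side: it finds the svchost hosting `eventlog`, reads each thread's Win32 start address with `NtQueryInformationThread`, maps it to a module with `GetMappedFileName`, and warns when the service still reports Running but no thread started in `wevtsvc.dll` remains. The function name `Get-EventLogWorkerThreads` and the use of `Win32_Service` for PID lookup are this example's own choices; the script must run elevated on Windows.

```powershell
# Added example (not Phant0m / Invoke-Phant0m code): check whether the Event Log
# service's svchost still has worker threads whose start address is in wevtsvc.dll.
# Requires an elevated PowerShell session on Windows (P/Invoke into kernel32/ntdll/psapi).

Add-Type -Namespace Win32 -Name EvtCheck -MemberDefinition @'
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenThread(uint access, bool inherit, uint tid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationThread(IntPtr hThread, int infoClass,
        out IntPtr info, int infoLen, IntPtr returnLen);
    [DllImport("psapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint GetMappedFileNameW(IntPtr hProcess, IntPtr addr,
        System.Text.StringBuilder name, uint size);
'@

$PROCESS_QUERY_INFORMATION = 0x0400
$PROCESS_VM_READ           = 0x0010
$THREAD_QUERY_INFORMATION  = 0x0040
$ThreadQuerySetWin32StartAddress = 9   # THREADINFOCLASS value that returns a thread's Win32 start address

function Get-EventLogWorkerThreads {
    # Ask the SCM which process hosts the service instead of guessing among svchost instances.
    $svc = Get-CimInstance Win32_Service -Filter "Name='EventLog'"
    if (-not $svc -or $svc.ProcessId -eq 0) { throw "EventLog service is not running (State: $($svc.State))" }

    $hProc = [Win32.EvtCheck]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, [uint32]$svc.ProcessId)
    if ($hProc -eq [IntPtr]::Zero) {
        throw "OpenProcess failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }

    $results = @()
    try {
        foreach ($t in (Get-Process -Id $svc.ProcessId).Threads) {
            $hThread = [Win32.EvtCheck]::OpenThread($THREAD_QUERY_INFORMATION, $false, [uint32]$t.Id)
            if ($hThread -eq [IntPtr]::Zero) { continue }
            try {
                $start  = [IntPtr]::Zero
                $status = [Win32.EvtCheck]::NtQueryInformationThread(
                    $hThread, $ThreadQuerySetWin32StartAddress, [ref]$start, [IntPtr]::Size, [IntPtr]::Zero)
                if ($status -ne 0) { continue }

                # Resolve the start address to the backing image. The name comes back in
                # \Device\HarddiskVolumeN\... form, so only the file name is kept.
                $sb = New-Object System.Text.StringBuilder 1024
                $null = [Win32.EvtCheck]::GetMappedFileNameW($hProc, $start, $sb, $sb.Capacity)
                $results += [pscustomobject]@{
                    ThreadId     = $t.Id
                    StartAddress = ('0x{0:X}' -f $start.ToInt64())
                    Module       = [IO.Path]::GetFileName($sb.ToString())
                }
            } finally { $null = [Win32.EvtCheck]::CloseHandle($hThread) }
        }
    } finally { $null = [Win32.EvtCheck]::CloseHandle($hProc) }
    return $results
}

$threads  = Get-EventLogWorkerThreads
$logging  = @($threads | Where-Object { $_.Module -ieq 'wevtsvc.dll' })
$svcState = (Get-Service EventLog).Status

"EventLog service state: $svcState; threads in hosting svchost: $($threads.Count); started in wevtsvc.dll: $($logging.Count)"
$threads | Format-Table -AutoSize

if ($svcState -eq 'Running' -and $logging.Count -eq 0) {
    Write-Warning ("Service reports Running but no wevtsvc.dll threads remain: Phant0m-style thread termination likely. " +
                   "Restart the service and look for an unexplained log gap with no Security 1100 / System 6006 around it.")
}
```

On a healthy host the count of threads started in `wevtsvc.dll` is small but non-zero; thread-pool workers show up as `ntdll.dll`, which is why the check (like the tool it mirrors) keys on the dedicated `wevtsvc.dll` threads rather than on the total thread count. The `Running` state reported by `Get-Service` is exactly the misleading status the technique relies on, so it is printed alongside the thread count rather than trusted on its own.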
Event Log bypass, svchost, TerminateThread, Wevtsvc.dll, Invoke-Phant0m