One Day Sec

Why can't I directly open an EVTX log file for modification while the Eventlog service is running?

The Eventlog service opens its EVTX log files in exclusive mode, preventing other processes from opening them for writing. To modify a log record, you must either terminate the service process (releasing file handles) or obtain a handle from within the service process. This article covers the first approach, while subsequent parts discuss obtaining handles via injection or DuplicateHandle.
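As an added defender-side check (not code from the original post), the script below confirms that the Eventlog service is running and that its EVTX files still refuse a write-capable open, and if not, pulls the service-stop and log-clear events. It assumes the default log directory `%SystemRoot%\System32\winevt\Logs`, the service name `EventLog`, and an elevated shell.

```powershell
# Added example (not from the original post). Assumed: default log path
# %SystemRoot%\System32\winevt\Logs, service name "EventLog", elevated shell.

function Test-EvtxLocked {
    param([Parameter(Mandatory)][string]$Path)
    try {
        # Ask for write access with no sharing. While the service holds the
        # file, this fails with a sharing violation (IOException).
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
              [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::None)
        $fs.Dispose()
        return 'Unlocked'      # opened for writing: the log is no longer protected
    } catch [System.IO.IOException] {
        return 'Locked'        # expected state while the service is running
    } catch [System.UnauthorizedAccessException] {
        return 'AccessDenied'  # not elevated; result is inconclusive
    }
}

$svc    = Get-Service -Name EventLog
$logDir = Join-Path $env:SystemRoot 'System32\winevt\Logs'
$state  = foreach ($name in 'Security.evtx', 'System.evtx', 'Application.evtx') {
    [pscustomobject]@{
        Log    = $name
        Status = Test-EvtxLocked -Path (Join-Path $logDir $name)
    }
}
$state | Format-Table -AutoSize

if ($svc.Status -ne 'Running' -or ($state.Status -contains 'Unlocked')) {
    Write-Warning "EventLog service is $($svc.Status) or a log file is unlocked; review recent events."
    # Security log: 1100 = event logging service shut down, 1102 = audit log cleared.
    # System log: 7036 = service state change recorded by the Service Control Manager.
    # Note: live-channel queries fail while the service is stopped; restart it first.
    $since = (Get-Date).AddHours(-24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1100, 1102; StartTime = $since } `
        -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager';
                                     Id = 7036; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Windows Event Log*' } |
        Select-Object TimeCreated, Id, Message
}
```

On a healthy host every log reports `Locked`; an `Unlocked` result or a non-running service is the condition described above and warrants a look at who stopped the service.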
Tags: EVTX, Eventlog service, exclusive mode, file handle, log deletion
