If the service was started prior to activation of logging in the initial

process (due to our file/url of interest code) then it's not interesting
and we shouldn't trigger an injection into services.exe

Also enable larger buffer sizes for RtlDecompressBuffer as suggested by
KillerInstinct

hook_misc.c

@@ -471,7 +471,7 @@ HOOKDEF(NTSTATUS, WINAPI, RtlDecompressBuffer,
 	NTSTATUS ret = Old_RtlDecompressBuffer(CompressionFormat, UncompressedBuffer, UncompressedBufferSize,
 		CompressedBuffer, CompressedBufferSize, FinalUncompressedSize);
 
-	LOQ_ntstatus("misc", "pbh", "UncompressedBufferAddress", UncompressedBuffer, "UncompressedBuffer",
+	LOQ_ntstatus("misc", "pch", "UncompressedBufferAddress", UncompressedBuffer, "UncompressedBuffer",
 		ret ? 0 : *FinalUncompressedSize, UncompressedBuffer, "UncompressedBufferLength", ret ? 0 : *FinalUncompressedSize);
 
 	return ret;

hook_services.c

@@ -190,7 +190,7 @@ HOOKDEF(BOOL, WINAPI, StartServiceA,
 	BOOLEAN dispret = servicename_from_handle(hService, servicename);
 	BOOL ret;
 
-	if (dispret && (wcsicmp(servicename, L"osppsvc") || !g_config.file_of_interest || !wcsicmp(our_process_path, g_config.file_of_interest)))
+	if (dispret && !g_config.suspend_logging && (wcsicmp(servicename, L"osppsvc") || !g_config.file_of_interest || !wcsicmp(our_process_path, g_config.file_of_interest)))
 		pipe("SERVICE:%Z", servicename);
 	ret = Old_StartServiceA(hService, dwNumServiceArgs,
         lpServiceArgVectors);
@@ -209,7 +209,7 @@ HOOKDEF(BOOL, WINAPI, StartServiceW,
 	BOOLEAN dispret = servicename_from_handle(hService, servicename);
 	BOOL ret;
 
-	if (dispret && (wcsicmp(servicename, L"osppsvc") || !g_config.file_of_interest || !wcsicmp(our_process_path, g_config.file_of_interest)))
+	if (dispret && !g_config.suspend_logging && (wcsicmp(servicename, L"osppsvc") || !g_config.file_of_interest || !wcsicmp(our_process_path, g_config.file_of_interest)))
 		pipe("SERVICE:%Z", servicename);
     ret = Old_StartServiceW(hService, dwNumServiceArgs,
         lpServiceArgVectors);