Some applications will try to perform a service access attempt, as seen in the following security event, where a process called joiedevivre.exe has injected its own thread in notepad.exe's address space to perform this action:

Thread injection in a notepad process

A service access attempt is usually performed when an application is trying to achieve persistence in Windows Services.

Legitimate and non-legitimate applications do so by first opening a connection to the Service Control Manager database, using the OpenSCManager function, which is exported from sechost.dll: OpenSCManagerA function (winsvc.h)

In this case, sechost.dll is observed in the call stack of the event:

sechost.dll contained in callstack leading up to service access attempt

Dumpbin output of sechost.dll for exported functions