If I open a file with FltCreateFile and then close the handle, just holding the reference to FILE_OBJECT, I can rename the directory in which the file name resides. But if I try to use this FO to FltReadFile, the operation fails with STATUS_FILE_CLOSED. If I mantain the handle opened, I can issue the read, but renaming the directory fails...
That said, my question is about how CC or MM deal with this situation. They might hold a reference to a FO, even when all handles to it have been closed. They can issue IO operations (IE: lazy writer) and at the same time, renaming the directory won't cause any issues.
I've been googling and found some info about IoCreateStreamFileObject, which seems to be used by the CC. This function closes internally the created handle and the FO is marked with FO_STREAM_FILE... So, a FO opened this way can be used for IO as if it had been created with FltCreateFile? Is that the "trick" of CC?