I wrote some seemingly innocuous filter code to create a stream within a file on an NTFS volume. Using a HANDLE to the file as the RootDirectory within the OBJECT_ATTRIBUTES, I tried to do a relative create on the file using IoCreateFileSpecifyDeviceObjectHint. Much to my surprise, the IRP_MJ_CREATE appeared at the top of the device stack. Googling a bit turned up a post on NTFSD from last year in which this was acknowledged as a bug.

The gist of the thread is that you're OK doing relative opens with IoCreateFileSpecifyDevice ObjectHint if the RootDirectory is a HANDLE to:

• A FILE_OBJECT that was also returned from a call to IoCreateFileSpecifyDeviceObjectHint
• A FILE_OBJECT that represents a volume open