Why are On*CloseFile events fired long after the file is actually closed?

When monitoring file operations, you may notice that a certain file was closed by a process, yet your application doesn't receive any On*CloseFile events for a long time (minutes or even hours!). How can this happen?

The problem has roots in how the OS works. After all handles to a file are closed, the OS keeps the file itself open for quite some time (which can be hours) to speed up the subsequent opening of the file. Another possible cause of the delayed file closing is memory-mapped files: a process can open a file handle, map the file into memory, close the handle, and continue to use the mapping. In this scenario, the file will remain open, although all of the handles have been closed.

CBFS Filter has no control over the file's lifetime.