I am monitoring some syscalls for ShGetFolderPathW(). To do that, I replaced ntdll's OpenKey, CreateKey, and QueryValueKey functions with my own via DLL injection:
```cpp
#include <windows.h>
#include <winternl.h>   // NTSTATUS, OBJECT_ATTRIBUTES, UNICODE_STRING, KEY_VALUE_INFORMATION_CLASS (or your own ntdll declarations)
#include <stdio.h>

// Pointers to the original ntdll functions, saved by the injector before the exports are replaced.
typedef NTSTATUS (NTAPI *NtOpenKeyEx_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, ULONG);
typedef NTSTATUS (NTAPI *NtQueryValueKey_t)(HANDLE, PUNICODE_STRING, KEY_VALUE_INFORMATION_CLASS, PVOID, ULONG, PULONG);
static NtOpenKeyEx_t      original_nt_open_key_ex;
static NtQueryValueKey_t  original_nt_query_value_key;

NTSTATUS NTAPI MyNtOpenKey(PHANDLE KeyHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, ULONG OpenOptions) {
    auto res = original_nt_open_key_ex(KeyHandle, DesiredAccess, ObjectAttributes, OpenOptions);
    // Logs whatever *KeyHandle holds after the call, whether or not res indicates success.
    printf("opened %lx\n", (DWORD) *KeyHandle);
    return res;
}

NTSTATUS NTAPI MyNtQueryValueKey(HANDLE KeyHandle, PUNICODE_STRING ValueName,
        KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, PVOID KeyValueInformation, ULONG Length, PULONG ResultLength) {
    printf("queried %lx\n", (DWORD) KeyHandle);
    auto res = original_nt_query_value_key(KeyHandle, ValueName, KeyValueInformationClass,
                                           KeyValueInformation, Length, ResultLength);
    return res;
}
```
I see calls like:
```text
opened 224
opened 228
...
queried 228
queried 228
opened 0
opened 224
opened 22c
opened 0
opened 22c
queried 22c
queried 230
queried 230
queried e4
queried 230
queried 230
```
How is it possible that handles 230 and e4 are queried without being opened, when the documentation states that they must be opened beforehand?
Here are syscalls monitored with API Monitor between queried 22c and queried 230:
```text
# Time of Day Thread Module API Return Type Return Value Duration
181 3:29:45.879 PM 1 KERNELBASE.dll NtQueryValueKey ( 0x0000020c, 0x005bf470, KeyValuePartialInformation, 0x005bf3b0, 0x0000008e, 0x005bf388 ) NTSTATUS STATUS_SUCCESS 0.0000044
182 3:29:45.879 PM 1 KERNELBASE.dll memmove ( 0x0092c0a0, 0x005bf3bc, 0x00000068 ) void* 0x0092c0a0 0.0000001
183 3:29:45.879 PM 1 KERNELBASE.dll RtlNtStatusToDosError ( STATUS_SUCCESS ) ULONG ERROR_SUCCESS 0.0000001
184 3:29:45.879 PM 1 KERNELBASE.dll RtlExpandEnvironmentStrings ( NULL, "%ProgramData%\Microsoft\Windows\Start Menu\Programs", 0x00000033, "䶑ʚ濾㥨", 0x00000800, 0x005be2d0 ) NTSTATUS STATUS_SUCCESS 0.0000020
185 3:29:45.879 PM 1 KERNELBASE.dll NtQueryInformationToken ( 0xfffffffc, TokenStatistics, 0x005be248, 0x00000038, 0x005be244 ) NTSTATUS STATUS_SUCCESS 0.0000012
186 3:29:45.879 PM 1 KERNELBASE.dll RtlAllocateHeap ( 0x00920000, HEAP_ZERO_MEMORY, 0x0000004c ) PVOID 0x0092c0a0 0.0000011
187 3:29:45.879 PM 1 KERNELBASE.dll NtQueryInformationToken ( 0xfffffffc, TokenUser, 0x0092c0a0, 0x0000004c, 0x005be244 ) NTSTATUS STATUS_SUCCESS 0.0000008
188 3:29:45.879 PM 1 KERNELBASE.dll RtlEqualSid ( 0x0092c0a8, 0x7ef90fe0 ) BOOLEAN TRUE 0.0000003
189 3:29:45.879 PM 1 KERNELBASE.dll RtlFreeHeap ( 0x00920000, 0x00000000, 0x0092c0a0 ) BOOLEAN TRUE 0.0000006
190 3:29:45.879 PM 1 KERNELBASE.dll RtlAcquireSRWLockExclusive ( 0x7760888c ) VOID 0.0000002
191 3:29:45.879 PM 1 KERNELBASE.dll RtlReleaseSRWLockExclusive ( 0x7760888c ) VOID 0.0000001
192 3:29:45.879 PM 1 KERNELBASE.dll memset ( 0x005be050, 0x00000000, 0x00000208 ) void* 0x005be050 0.0000001
193 3:29:45.879 PM 1 KERNELBASE.dll RtlIntegerToUnicodeString ( 0x000602ff, 0x00000010, 0x005bd7a0 ) NTSTATUS STATUS_SUCCESS 0.0000005
194 3:29:45.879 PM 1 KERNELBASE.dll RtlInitUnicodeString ( 0x005bdb98, "000602xx" ) VOID 0.0000001
195 3:29:45.879 PM 1 KERNELBASE.dll memset ( 0x005bdde0, 0x00000000, 0x00000214 ) void* 0x005bdde0 0.0000001
196 3:29:45.879 PM 1 KERNELBASE.dll NtQueryValueKey ( 0x000000f0, 0x005bdb98, KeyValueFullInformation, 0x005bdde0, 0x00000214, 0x005bdba4 ) NTSTATUS STATUS_SUCCESS 0.0000052
```
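As an added illustration (not code from the question), here is a small offline correlator in C that replays the hook log quoted above and reports which queried handles never appeared in an "opened" line; the trace it reads is a constructed copy of the lines shown, with the elided region omitted. It assumes the hook set described above, which has no NtClose hook, so a handle value that is closed and reused cannot be distinguished from one that stayed open.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample: the hook output quoted above, without the elided "..." region. */
static const char *const kTrace[] = {
    "opened 224", "opened 228", "queried 228", "queried 228",
    "opened 0", "opened 224", "opened 22c", "opened 0", "opened 22c",
    "queried 22c", "queried 230", "queried 230", "queried e4",
    "queried 230", "queried 230",
};
#define TRACE_LEN (sizeof kTrace / sizeof kTrace[0])
#define MAX_HANDLES 256
typedef struct {
    int failed_opens;                     /* "opened 0": the hook logged a NULL handle */
    int unopened_queries;                 /* query events on handles never logged as opened */
    unsigned long unopened[MAX_HANDLES];  /* the distinct offending handle values, in order seen */
    int n_unopened;
} Report;

static int contains(const unsigned long *set, int n, unsigned long h) {
    for (int i = 0; i < n; i++) if (set[i] == h) return 1;
    return 0;
}
/* Replays the hook log in order and flags every "queried" line whose handle no earlier
   "opened" line produced. Without an NtClose hook, handle reuse after a close is invisible. */
Report correlate(const char *const *lines, size_t n) {
    Report r; memset(&r, 0, sizeof r);
    unsigned long opened[MAX_HANDLES]; int n_opened = 0;
    for (size_t i = 0; i < n; i++) {
        char verb[16]; unsigned long h;
        if (sscanf(lines[i], "%15s %lx", verb, &h) != 2) continue;
        if (strcmp(verb, "opened") == 0) {
            if (h == 0) { r.failed_opens++; continue; }  /* NULL is never a valid key handle */
            if (!contains(opened, n_opened, h) && n_opened < MAX_HANDLES) opened[n_opened++] = h;
        } else if (strcmp(verb, "queried") == 0 && !contains(opened, n_opened, h)) {
            r.unopened_queries++;
            if (!contains(r.unopened, r.n_unopened, h) && r.n_unopened < MAX_HANDLES)
                r.unopened[r.n_unopened++] = h;
        }
    }
    return r;
}

int main(void) {
    Report r = correlate(kTrace, TRACE_LEN);
    printf("failed opens: %d, queries on never-opened handles: %d\n", r.failed_opens, r.unopened_queries);
    for (int i = 0; i < r.n_unopened; i++) printf("  handle %lx\n", r.unopened[i]);
    return 0;
}
```

On the sample trace it reports two failed opens and five queries on two handles (230 and e4) that no logged open produced.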