getting the winlogon process

Let's check whether the process that is called by the login process is the "real" one or whether it has been replaced by another one.

vol.exe -f vaio_mem.dmp --profile=Win7SP1x64 printkey -K "Microsoft\Windows NT\CurrentVersion\Winlogon" >winlogon.txt 

File "winlogon.txt"
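
One way to review the saved output, as an added example that is not part of the original notes: the Python script below parses printkey text such as winlogon.txt and flags `Shell` and `Userinit` entries that differ from stock Windows 7 defaults. The two value names checked, the default baseline, the `sample()` helper and its constructed input are assumptions made for this illustration.

```python
import re
import sys

# Assumed baseline: stock Windows 7 defaults. Adjust to your own gold image.
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}
# Volatility 2 printkey value line, e.g.
#   REG_SZ        Shell           : (S) explorer.exe
VALUE_RE = re.compile(r"^(REG_\w+)\s+(\S+)\s*:\s*\((S|V)\)\s?(.*)$")

def parse_printkey(text):
    """Return {hive_path: {value_name: data}} from printkey text output."""
    hives, current = {}, None
    for line in text.splitlines():
        if line.startswith("Registry:"):
            current = hives.setdefault(line.split(":", 1)[1].strip(), {})
        elif current is not None:
            m = VALUE_RE.match(line.strip())
            if m:
                current[m.group(2)] = m.group(4).strip()
    return hives

def check_winlogon(text):
    """List (hive, value, data) tuples that deviate from EXPECTED."""
    findings = []
    for hive, values in parse_printkey(text).items():
        for name, data in values.items():
            expected = EXPECTED.get(name.lower())
            if expected is None:
                continue  # value not covered by this check
            # Both values may hold a comma-separated list; every entry must match.
            entries = [e.strip().lower() for e in data.split(",") if e.strip()]
            if not entries or any(e not in expected for e in entries):
                findings.append((hive, name, data))
    return findings

def sample(userinit):
    """Constructed printkey-style text (not taken from the page's memory dump)."""
    return ("Registry: \\SystemRoot\\System32\\Config\\SOFTWARE\n"
            "Key name: Winlogon (S)\n\nValues:\n"
            "REG_SZ        Shell           : (S) explorer.exe\n"
            "REG_SZ        Userinit        : (S) " + userinit + "\n")

if __name__ == "__main__":
    # With a file argument, check real output; otherwise use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample(
        "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\svc.exe")
    for hive, name, data in check_winlogon(text):
        print("REVIEW %s %s = %s" % (hive, name, data))
```

A flagged entry is a lead to verify against the system's known-good configuration, since some environments legitimately set a custom shell.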