getting the winlogon process
Let's check, if the process that is called by the login process is the "real" one or if it has been replaced by another one....
vol.exe -f vaio_mem.dmp --profile=Win7SP1x64 printkey -K "Microsoft\Windows NT\CurrentVersion\Winlogon" >winlogon.txt