Yeah, winlogon would be the parent process of a logon script. A user-run script will show up under the shell (explorer, taskmgr, cmd.exe...).

I don't think that a user could spoof this.

Bryce