Thanks omega_red... I just found this thread and looked around Win32k.sys a bit last night and found four vulnerabilities, including the one you mentioned -- Microsoft was wrong to assume this can only happen before Winlogon loads! (Sorry for being vague -- you know how disclosure works).

I sent reports to my friends over at MSFT, but these bugs are so fun I'd love to give a talk at Blackhat about them as soon as they release patches!