WinLogin is a Windows component that loads a user profile right after authentication (amongst other things). The WinLogin initialization sequence is defined in the HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\ registry key. This will contain two values:
Userinit, which points to userinit.exe, andshellwhich usually points to explorer.exe.
Do not replace these files! Instead, follow the initial command with your payload, separating the two with a comma:
C:\Windows\System32\userinit.exe,C:\Windows\System32\evil.exe