by burner589432 2427 days ago
Last I checked, hooking key events in Windows requires SYSTEM access.

Stealing session tokens can be as easy as just pulling the entire browser profile, which I doubt requires elevated access.

I imagine black market post-exploitation kits would have session data theft as a feature.

Again, if somebody has system access, you're probably completely fucked from a different angle irrespective of your preferred authentication method, so now we're talking about semantics of how you're getting fucked, because most 'apt's are going to be grepping your disk for words or key phrases like 'financial data', not caring about your Facebook account.

1 comments

While it is true that hooking _all_ keyboard input requires SYSTEM access (because it involves either impersonating the session manager or injecting code into the kernel), you don’t really need that to exfiltrate passwords for random websites that are entered into a web browser. The owner of a session can hook any event that is passed to the session, which obviously includes any keyboard event that the browser is going to see.