by rainforest 4782 days ago
In a sense Windows Vista, 7 and 8 have encouraged targeting user-mode processes. The garden-variety IRC bots that ship with the "hacking tools" available through various YouTube channels all run in user mode.

The most common (at least based on my ~10 instances) technique is malware that installs itself into %APPDATA% and sets itself to start on boot. The executable then launches some process (like services.exe) and injects its own code (known as RunPE).

I'm not sure how prolific exploitation of user-mode binaries is, but the damage that can be done from user-mode is non-trivial.
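The two observable traits of the pattern the comment describes, an autorun entry pointing into a user-writable directory and a system binary being spawned by something living in that directory, are simple to hunt for. The following is an added example, not code from the post or from any product; the host environment, registry entries and process-creation events are constructed sample data, and the helper names (`flag_autoruns`, `flag_hollowing`) are this example's own.

```python
"""Triage heuristics for %APPDATA% persistence and RunPE-style hollowing.

Added illustration: all environment values, autorun entries and process
events below are constructed sample data, not telemetry from a real host.
"""
import re

# Constructed per-user environment for the sample host.
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "PROGRAMFILES": r"C:\Program Files",
    "SYSTEMROOT": r"C:\Windows",
}

# Prefixes a standard (non-admin) user can write to: planting an autorun here
# needs no privilege escalation, which is exactly why user-mode bots use them.
USER_WRITABLE = ("APPDATA", "LOCALAPPDATA", "TEMP")

# System binaries a RunPE loader typically starts (suspended) and hollows out,
# because the process name looks benign in a task list.
HOLLOW_TARGETS = {"services.exe", "svchost.exe", "explorer.exe"}


def expand(path: str) -> str:
    """Expand %VAR% tokens from ENV and lower-case the result for comparison."""
    def sub(m: re.Match) -> str:
        return ENV.get(m.group(1).upper(), m.group(0))
    return re.sub(r"%([^%]+)%", sub, path).lower()


def image_from_command(cmd: str) -> str:
    """Extract the executable path from a Run-key command line.

    Handles both  "C:\\dir with space\\x.exe" /arg  and  C:\\dir\\x.exe /arg.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def in_user_writable(path: str) -> bool:
    """True if the (expanded) path sits under a directory a normal user can write to."""
    p = expand(path)
    return any(p.startswith(expand(f"%{v}%").rstrip("\\") + "\\") for v in USER_WRITABLE)


def flag_autoruns(entries):
    """entries: (key, value_name, command). Returns suspicious (key, value_name, image)."""
    hits = []
    for key, name, command in entries:
        image = image_from_command(command)
        if in_user_writable(image):
            hits.append((key, name, expand(image)))
    return hits


def flag_hollowing(events):
    """events: (parent_image, child_image).

    Flags a hollowing target whose parent lives in a user-writable directory;
    services.exe, for instance, is normally only started by wininit.exe.
    """
    hits = []
    for parent, image in events:
        base = expand(image).rsplit("\\", 1)[-1]
        if base in HOLLOW_TARGETS and in_user_writable(parent):
            hits.append((expand(parent), expand(image)))
    return hits


# Constructed sample data: one legitimate per-user app, one planted bot, one system entry.
AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "WindowsUpdate",
     r'"%APPDATA%\winupdate\svchost.exe"'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%SystemRoot%\system32\SecurityHealthSystray.exe"),
]

# Constructed process-creation events as (parent, child).
PROCESS_EVENTS = [
    (r"C:\Windows\System32\wininit.exe", r"C:\Windows\System32\services.exe"),
    (r"C:\Users\alice\AppData\Roaming\winupdate\svchost.exe", r"C:\Windows\System32\services.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for hit in flag_autoruns(AUTORUNS):
        print("autorun in user-writable dir:", hit)
    for hit in flag_hollowing(PROCESS_EVENTS):
        print("system binary spawned from user-writable dir:", hit)
```

Note that the autorun check deliberately also trips on the OneDrive entry: legitimate per-user installers (OneDrive, Teams, browser updaters) live in %LOCALAPPDATA% too, so this is a triage signal to pair with a signature or publisher check, not a verdict on its own. The parent/child check is tighter, since a system binary whose parent is an unsigned executable in %APPDATA% has very few benign explanations.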