Read the BIOS keyboard buffer from userland. This is possible under Windows because NTDVM copies the First 1Mb of physical memory in userland (kernel leak).