I decided to more carefully check my event log for suspicious events. Configuring custom views and setting up notifications gives me some useful information.

I followed these steps to configure Audit Policies: http://www.monitorware.com/common/en/stepbystep/intrusion-detection-mwa12.php

Here is some useful information and a list of interesting event IDs from the NSA [PDF]: https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf

The option to create a task to show a message when a new event is logged was removed in Windows 8. You can use this workaround to get this functionality back: http://www.askvg.com/fix-cant-create-tasks-to-display-messages-in-windows-8-task-scheduler/

I would appreciate any info about additional IDs to monitor.