Measuring Windows Security Event Log Rate with PowerShell

Article ID: 545
Category: Event Log Monitoring
Updated: 2026-03-30

Overview
This article explains how to use a PowerShell one-liner to calculate the average rate at which Windows Security events are being generated on a machine. This is expressed as Events Per Second (EPS).

Requirements
• PowerShell 3.0 or later.
• Must be run on the Windows machine being measured.
• Must be run from an elevated Windows PowerShell prompt as a user with read access to the Security event log (local Administrator or equivalent).
• The Security event log must contain at least two events.

The Script
Copy the following PowerShell script:

$c = [int64]((wevtutil gli Security | Select-String 'numberOfLogRecords') -split '\s+')[-1]; $o = (Get-WinEvent -LogName Security -Oldest -MaxEvents 1).TimeCreated; $n = (Get-WinEvent -LogName Security -MaxEvents 1).TimeCreated; [int]($c / (($n.Ticks - $o.Ticks) / 10000000))

The script outputs a single integer representing the average number of Security events generated per second, for example:

4

This means 4 Security events per second are being generated on average over the entire lifetime of the log.

How to Run It
Option A: Run directly in PowerShell.
1. Open PowerShell as Administrator.
2. Paste the script and press Enter.
3. The result will be printed immediately.

Option B: Save as a script file.
1. Save the script as EventRate.ps1
2. Run it using:
.\EventRate.ps1


Note: The script needs to be located in the directory the PowerShell prompt is currently in (in this example, C:\WINDOWS\system32).

Limitations
• The result is averaged over the entire age of the log, which could be days, weeks, or months.
• If the Security log has been cleared recently, the result reflects only the period since the last clear.
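
The following is an added example, not part of the original article or of EventSentry's code. It goes beyond the one-liner by optionally restricting the measurement to the last N minutes and by reporting a fractional rate. The function name Get-LogEps and its parameters are hypothetical, and the event count assumes that record IDs in the log increase by one per event.

```powershell
# Added example, not part of the original article. Get-LogEps and its
# parameters are hypothetical names chosen for this illustration.
function Get-LogEps {
    [CmdletBinding()]
    param(
        [string]$LogName = 'Security',
        # 0 = span of the whole retained log (as the one-liner does);
        # N = only the events written in the last N minutes.
        [ValidateRange(0, 525600)]
        [int]$LastMinutes = 0
    )

    $newest = Get-WinEvent -LogName $LogName -MaxEvents 1 -ErrorAction Stop

    if ($LastMinutes -gt 0) {
        $filter = @{ LogName = $LogName; StartTime = (Get-Date).AddMinutes(-$LastMinutes) }
        # -Oldest -MaxEvents 1 returns the first event inside the window.
        # An empty window raises a non-terminating error, hence SilentlyContinue.
        $first = Get-WinEvent -FilterHashtable $filter -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    }
    else {
        $first = Get-WinEvent -LogName $LogName -Oldest -MaxEvents 1 -ErrorAction Stop
    }

    if (-not $first) {
        Write-Warning "No events in '$LogName' during the last $LastMinutes minute(s)."
        return
    }

    # Assumption: record IDs in a channel increase by one per event, so the
    # ID difference gives the event count without reading every record.
    $count   = $newest.RecordId - $first.RecordId + 1
    $seconds = ($newest.TimeCreated - $first.TimeCreated).TotalSeconds

    if ($seconds -le 0) {
        Write-Warning "Need two events with different timestamps; found $count."
        return
    }

    [pscustomobject]@{
        LogName = $LogName
        Events  = $count
        Seconds = [math]::Round($seconds)
        # Two decimals, so a quiet host shows 0.12 rather than 0.
        EPS     = [math]::Round($count / $seconds, 2)
    }
}

Get-LogEps                  # average over the retained log
Get-LogEps -LastMinutes 15  # average over the last 15 minutes
```

Like the one-liner, this needs an elevated prompt with read access to the Security log.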


