Event ID 3 — Process 'ProcessPath' (PID CallingProcessId) would have been blocked from creating a child process 'ChildImagePathName' with command line 'ChildCommandLine'.

{
  "system": {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "guid": "FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF",
    "event_source_name": "",
    "event_id": 3,
    "version": 0,
    "level": 0,
    "task": 2,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-10-26T04:19:22.802481+00:00",
    "event_record_id": 6,
    "correlation": {},
    "execution": {
      "process_id": 2524,
      "thread_id": 452
    },
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "computer": "WIN-OQ6R0RVA4NF",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ProcessPathLength": 52,
    "ProcessPath": "\\Device\\HarddiskVolume4\\Windows\\System32\\spoolsv.exe",
    "ProcessCommandLineLength": 31,
    "ProcessCommandLine": "C:\\Windows\\System32\\spoolsv.exe",
    "CallingProcessId": 2524,
    "CallingProcessCreateTime": "2023-10-26T04:17:19.791140Z",
    "CallingProcessStartKey": 281474976710715,
    "CallingProcessSignatureLevel": 2,
    "CallingProcessSectionSignatureLevel": 2,
    "CallingProcessProtection": 0,
    "CallingThreadId": 452,
    "CallingThreadCreateTime": "2023-10-26T04:19:20.206505Z",
    "ChildImagePathNameLength": 32,
    "ChildImagePathName": "C:\\Windows\\SysWOW64\\regsvr32.exe",
    "ChildCommandLineLength": 73,
    "ChildCommandLine": "C:\\Windows\\SysWOW64\\regsvr32.exe /s \"C:\\Windows\\SysWOW64\\PrintConfig.dll\""
  },
  "message": ""
}