defense+ small query

Sorry if this is covered elsewhere but I noticed that defense+ was learning what services.exe accessed in registry after I reboot the computer following the latest windows update (for IE8), is this what normally happens when Windows update changes things (ie patches etc) and how did it know that what it was learning was genuine and not malicious?

ps is it normal for it to learn many changes at a time as the defense+ pop ups (bubbles above notification area) were constantly changing and were on screen for a few minutes

sorry for such a mundane question, still have trouble getting my head round certain things :-[

This is perfectly normal when a Microsoft patch occurs. Various protected registry keys need to store information about what to change/run as the computer is re-booted (patch applied). Services is a signed Microsoft executable and the update which performed these actions will also have been digitallty signed.

If something that was deemed suspicious tried to alter a protected registry key you would receive an alert asking about it.