All registry changes are made when the executable file runs, so in Hardened Mode or DeepScreen it will initially be in an effective sandbox, and if it is known malware it will not be able to run. Hence, registry changes will be blocked. However, for unknown malware, or anything that manages to pass the other filters, the registry changes will occur.