Windows runner loses identity after self-update

Describe the bug

If the runner starts using impersonation (e.g. a scheduled task run under a logged out user) and the runner self-updates, the resulting process does not keep the full user profile loaded. Workflows using certain Windows cryptographic APIs will fail until the runner process is restarted.

To Reproduce

1. Create a local user account (e.g. runneruser)
2. Make sure that user is not logged in (so that their profile is not already loaded)
3. Install a version of the Actions Runner that is at least one version older than the latest
4. Configure the runner with GitHub.com using the config.cmd file
5. Launch the runner with impersonation (for example using a Scheduled Task, passing in the user’s credentials)
6. Run a workflow, which will cause the runner to self-update before execution
7. Any workflows run after this point will fail if they need access to certain Windows cryptographic APIs
8. Stop the currently executing runner process and launch it again using a scheduled task
9. Run the same workflow again. Note that the workflow now runs fine.

Expected behavior

Workflows should not fail or exhibit different behavior after the runner updates

Runner Version and Platform

Windows runner 2.277.1 (updating to 2.278.0)

What’s not working?

The update completes successfully, but workflows using certain Windows cryptographic APIs will fail when run by the new runner process. For example, this line of PowerShell:

New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("key.pfx", "")

Will fail with:

Exception calling ".ctor" with "2" argument(s): "The specified network password is not correct."

This example workflow is a good demonstration of the issue.