BioIDSvc

BWS Windows Service

The BioIDSvc is a version of the BioID Web Service (BWS), where the Azure WorkerRole is replaced by a Microsoft Windows service with an identical implementation of the BWS APIs. The main difference is the use of a MongoDB database instead of the Azure Storage service.

Differences to the BioID-hosted Azure services:

  • The SOAP- and REST-interfaces of the BioIDSvc are accessed through the URLs and paths defined in the configuration file (in BWS the SOAP service is accessed through the path BioIDWebService.svc, the REST-API through the path extension).
  • Because a database (MongoDB) is used for data management, the Biometric Class IDs (BCIDs) don't support different Storages. The only storage that can be used is configured in the ConnectionString{storage} parameter in the configuration file BioIDsvc.exe.config.

Sample applications, tools and source code:

To test and troubleshoot the service, you can use the BWS PowerShell Cmdlets. Various Blog entries contain code and other helpful information. In the BioID GitHub repositories (https://github.com/BioID-GmbH/) you can find a BWS command line tool, among others.

For this documentation following configuration is assumed. Replace server names and other parameters according to your environment!

Item Name
On-Premise BWS installation package bioidsvc.bioid.com.zip
BioIDsvc production system onpremise.bioid.com
Administrator workstation for installation workstation.bioid.com
MongoDB Database Server mongodb.bioid.com
TLS Server Certificate installed on onpremise.bioid.com Cert:\LocalMachine\My\55D7B0D345775A0A6DADE157EAF9DE05430EE096
X.509 Client Certificate installed on workstation.bioid.com Cert:\CurrentUser\My\80F0BFC6A3450441EF3F6A4D5B470518A0C2E72B

System Requirements

For a production installation, BioIDsvc requires the following system conditions, either as a physical system or as a VM in a virtualized environment.

System


Without Identification With Identification*)
OS Enviroment Microsoft Windows Server 2012 R2 64 Bit or newer Microsoft Windows Server 2012 R2 64 Bit or newer
Software MongoDB Version 3.2 or newer (on same or remote system) MongoDB Version 3.2 or newer (on same or remote system)
CPU Intel Xeon E5 v3 with 2 cores Intel Xeon E5 v3 with at least 4 cores
RAM At least 4 GB RAM At least 4 GB RAM + (number of users to be identified * 40 KB for face or 80 KB for periocular) RAM
Storage After startup the service runs in main memory and requires no hard drive space.
For installation and for entries in the Windows event log, some MBs of hard drive space are needed.
After startup the service runs in main memory and requires no hard drive space.
For installation and for entries in the Windows event log, some MBs of hard drive space are needed.

*) Identification as related to face and/or periocular recognition. Identification with voice recognition requires significantly more resources.

Network

The network ports assume default values. They should be adapted to local conditions as needed. Likewise changes to Windows Firewall settings may be needed, if a non-default configuration is used.

Incoming Seervice

Port

Outgoing Service Port
HTTPS 443 (TCP) HTTPS 443 (TCP)
Remote Desktop Protocol (RDP) 3389 (TCP/UDP) MongoDB 27017 (TCP)
Remote PowerShell 5985 / 5986 (TCP)


To establish a secure connection to BioIDsvc, a valid X.509 certificate issued to the FQDN of the server must be installed on the server in the certificate storage LocalMachine/My.

This can be done manually or by using the installation script. See the comments in the install script install-bioidsvc.ps1 for further information.

For the connection to the database the connection string (see: https://docs.mongodb.com/manual/reference/connection-string/) for the MongoDB database instance is required.

The service creates all necessary collections and indices automatically in the database object bws.

Installation

Typically Windows PowerShell Remoting is used for the installation of BioIDsvc on a remote system, e.g. on a Microsoft Windows 2016 Core installation with no desktop environment. On systems with an desktop environment the installation package can be unzipped in the windows explorer and the installation script can be started in a local PowerShell window as a user with administrative rights. 

Enable PowerShell Remoting

The Installation Package

The BioIDSvc installation package is a compressed  ZIP file with following structure after extracting:

  • bin/ - A directory with the binary files that are copied by the installation script into the program folder.
  • setup/ - A directory with the PowerShell installation script install-bioidsvc.ps1, the configuration file BioIDSvc.exe.config and optionally other files depending on the product type.

For the transfer to the remote system Windows PowerShell as unprivileged user or Windows Powershell ISE as unprivileged user can be used.

Configuration of the Service

The configuration file in the setup directory of the installation package has to be modified according to the target environment.

It is more easy to uncompress the installation package on the local computer and edit the configuration file before copying to the remote system. The other option is to edit the configuration file after transfer to the remote server with PSedit in the Windows PowerShell ISE.


Two elements serve to configure the BioIDSvc: the configuration file (BioIDSvc.exe.config in the setup directory of the installation package) and the collection clients in the MongoDB database. The configuration file contains the service's basic settings, which are typically read and analyzed at program startup. The allowed client applications are managed by the database, and are periodically fetched by the service. 

The Configuration file

The .NET configuration file BioIDSvc.exe.config contains the service's basic settings. The following application specific settings in element appSettings should be set to the values of the target installation.

Parameter Description
SoapEndpoint The well-formed URL for SOAP access to the service (WCF Endpoint). As a protocol, https should be used.
The host name must be the FQDN of the server in accordance with the SSL certificate, the path can be freely selected (we recommend simply using bws, e.g. https://servername.domain/bws).
WebApiEndpoint The well-formed URL for Web API (RESTful) access to the service. As a protocol, https should be used. 
The host name must be the FQDN of the server in accordance with the SSL certificate, the path can be freely selected (we recommend simply  using api, or extension as in BWS, e.g. https://servername.domain/api).
UpdateConfigurationInterval

The service loads its client configuration from the database once at startup, and then again after the time interval defined here.
The update interval for configuration updates in the format hh:mm[:ss] (something between 1 minute and 1 hour).

GenerateReportsInterval The service regularly generates a usage report. From the log files in the database, daily and monthly usage calculations are created and stored back in the database (collection usage).
This happens shortly after the startup of the service and after the time interval defined here. The interval format is hh:mm[:ss] (something between 1 and 24 hours).
ConnectionString{storage} The MongoDB Connection String to store and load the biometric data associated with the named {storage}.
The service supports only a single storage (required according to the definition of a Biometric Class ID), which is used here as well as in the client configuration.
MongoDBConnectionString The MongoDB Connection String, used to write the log data and to read the client configurations. The two connection string values are usually identical, e.g. mongodb://server.domain:27017.

The storage connection string appendix must match the storage name defined in the client configuration! E.g, if the storage name parameter Storage is set to MyStorage the MongoDB connection string reads ConnectionStringMyStorage.

The Installation Script

Syntax:

install-bioidsvc.ps1 [[-sslThumbprint] <String>] [-keepConfig] [-WhatIf]

Parameter:

  • -sslThumbprint: The optional thumbprint of the SSL certificate in LocalMachine/My certificate store that should be bound to the SSL port.
  • -keepConfig: keeps an existing config-file. By default an existing config-file is copied to a backup file before it is replaced by the bioidsvc.exe.config from the setup folder.
  • -WhatIf: shows what happens if the script is executed. The individual commands are not actually carried out.

The following installation steps are performed by the script:

  • If a BioIDSvc is already installed, it will first be stopped and uninstalled.
  • All files from the bin directory are copied into the target directory C:\Program Files\BioIDSvc.
  • The config-file is copied, if the parameter -keepConfig is not set.
  • The SSL certificate - if specified - is installed.
  • The SSL certificate is bound to the specified HTTPS port.
  • A firewall rule for incoming HTTPS data traffic is applied.
  • The BioIDSvc is installed using the .NET Framework Installation utility. In addition, BioIDSvc.exe itself contains some installers to install the service, the Application EventLog BWSLog and two EventLog sources (in Application Log and in BWSLog).
  • The BioIDSvc is started.

Installation

First a remote session to the system intended to run the BioID Web Service has to be initiated. The installation package is transferred to the remote system and the installation script is executed. 

Open a Windows PowerShell or Windows PowerShell (ISE) on workstation.bioid.com and create a remote session. 

$RemoteSession = New-PSSession -ComputerName "onpremise.bioid.com" -Credential "~\Administrator"

Next transfer the installation package to the remote system onpremise.bioid.com and extract the files

Copy-Item -ToSession $RemoteSession -Path "C:\tmp\bioidsvc.bioid.com.zip" -Destination "C:\Users\Administrator\Downloads"
Invoke-Command -Session $RemoteSession -ScriptBlock { Expand-Archive -Path "C:\Users\Administrator\Downloads\bioidsvc.bioid.com.zip" }

# OR if the zip file with the installation package was extracted on the local system

Copy-Item -ToSession $RemoteSession -Path "C:\tmp\bioidsvc.bioid.com\" -Destination "C:\Users\Administrator\Downloads" -Recurse

Start the installation on the remote system using the thumbprint of the TLS server certificate.

Command
Invoke-Command -Session $RemoteSession -ScriptBlock { & "C:\Users\Administrator\Downloads\bioidsvc.bioid.com\setup\install-bioidsvc.ps1" 55D7B0D345775A0A6DADE157EAF9DE05430EE096 }
Sample Output
******************************************************************************
Installing BioIDSvc from C:\Users\Administrator\Downloads\bioidsvc.bioid.com\bin
using configuration at C:\Users\Administrator\Downloads\bioidsvc.bioid.com\setup
******************************************************************************
Copying files to C:\Program Files\BioIDSvc\ ...
Binding the SSL certificate tp port 0.0.0.0:443 ...
Adding inbound HTTPS firewall rule ...
Installing and starting the BioIDSvc ...
Microsoft (R) .NET Framework Installation utility Version 4.7.2556.0
Copyright (C) Microsoft Corporation.  All rights reserved.


Running a transacted installation.

Beginning the Install phase of the installation.
See the contents of the log file for the C:\Program Files\BioIDSvc\BioIDSvc.exe assembly's progress.
The file is located at C:\Program Files\BioIDSvc\BioIDSvc.InstallLog.
Installing assembly 'C:\Program Files\BioIDSvc\BioIDSvc.exe'.
Affected parameters are:
   logtoconsole = 
   assemblypath = C:\Program Files\BioIDSvc\BioIDSvc.exe
   logfile = C:\Program Files\BioIDSvc\BioIDSvc.InstallLog
Creating EventLog source BioIDWebService in log BWSLog...
Installing service BioIDSvc...
Service BioIDSvc has been successfully installed.
Creating EventLog source BioIDSvc in log Application...

The Install phase completed successfully, and the Commit phase is beginning.
See the contents of the log file for the C:\Program Files\BioIDSvc\BioIDSvc.exe assembly's progress.
The file is located at C:\Program Files\BioIDSvc\BioIDSvc.InstallLog.
Committing assembly 'C:\Program Files\BioIDSvc\BioIDSvc.exe'.
Affected parameters are:
   logtoconsole = 
   assemblypath = C:\Program Files\BioIDSvc\BioIDSvc.exe
   logfile = C:\Program Files\BioIDSvc\BioIDSvc.InstallLog

The Commit phase completed successfully.

The transacted install has completed.
WARNING: Waiting for service 'BioIDSvc (BioID Web Service) (BioIDSvc)' to start...

Checking the Service

After performing the installation the service is started on the remote system. You can check the status of the service with the Get-Service command.

Command
Invoke-Command -Session $RemoteSession -ScriptBlock { (Get-Service -Name BioIDsvc).Status }
Sample Output
Status   Name               DisplayName                           
------   ----               -----------                           
Running  BioIDsvc           BioIDSvc (BioID Web Service)    

Client configuration

The configuration of client applications of the BioIDsvc is handled through the collection clients in the MongoDB database.

All documents assigned to the service are read in and analyzed at the startup of the service and at regular intervals set by UpdateConfigurationInterval in the configuration file.

Only clients that identify themselves with the certificates specified here or the corresponding App-ID / secrets are granted access to the configured partitions. Specifically, a BWS Client Document contains the following data:


Parameter Description
_id The unique name of the client to whom this entry belongs.
Storage The name of the storage to which the client is granted access. The service supports only a single storage, therefore a consistent name must be used, which the service retrieves with the help of the connection string in ConnectionString{Storage} in the configuration file.
Partition The client is only granted access to the partition defined here. If this entry is omitted, the client has access to all classes in the given storage. 
IdentifyPartitions An optional array of partitions, each one requiring one identification module to be started. If only one Partition is defined, then only this partition can be used here. 
Expires The configured client expiry. After this date, the client does not get access granted to the service any more.
SaveEnrollmentPatterns Defines whether the raw data used for enrollment should be saved. This data is not needed for the service to function, but can help a user or administrator to understand which data has actually been trained and added to the template.
LogSamples Defines whether data sent to the service should be saved. Used for diagnostic purposes and is typically turned off. (Saved samples are deleted after a certain time.) 
Certificates An optional array of certificates that the client can use for authentication. Each entry in this array has at least the element Thumbprint containing the thumbprint of the certificate, and the optional element Expires with the ISO 8601 expiration date of the certificate.
ClientApps An optional array of App-ID/-secrets that the client can use for Basic Authentication for REST calls. Each entry in this array consists of the elements Identifier, the unique App-ID, and the element PasswordHash, the hash of the corresponding secret.

This is a sampe JSON document for the configuration of a client. It creates a client MyClient with the storage name MyStorage and the storage partition 23 for verification and identification.

For testing and debugging the samples for enrollment and the biometric operations are saved. A X.509 client certificate is given allowance to access the BioIDsrv instance for SOAP requests. Also two client apps are allowed access to the service with the combination of App-ID and secret for RESTful API calls.


{
    "_id" : "MyClient",
    "Storage" : "MyStorage",
    "Partition" : 23,
    "IdentifyPartitions" : [
        23
    ],
    "Expires" : ISODate("2018-06-10T12:00:00.000Z"), 
    "SaveEnrollmentSamples" : true,
    "LogSamples" : true,
    "Certificates" : [
        {
            "Thumbprint" : "80F0BFC6A3450441EF3F6A4D5B470518A0C2E72B"
        }
    ],
    "ClientApps" : [
        {
            "Identifier" : "testclient.1",
            "PasswordHash" : "pbkdf2:1000:QAVHuvUNNdWslJxhlDTBZyxW:PjxOuID+lRUOCIHj4Lp8y/MHiT7FIPzECkXU/7l0"
        }
    ]
}

Client Certificates

For accessing the BioIDsvc with the SOAP API, a standard X.509 certificate has to be installed on the client system. Access to the service is granted if the certificates thumbprint on the client matches the thumbprint configured in the Certificates section of the JSON client configuration file.The certificates can be issued by your local PKI or tools like OpenSSL. Alternatively, if you have no local PKI installed but want to use the SOAP API with client certificate credentials, we can issue the necessary certificates for you.

You can then use the BWS PowerShell Cmdlets to test the connectivity from your client system to the BioIDsrv service using the certificate's thumbprint. Assuming the client certificate installed on the client machine and assigned to the client configuration on the server has the thumbprint 80F0BFC6A3450441EF3F6A4D5B470518A0C2E72B following command can be used to display the status of the BioIDsvc:

Command
Get-BWSStatus -BWS 'https://onpremise.bioid.com/bws' -Certificate  ( Get-ChildItem Cert:\CurrentUser\My\80F0BFC6A3450441EF3F6A4D5B470518A0C2E72B )
Sample Output
Version Label           Features                                  
------- -----           --------                                  
2.3     BWS 2.3.18071.1 {QualityCheck, LiveDetection, PhotoVerify}


The technical blog articles Test the BWS accessibility with wget and Test the BWS accessibility with curl explain how to test the status of the service with tools more commonly found on UNIX or GNU/Linux systems.

Password Hashes

To call a REST interface, Basic Authentication with an App-ID and password is necessary. The service can perform the authentication through a hash value stored in the client configuration. To calculate the password hash, a typical standard process is used (salted password hashing with PBKDF2-HMACSHA1). The formatting of the hash then occurs as follows:

pbkdf2:{#iterations}:{base64 of salt}:{base64 of hash}

We provide a simple tool to create those hashes:

Hash Secret
https://playground.bioid.com/tools/hashsecret?secret=YOUR_SECRET

To insert this document into the database, the mongo Shell may be used. The mongo Shell can be invoked by using the command mongo (or mongo.exe on Microsoft Windows operating environment).

First select the database and then insert the JSON snippet into the clients collection.

MongoDB Shell
use bws
db.clients.insert( 
	{ "_id" : "MyClient", 
	Storage : "MyStorage", 
	Partition : NumberInt(23), 
	IdentifyPartitions : [ NumberInt(23) ], 
	Expires : ISODate("2018-12-31T12:00:00.000Z"), 
	SaveEnrollmentSamples : true, 
	LogSamples : true, 
	Certificates : 	[{ Thumbprint : "80F0BFC6A3450441EF3F6A4D5B470518A0C2E72B" }], 
	ClientApps : 	[ { Identifier : "testclient.1", PasswordHash : "pbkdf2:1000:c+B2f9wR/uKzFyRXB6QIcbUu:jKjFZ7MVZqW+FTvsNtnhSFd5R1QFkhNDbgWQFI7v" }, 
				      { Identifier : "sample-rest-app.2345739", PasswordHash : "pbkdf2:1000:gmuqNnM6VvwwMNKnsz8FTUi6:PWu3MOpMLTKc9riYWGPd3SkzhY47DsyLh0asYlid" } ] } )

Data Management

In general we distinguish between three types of data:

  • biometric data
  • log data
  • configuration data.

Biometric Data

Biometric data is managed in various collections according to the biometric trait faceperiocular or voice and their type. In the Template collections the biometric templates are stored as required for the operations "verification" and "identification". In the Features collections the data are stored that are extracted from the raw data at enrollment and used to generate the templates. Optionally, in the Pattern collections the used raw data can also be stored (these are not needed for operation and serve only informational or diagnostic purposes, see the LogSamples parameter in the client configuration).

In summary, there can currently be up to nine collections for the biometric data:

Collection Description
FaceTemplates The calculated biometric face 'Templates'.
FaceFeatures The  biometric 'Features' extracted from an image. The face template is then calculated from all features in a class. 
FacePatterns Optional original images. Used only for informational purposes, e.g. to manually verify which images were actually used to generate the biometric template for a class.
PeriocularTemplates The calculated biometric periocular 'Templates'.
PeriocularFeatures The  biometric periocular-'Features' extracted from an image. The periocular template is then calculated from all features in a class. 
PeriocularPatterns Optional original images. Used only for informational purposes, e.g. to manually verify which images were actually used to generate the biometric template for a class.
VoiceTemplates The calculated biometric voice 'Templates'.
VoiceFeatures The  biometric 'Features' extracted from the audio data. The voice template is then calculated from all features in a class. 
VoicePatterns Optional original audio data. Used only for informational purposes, e.g. to manually verify which audio files were actually used to generate the biometric template for a class.

Synchronization

The BioIDSvc must keep all instances of all identifiers (classifiers that enable identification against a complete partition) up to date. This is done with the help of the collection classifer-updates. If a class is first trained or subsequently retrained or deleted, a corresponding document is written in this collection. All identifiers fetch the collection regularly (approx. every 4 seconds) and update their classes accordingly.

The collection classifier-updates uses a TTL index to automatically delete all documents older than 20 seconds. 

Log data

All calls to the BioIDSvc are logged. This is done with the help of the collections bwslog_yyyy_MMyyyy represents the year and MM the month in which the entry was generated. In the collection usage, daily and monthly summaries of the log entries are noted.

In the bwslog tables, _id refers to the internally assigned unique JobId, enablng a search for further data relating to this entry. For instance, the data uploaded to the service (if Logging is turned on) is also marked with this JobId in the collection SamplesLog.

All other fields describe the performed operation and are self-explanatory.

In the usage collection, monthly and daily usage statistics are prepared by BioIDSvc at configured intervals. For each client, all operations are summed for the current period (day or month). Accordingly,  _id refers to the Period in the format yyyy_MM (monthly statistics) or yyyy_MM_dd (daily statistics) with appended Client name. All further entries are the sums from the bwslog tables.

Configuration data

There are three places, where configuration data is stored:

  • the configuration file BioIDsvc.exe.config
  • the client configuration in the config collection of the database
  • the installation file install-bioidsvc.ps1 (optional)

The configuration file BioIDsvc.exe.config is in the sub folder setup of the installation folder. It will then be copied into the program folder, usually C:\Program Files\BioIDsvc\. The settings are explained in the section Configuration of the Service in this document and in the comments in the file itself. Configured items are the network URI's of the API's, intervals for configuration updates and reporting and the database connection strings.

The client configuration is stored in the services database. The parameters set in the client configuration are storage identifiers, logging settings and client authentication settings. Those parameters are explained in section Client Configuration in this document.

In the installation script install-bioidsvc.ps1 the services port (defaults to TCP 443 for HTTPS) is set and an TLS servcer certificate could be installed and bound to the port while performing the service installation. This is optional and usually the certificate is installed with PowerShell as explained in the Appendix. Refer to the comments in the installation script if you want to use this feature.

Appendix

Starting and Stopping the Service with Powershell

Following commands can be used to stop, start and restart the service on a remote system after creating a PowerShell remote session:

Start, Stop and Restart the BioIDsvc service
# First create a remote session if needed
$RemoteSession = New-PSSession -ComputerName "onpremise.bioid.com" -Credential "~\Administrator"


# use Invoke-Command to execute the commands in the remote session
Invoke-Command -Session $RemoteSession -ScriptBlock { Stop-Service -Name Bioidsvc }                                                                                                                    
Invoke-Command -Session $RemoteSession -ScriptBlock { Start-Service -Name Bioidsvc }                                                                                                                   
Invoke-Command -Session $RemoteSession -ScriptBlock { Restart-Service -Name Bioidsvc }  

Getting Information about the BioIDsvc Service

To check the current status of the BioIDsvc service use the Get-Service command:

Command
# First create a remote session if needed
$RemoteSession = New-PSSession -ComputerName "onpremise.bioid.com" -Credential "~\Administrator"

# use Invoke-Command to execute the command in the remote session
Invoke-Command -Session $RemoteSession -ScriptBlock { (Get-Service -Name BioIDsvc).Status }
Sample Output
PSComputerName      RunspaceId                           Value  
--------------      ----------                           -----  
onpremise.bioid.com c270522c-e19e-439c-a525-9751c0deeb75 Running

To display the last 10 entries in the event log on the remote system running a BioIDsvc service you can use following command:

Command
# First create a remote session if needed
$RemoteSession = New-PSSession -ComputerName "onpremise.bioid.com" -Credential "~\Administrator"


# use Invoke-Command to execute the command in the remote session
Invoke-Command -Session $RemoteSession -ScriptBlock { Get-WinEvent -LogName BWSlog -MaxEvents 10 }
Sample Output
   ProviderName: BioIDWebService

TimeCreated                     Id LevelDisplayName Message                                                                                                                                                 
-----------                     -- ---------------- -------                                                                                                                                                 
23/03/2018 11:39:09              0 Information      Voice-Identifiers for partition 23 have been initialized with 0 classes ( 0 0 0 ). (Elapsed: 00:00:00.3706119)                                           
23/03/2018 11:39:09              0 Information      Periocular-Identifiers for partition 23 have been initialized with 0 classes ( 0 0 0 0 ). (Elapsed: 00:00:00.3952226)                                    
23/03/2018 11:39:09              0 Information      Face-Identifiers for partition 23 have been initialized with 0 classes ( 0 0 0 0 ). (Elapsed: 00:00:00.3923160)                                          
23/03/2018 11:39:09              0 Information      The BioID Graph IdentifyGraph_templates_23 is now running.                                                                                               
23/03/2018 11:39:09              0 Information      The BioID Graph VerifyGraph_templates is now running.                                                                                                   
23/03/2018 11:39:09              0 Information      The BioID Graph EnrollGraph_templates is now running.                                                                                                   
23/03/2018 11:39:09              0 Information      The BioID Graph PhotoVerifyGraph is now running.                                                                                                        
23/03/2018 11:39:09              0 Information      The BioID Graph LiveDetectionGraph is now running.                                                                                                      
23/03/2018 11:39:09              0 Information      The BioID Graph QualityCheckGraph is now running.                                                                                                       
23/03/2018 11:39:08              0 Information      Reading BWS configuration for 'bioidsvc.bioid.com' from MongoDB collection 'clients'.     

TLS Certificate installation with PowerShell 

To install the TLS server certificate first transfer the certificate file to the remote system and use a PowerShell session to login into the remote computer. Then use the Import-PFXCertificate command to import the certificate into the LocalMachine certificate store.

Commands
$plainpassword = "IAvvhMhhlACU58boyQXz"
$CertPassword = $plainpassword | ConvertTo-SecureString -AsPlainText -Force
Import-PFXCertificate -FilePath .\onpremise.bioid.com.p12 -CertStoreLocation Cert:\LocalMachine\My -Password $CertPassword                                                                                       
Sample Output
   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
 
Thumbprint                                Subject                                                                                                                                                          
----------                                -------                                                                                                                                                          
09HE8LGSVUW9N6BXVDOAH39A7DEG5MLOANHIK29F  C=DE, O=BioID GmbH, OU=BioID Device Certificate, CN=onpremise.bioid.com   

Display the Certificate Thumbprint

The certificates thumbprint is used to assign the correct certificate to the network port of the BioIDsvc service.To retrieve the thumbprint of the certificates installed in the LocalMachine certificate store following command can be used.

Command
Get-ChildItem Cert:\LocalMachine\My
Sample Output
    PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\my
 
Thumbprint                                Subject                                                                                                                                                          
----------                                -------                                                                                                                                                          
09HE8LGSVUW9N6BXVDOAH39A7DEG5MLOANHIK29F  C=DE, O=BioID GmbH, OU=BioID Device Certificate, CN=onpremise.bioid.com

Uninstall BioIDsvc

To uninstall the BioIDsvc the service has to be stopped first. Then the service entry in the Windows Registry has to be removed. In a last step the files belonging to the service are deleted from the disk.

Uninstalling on a local system

This applies either to a PowerShell window on a local system or an interactive remote session.

Stop-Service -Name BioIDSvc -Force
$BioIDSVCservice = Get-WmiObject -Class Win32_Service -Filter "Name='BioIDSvc'"
$BioIDSVCservice.Delete()
Remove-Item -Path "C:\Program Files\BioIDSvc" -Recurse

Uninstalling on a remote system

The same steps can be applied with Invoke-Command on a remote system.

# First create a remote session if needed
$RemoteSession = New-PSSession -ComputerName "onpremise.bioid.com" -Credential "~\Administrator"

# use Invoke-Command to execute the command in the remote session
Invoke-Command -Session $RemoteSession -ScriptBlock { Stop-Service -Name BioIDSvc -Force }

Invoke-Command -Session $RemoteSession -ScriptBlock { $BioIDSVCservice = Get-WmiObject -Class Win32_Service -Filter "Name='BioIDSvc'"} 
Invoke-Command -Session $RemoteSession -ScriptBlock { $BioIDSVCservice.Delete() }
Invoke-Command -Session $RemoteSession -ScriptBlock { Remove-Item -Path "C:\Program Files\BioIDSvc" -Recurse }