From b04a5c97761525187852a7fdd24e9c75c38b9b80 Mon Sep 17 00:00:00 2001 From: Avihay Eldad <46644022+avihayeldad@users.noreply.github.com> Date: Sun, 31 Aug 2025 18:38:57 +0300 Subject: [PATCH] Create XBootMgr.yml (#447) Co-authored-by: Wietze --- yml/OtherMSBinaries/XBootMgr.yml | 33 ++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 yml/OtherMSBinaries/XBootMgr.yml diff --git a/yml/OtherMSBinaries/XBootMgr.yml b/yml/OtherMSBinaries/XBootMgr.yml new file mode 100644 index 0000000..dc9f943 --- /dev/null +++ b/yml/OtherMSBinaries/XBootMgr.yml @@ -0,0 +1,33 @@ +--- +Name: XBootMgr.exe +Description: Windows Performance Toolkit binary used to start performance traces. +Author: Avihay Eldad +Created: 2025-07-10 +Commands: + - Command: xbootmgr.exe -trace "{boot|hibernate|standby|shutdown|rebootCycle}" -callBack {PATH:.exe} + Description: Executes an executable after the trace is complete using the callBack parameter. + Usecase: Executes code as part of post-trace automation flow. + Category: Execute + Privileges: Administrator + MitreID: T1202 + OperatingSystem: Windows + Tags: + - Execute: EXE + - Command: xbootmgr.exe -trace "{boot|hibernate|standby|shutdown|rebootCycle}" -preTraceCmd {PATH:.exe} + Description: Executes an executable before each trace run using the preTraceCmd parameter. + Usecase: Executes code as part of pre-trace automation or staging. + Category: Execute + Privileges: Administrator + MitreID: T1202 + OperatingSystem: Windows + Tags: + - Execute: EXE +Full_Path: + - Path: C:\Program Files\Windows Kits\10\Windows Performance Toolkit\xbootmgr.exe + - Path: C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\xbootmgr.exe +Resources: + - Link: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/xperf/reference +Acknowledgement: + - Person: Avihay Eldad + Handle: '@AvihayEldad' + - Person: Tommy Warren
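Review bot: The new XBootMgr.yml has no Detection section, so the two Execute commands ship without any detection guidance even though both rely on a distinctive command line (`xbootmgr.exe` with `-callBack` or `-preTraceCmd` pointing at an arbitrary executable); add a `Detection:` block alongside `Full_Path:` and `Resources:` so the entry matches the other OtherMSBinaries entries and gives defenders something to key on. Two smaller points in the same hunk: the trace argument is written as `-trace "{boot|hibernate|standby|shutdown|rebootCycle}"`, which mixes the `{PATH:.exe}` placeholder style with a quoted alternatives list that is not itself a valid value, so consider a single concrete value (e.g. `-trace boot`) in the Command and listing the other accepted trace types in the Description; and the two Usecase lines ("Executes code as part of post-trace automation flow" / "... pre-trace automation or staging") are nearly identical and do not say what an operator gains, so state the distinction plainly, e.g. that `-callBack` runs the target once after the trace finishes while `-preTraceCmd` runs it before each trace run, which is what the Description lines already say. The Acknowledgement entry for Tommy Warren also lacks a `Handle:` line, unlike the entry above it.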