---
Name: XBootMgr.exe
Description: Windows Performance Toolkit binary used to start performance traces.
Author: Avihay Eldad
Created: 2025-07-10
Commands:
  - Command: xbootmgr.exe -trace "{boot|hibernate|standby|shutdown|rebootCycle}" -callBack {PATH:.exe}
    Description: Executes an executable after the trace is complete using the callBack parameter.
    Usecase: Executes code as part of post-trace automation flow.
    Category: Execute
    Privileges: Administrator
    MitreID: T1202
    OperatingSystem: Windows
    Tags:
      - Execute: EXE
  - Command: xbootmgr.exe -trace "{boot|hibernate|standby|shutdown|rebootCycle}" -preTraceCmd {PATH:.exe}
    Description: Executes an executable before each trace run using the preTraceCmd parameter.
    Usecase: Executes code as part of pre-trace automation or staging.
    Category: Execute
    Privileges: Administrator
    MitreID: T1202
    OperatingSystem: Windows
    Tags:
      - Execute: EXE
Full_Path:
  - Path: C:\Program Files\Windows Kits\10\Windows Performance Toolkit\xbootmgr.exe
  - Path: C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\xbootmgr.exe
Resources:
  - Link: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/xperf/reference
Acknowledgement:
  - Person: Avihay Eldad
    Handle: '@AvihayEldad'
  - Person: Tommy Warren