diff --git a/.changelog/19925.txt b/.changelog/19925.txt
new file mode 100644
index 00000000000..a9508d1bca9
--- /dev/null
+++ b/.changelog/19925.txt
@@ -0,0 +1,3 @@
+```release-note:security
+windows: Remove `LazyDLL` calls for system modules to harden Nomad against attacks from the host
+```
diff --git a/command/agent/host/windows.go b/command/agent/host/windows.go
index 1631cdc08a4..e94f029f935 100644
--- a/command/agent/host/windows.go
+++ b/command/agent/host/windows.go
@@ -9,7 +9,8 @@ package host
 import (
 "os"
 "syscall"
- "unsafe"
+
+ "golang.org/x/sys/windows"
 )
 func uname() string {
@@ -36,34 +37,30 @@ func mountedPaths() (disks []string) {
 }
 type df struct {
- size int64
- avail int64
+ size *uint64 // "systemFree" less quotas
+ avail *uint64
+ systemFree *uint64
 }
 func makeDf(path string) (*df, error) {
- h, err := syscall.LoadDLL("kernel32.dll")
- if err != nil {
- return nil, err
- }
-
- c, err := h.FindProc("GetDiskFreeSpaceExW")
- if err != nil {
- return nil, err
- }
-
 df := &df{}
+ err := windows.GetDiskFreeSpaceEx(
+ syscall.StringToUTF16Ptr(path),
+ df.avail, df.size, df.systemFree)
- c.Call(uintptr(unsafe.Pointer(syscall.StringToUTF16Ptr(path))),
- uintptr(unsafe.Pointer(&df.size)),
- uintptr(unsafe.Pointer(&df.avail)))
-
- return df, nil
+ return df, err
 }
 func (d *df) total() uint64 {
- return uint64(d.size)
+ if d.size == nil {
+ return 0
+ }
+ return *d.size
 }
 func (d *df) available() uint64 {
- return uint64(d.avail)
+ if d.avail == nil {
+ return 0
+ }
+ return *d.avail
 }
diff --git a/drivers/shared/executor/executor_windows.go b/drivers/shared/executor/executor_windows.go
index d12ba14a155..457f29a6e02 100644
--- a/drivers/shared/executor/executor_windows.go
+++ b/drivers/shared/executor/executor_windows.go
@@ -9,6 +9,8 @@ import (
 "fmt"
 "os"
 "syscall"
+
+ "golang.org/x/sys/windows"
 )
 // configure new process group for child process 
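Review bot: `makeDf` hands nil out-pointers to `windows.GetDiskFreeSpaceEx`: `df := &df{}` leaves `avail`, `size` and `systemFree` as nil `*uint64`, and because the underlying Win32 call accepts NULL for each of its output parameters it returns success without writing anything, so `total()` and `available()` fall into their nil guards and report 0 for every mounted path. Allocate the fields before the call, e.g. `df := &df{size: new(uint64), avail: new(uint64), systemFree: new(uint64)}`, or make the three fields plain `uint64` and pass `&df.avail, &df.size, &df.systemFree`, which would also let the nil checks in `total` and `available` go away. The comment on `size` also looks misplaced: in the x/sys argument order the second pointer receives the total bytes available to the caller (quota-adjusted) while `avail` receives the quota-adjusted free count, so `// total bytes on the volume, less quotas` on `size` and `// free bytes available to the caller, less quotas` on `avail` would match what is actually passed.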
@@ -45,18 +47,9 @@ func (e *UniversalExecutor) killProcessTree(proc *os.Process) error {
 }
 // Send a Ctrl-Break signal for shutting down the process,
-// like in https://golang.org/src/os/signal/signal_windows_test.go
 func sendCtrlBreak(pid int) error {
- dll, err := syscall.LoadDLL("kernel32.dll")
- if err != nil {
- return fmt.Errorf("Error loading kernel32.dll: %v", err)
- }
- proc, err := dll.FindProc("GenerateConsoleCtrlEvent")
+ err := windows.GenerateConsoleCtrlEvent(syscall.CTRL_BREAK_EVENT, uint32(pid))
 if err != nil {
- return fmt.Errorf("Cannot find procedure GenerateConsoleCtrlEvent: %v", err)
- }
- result, _, err := proc.Call(syscall.CTRL_BREAK_EVENT, uintptr(pid))
- if result == 0 {
 return fmt.Errorf("Error sending ctrl-break event: %v", err)
 }
 return nil
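Review bot: The doc comment on `sendCtrlBreak` now ends mid-sentence (`// Send a Ctrl-Break signal for shutting down the process,`) because the removed `// like in …` line was its continuation; it should also start with the function name per Go convention, e.g. `// sendCtrlBreak sends a Ctrl-Break event to the process group identified by pid so the child can shut down gracefully.` The surviving error return still formats with `%v` and a capitalised message; `return fmt.Errorf("sending ctrl-break event to pid %d: %w", pid, err)` keeps the cause inspectable with errors.Is/As and names the target. `GenerateConsoleCtrlEvent` takes a process group id, so `uint32(pid)` only reaches the child if it was started in its own group (the file's "configure new process group" comment suggests it is) — worth stating in the comment so a later change to process creation does not silently break shutdown. The function's closing brace lies outside the hunk.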